Re: [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE: what's required?
David Noveck <davenoveck@gmail.com> Fri, 16 June 2017 18:39 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6563D12EC0E for <nfsv4@ietfa.amsl.com>; Fri, 16 Jun 2017 11:39:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqSAfr-86QG1 for <nfsv4@ietfa.amsl.com>; Fri, 16 Jun 2017 11:39:46 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B812B1200C1 for <nfsv4@ietf.org>; Fri, 16 Jun 2017 11:39:46 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id t87so35355946ioe.0 for <nfsv4@ietf.org>; Fri, 16 Jun 2017 11:39:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dUKng75c4FmUoi/VDQhXHVh7NxswJB+e5i4Q/YdeJDc=; b=GIRLQ6EaJLACpIJ0k9ALAN20A4jPpaHWFWcsK0Mck1eprp4wmUfdj3tJMQ2Xo6f1xi 9MFdElh6sQQsaVOpCI+VSZYaWiU2Sax6Rdt4bZniMPYvHb6pQYNWc5nLLZILaV9AA7fb Z8HP0L42GMKW9L8WV9wr4UAyliAyPJN0tysJeNY2R/v7XfZn6wWHu+hI+biI6mgk6qxM qHEmPYT26eBMu6miDzJe1y0CYS7fvluwk7MeWlIY0NOM67d659Jh4VPIDXivtN6mwzFu d0kZd7A7g0SZQvlFUDQfc218iA8BGfkOgW4ADzU3BsEDdYeKCvE37JesmUgc0JoobhSE ndyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dUKng75c4FmUoi/VDQhXHVh7NxswJB+e5i4Q/YdeJDc=; b=LBtfB66W1P77n3cWLuEBU9aGxkvgG/oZzqP2BIMOp2YALOx0Q6KRtmU/ceTJ8UfryO 1qeOMUTSRwOUnN1aQcd0LLCfhBYLyvB4ZZqPq8N0hgFEGToKMUmD1c/S0+rUOJxd4GUQ wBM3TtkAlkHRoktLuNvssPsZfDf8aV81/fX4qt5OHz+DAiiaC6rkVETj+P652TwVS/y5 VB7+nR4LUWIPf6YjOSTI57A1stmGgInOsYoRULErqZFqv7vsSfUfLmLKmG4P3LKBwLy3 uHvo0CYJT1fvn1+ZgiLCcky7t/wEfUqxXq7CrROEiH2eWeZoTGKYdtvZFD9T3nboccXf U9EA==
X-Gm-Message-State: AKS2vOylKLHYqEJ7k5PoRvuEO2X/jQd53j9q4keGtZRwwcvYEOX29g3o gurGKLfCs/k07WicGQK30nVAgC6LBw==
X-Received: by 10.107.59.13 with SMTP id i13mr11724556ioa.163.1497638385981; Fri, 16 Jun 2017 11:39:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.20.75 with HTTP; Fri, 16 Jun 2017 11:39:45 -0700 (PDT)
In-Reply-To: <ff5b21d9-f2f0-2c8b-1335-56384d08dacb@oracle.com>
References: <ff5b21d9-f2f0-2c8b-1335-56384d08dacb@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 16 Jun 2017 14:39:45 -0400
Message-ID: <CADaq8je5-bSKkcpP7VVP8VftLMM+nO9vQBbeavkg1xVhjGZuPQ@mail.gmail.com>
To: Mike Kupfer <mike.kupfer@oracle.com>
Cc: NFSv4 WG <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c06b8acffa29b0552181b27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/-R9lMUNp0a6Rsvg48Va3dqRCstM>
Subject: Re: [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE: what's required?
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2017 18:39:49 -0000
> I'm trying to make sense of the final paragraph in Section 6.2.1.2 of > RFC 5661, Good luck with that. > which reads > Support for any of the ACL attributes is optional (albeit > RECOMMENDED). It is hard to figure out since, in one paragraph, these attributes are optional, RECOMMENDED and (sometimes) REQUIRED. - are (lower-case) "optional" at the start of the first sentence - are then "RECOMMENDED" at the end of the sentence, although this term is not in line with RFC2119. (this sort of disparity recognized RFC7530, but still in RFC5661) - By the end of the paragraph. "MUST" is being used. > However, a server that supports either of the new > ACL attributes (dacl or sacl) MUST allow use of the new ACL > attributes to access all of the ACE types that it supports. As the sentence is written, both of these attributes are OPTIONAL, but, when you support one of them, the supported ACEs for those attributes must include all the ACEs you support. Essentially, this says that if you support sacl and dacl, they must be the same. I don't think that's the intention, though. I think this sentence is just a mistake. Perhaps the intention was to say that these attributes, when implemented,should support the ACE types that each of the attibutes were designed/intended to support, if the server supports them at all. > In > other words, if such a server supports ALLOW or DENY ACEs, then it > MUST support the dacl attribute, This is essentially saying that if you support the acl attribute you have to support dacl. I don''t know if that is the intention. > and if it supports AUDIT or ALARM > ACEs, then it MUST support the sacl attribute. > IIUC, this is forbidding a situation where (for example) the server > lists support for the dacl attribute and AUDIT ACEs but not support > for the sacl attribute. As I read it, support for dacl is irrelevant. I think it is saying that if you support AUDIT ACE's you must be able to set them using the sacl attribute. > If the server lists support for neither the dacl or sacl attributes, > it can still support AUDIT ACEs via the acl attribute. I think that is sensible but it doesn't seem to be what the spec says. On Fri, Jun 16, 2017 at 2:00 PM, Mike Kupfer <mike.kupfer@oracle.com> wrote: > I'm trying to make sense of the final paragraph in Section 6.2.1.2 of > RFC 5661, which reads > > Support for any of the ACL attributes is optional (albeit > RECOMMENDED). However, a server that supports either of the new > ACL attributes (dacl or sacl) MUST allow use of the new ACL > attributes to access all of the ACE types that it supports. In > other words, if such a server supports ALLOW or DENY ACEs, then it > MUST support the dacl attribute, and if it supports AUDIT or ALARM > ACEs, then it MUST support the sacl attribute. > > IIUC, this is forbidding a situation where (for example) the server > lists support for the dacl attribute and AUDIT ACEs but not support > for the sacl attribute. > > If the server lists support for neither the dacl or sacl attributes, > it can still support AUDIT ACEs via the acl attribute. > > Am I reading that correctly? > > thanks, > mike > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 >
- [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE: wha… Mike Kupfer
- Re: [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE:… David Noveck
- Re: [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE:… Mike Kupfer