[nfsv4] Re: Our different approaches to draft POSIX ACL support in NFSv4

David Noveck <davenoveck@gmail.com> Wed, 24 July 2024 00:18 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FFFDC1EBF59 for <nfsv4@ietfa.amsl.com>; Tue, 23 Jul 2024 17:18:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRYxIGOouZpO for <nfsv4@ietfa.amsl.com>; Tue, 23 Jul 2024 17:17:59 -0700 (PDT)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29058C1DA2F4 for <nfsv4@ietf.org>; Tue, 23 Jul 2024 17:17:59 -0700 (PDT)
Received: by mail-qv1-xf2c.google.com with SMTP id 6a1803df08f44-6b796667348so3643476d6.0 for <nfsv4@ietf.org>; Tue, 23 Jul 2024 17:17:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721780278; x=1722385078; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YPhhFX21Y7Nlfw0Zf5ZAJVc/8uIuCxxGaoTkOGudHXk=; b=aGHTN03cSqkPCGeuuXxUacUEVgkh4fwdLHvUEbtiqmdw1TOhaQZiP+f0fWWQyMNXlG U0vnkUQc1Hp1QretM105Z/vGtQbQQK0U/Aw+dphDLBRPHXbJdStnxMQaVMdJ7cFlCi7C 5NdaHQOsjKY9hVeLWOorbHYs9YMEEoWO981U5Dl1ZsZ86MvPe4E+YHA3YCdsuEpq3PMp eU2S3yRJjn/baj95vy6t0ADg+jh/IFqP577mF50pd6HIPXMZbB7TWBVjhXuYSP55TJOH Q26ySNSP4zY79hQBMMwNRBvlENmBYai7J2gRixoxxpyoEGvYPIqBOEIZ5cLX+qAcmJIC TVBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721780278; x=1722385078; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YPhhFX21Y7Nlfw0Zf5ZAJVc/8uIuCxxGaoTkOGudHXk=; b=d/EUYx8Jj5tG9XOr3GW9ApyErahczw3cm6wByd7VY9Z7oJBjPR359O5VBC4ktg+Oli McCIBJcx+vI0XhxVjLE36VhIT3d2EXV6ktRFTL3pHgkyQQmaQ1LVKOTpzydkKrDsYZoh y1ZUfs/DFHN8fAj4YWn4j36PiNK1nyB9VTQLOQC2nc0xE1y6Q9MRmIbe0cgdaS9GiqRt 3iMKZhK7IMVvhKkGBcKVCuzRu3kL65IrlT+LTisUlQvOe4kt0Ypu73OiX9hal54FQFV2 4PZaZdMzo8ugZDRJV/XBf47mF69qXHgTOcGmvcxOGyX+YPQQjg1afrZ7q0uhjuV7cnl/ T+2g==
X-Forwarded-Encrypted: i=1; AJvYcCUVHh/aWrggyUDcfTCySSW171F4FBGAku85O4rBXkWa6N4PmsN5B736J23PvX17BgmuHCU07jCYsrqPJxzu9Q==
X-Gm-Message-State: AOJu0Yxx8nVKJLA9KmZ/+JrGABDqbtLsTTubYsqEgodnXybpdG/r+a8X hyPdjkiC6FGWpec0LNX3KqBMTolJ0CcHJ6auF6jcZhyuY1GfgD31GaaPPZP0cPn3UCo2UgllV7J Ew+WEaqhu4LI9foLD38mA0T8YMPj0lg==
X-Google-Smtp-Source: AGHT+IE1ttcRzdXDc3rPF3yW/kLeZfxDRCh+YxMmMp6VIayNMVc6tRLuxkgE/MM+ZhpQ9T78gfJRgxnwanMgTpGAwZU=
X-Received: by 2002:a05:6214:5085:b0:6af:c2ec:3313 with SMTP id 6a1803df08f44-6b991560084mr5675536d6.26.1721780277797; Tue, 23 Jul 2024 17:17:57 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jdvZ5pcFNN5zjuVHLTO30v9=2kYKzFdRxxbkTmHYZdTdA@mail.gmail.com> <CAM5tNy7Fw954gCzYHCTjRg7th_njSHhxznni48Zz4xsSXT631A@mail.gmail.com> <53DAEF45-2A4D-4066-97C2-7B09018DE99B@oracle.com> <CAM5tNy6a4ZG90i2ugXzuPqQ1zrsK9m8jLRKmv9VpnFG6m_Pqew@mail.gmail.com> <DD250FBD-A434-4294-818A-5728757CE032@oracle.com> <d1c538065728c17df66a6f9e79e55d90849fc866.camel@gmail.com> <D352FEB9-A487-4B3E-9BC8-DB2C1896F941@oracle.com> <8efc39289ecef97624622cfc431f890736b579a0.camel@hammerspace.com> <33FA1D6E-73B3-43A1-B65C-D806156E39A5@oracle.com> <cf8a48e517210512755455dd78352ae5b64f7949.camel@hammerspace.com> <449AF448-1471-47CD-B5C5-3A3A5FB9FB12@oracle.com> <2e32694382df3e70a93edcf40434a41729031e55.camel@hammerspace.com> <83c39a7b12c05b0f1a0fa6e069b08e399864277a.camel@hammerspace.com>
In-Reply-To: <83c39a7b12c05b0f1a0fa6e069b08e399864277a.camel@hammerspace.com>
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 23 Jul 2024 20:17:46 -0400
Message-ID: <CADaq8jfw1FVH3dxOEJAZLrw_S5y2F6eaGkcfpha4X8BBNWgRSQ@mail.gmail.com>
To: Trond Myklebust <trondmy@hammerspace.com>
Content-Type: multipart/alternative; boundary="000000000000d6eb9c061df33564"
Message-ID-Hash: ZNHKA2T7GSJT6INPTLH2LEKVD5QHOY7Z
X-Message-ID-Hash: ZNHKA2T7GSJT6INPTLH2LEKVD5QHOY7Z
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Chuck Lever III <chuck.lever=40oracle.com@dmarc.ietf.org>, "J. Bruce Fields" <bfields@fieldses.org>, NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Our different approaches to draft POSIX ACL support in NFSv4
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/24JMMFhTkrjvpx4fhr73v88ImG0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

I agree.  The existence of prior art would only prevent us from patenting
our protocol, which we don't want to do.

On Tue, Jul 23, 2024, 8:09 PM Trond Myklebust <trondmy@hammerspace.com>
wrote:

> On Tue, 2024-07-23 at 23:15 +0000, Trond Myklebust wrote:
> > On Tue, 2024-07-23 at 21:26 +0000, Chuck Lever III wrote:
> > >
> > >
> > > > On Jul 23, 2024, at 4:39 PM, Trond Myklebust
> > > > <trondmy@hammerspace.com> wrote:
> > > >
> > > > On Tue, 2024-07-23 at 19:06 +0000, Chuck Lever III wrote:
> > > > >
> > > > >
> > > > > > On Jul 23, 2024, at 2:09 PM, Trond Myklebust
> > > > > > <trondmy@hammerspace.com> wrote:
> > > > > >
> > > > > > On Tue, 2024-07-23 at 15:27 +0000, Chuck Lever III wrote:
> > > > > > >
> > > > > > >
> > > > > > > > On Jul 23, 2024, at 10:27 AM, Trond Myklebust
> > > > > > > > <trondmy@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > On Tue, 2024-07-23 at 13:54 +0000, Chuck Lever III wrote:
> > > > > > > > >
> > > > > > > > > > On Jul 22, 2024, at 7:13 PM, Rick Macklem
> > > > > > > > > > <rick.macklem@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > I just looked at
> > > > > > > > > > opensolaris/usr/src/head/rpcsvc/nfs_acl.x
> > > > > > > > > > which I think is the closest thing there is to a
> > > > > > > > > > spec.
> > > > > > > > > > for
> > > > > > > > > > NFSACL.
> > > > > > > > > > (FreeBSD does not implement this protocol and all I
> > > > > > > > > > know
> > > > > > > > > > about
> > > > > > > > > > it
> > > > > > > > > > is what this little .x file indicates.)
> > > > > > > > >
> > > > > > > > > That's excellent, thanks for finding it.
> > > > > > > > >
> > > > > > > > > My concern about this is that the cited .x file falls
> > > > > > > > > under
> > > > > > > > > CDDL, and thus cannot be used directly by a GPL-
> > > > > > > > > encumbered
> > > > > > > > > OS like Linux, nor can it be contributed to the IETF in
> > > > > > > > > its
> > > > > > > > > current form.
> > > > > > > > >
> > > > > > > > > This is clearly prior art.
> > > > > > > > >
> > > > > > > > > My question then is whether we should endeavor to
> > > > > > > > > produce
> > > > > > > > > an Informational document that describes NFSACL without
> > > > > > > > > encumbrance -- ie, get Sun-Oracle to contribute that
> > > > > > > > > work
> > > > > > > > > so that it might be used openly.
> > > > > > > > >
> > > > > > > >
> > > > > > > > Why do we care?
> > > > > > >
> > > > > > > As I explained, we do want to have a protocol specification
> > > > > > > for NFSv4 that will not be disruptive to folks who were
> > > > > > > using
> > > > > > > NFSv3 and are now accessing the same ACLs via NFSv4.2+
> > > > > >
> > > > > > No we don't.
> > > > > >
> > > > > > We need a new protocol specification that works correctly
> > > > > > with
> > > > > > the
> > > > > > draft POSIX acls in use with existing Linux and other
> > > > > > filesystem,
> > > > > > and
> > > > > > that supports all the features of the IEEE 1003.1e draft 17
> > > > > > document
> > > > > > that were implemented within Linux and the *BSD.
> > > > > > Once we have that, I will happily plug that implementation
> > > > > > into
> > > > > > the
> > > > > > inode 'get_acl()' and 'set_acl()' callbacks, and people will
> > > > > > be
> > > > > > able to
> > > > > > use the bog standard getfacl and setfacl utilities to control
> > > > > > the
> > > > > > POSIX
> > > > > > ACLs as if they were running on a native filesystem.
> > > > > >
> > > > > > If people then still want to use the nfs4_getfacl and
> > > > > > nfs4_setfacl
> > > > > > tools to use the existing ACL attribute against a server that
> > > > > > implements the draft-ietf-nfsv4-acl-mapping-05 (or whatever
> > > > > > it
> > > > > > is
> > > > > > that
> > > > > > the Linux server actually implements) then they can continue
> > > > > > to
> > > > > > do
> > > > > > so
> > > > > > without any further help from this committee. There will be
> > > > > > no
> > > > > > need
> > > > > > to
> > > > > > encourage the development of further broken implementations,
> > > > > > if
> > > > > > there
> > > > > > is a real NFSv4.2 API that can replace it.
> > > > >
> > > > > That's all very nice, but....
> > > > >
> > > > > I'm not talking about mapped NFSv4 ACLs or
> > > > > developing legacy implementations, so let's put
> > > > > aside those straw men, please. You seem to be
> > > > > getting excited about something I didn't write
> > > > > nor did I intend.
> > > > >
> > > > > The proposed fattr4 POSIX ACL support needs to be
> > > > > compatible with NFSACL as well. The view of POSIX
> > > > > ACLs from an NFSv3 mount needs to be compatible
> > > > > with whatever can be seen via the proposed NFSv4
> > > > > POSIX ACLs.
> > > > >
> > > > > At the very least, those compatibility requirements
> > > > > need to be stated in acls-04. I wasn't necessarily
> > > > > looking for an on-the-wire form of compatibility,
> > > > > that's just what Rick brought up in the discussion.
> > > > > And I had no idea that NFSACL had a version 4.
> > > > >
> > > > > But semantic compatibility is needed, and that is
> > > > > complicated by not having a published first-order
> > > > > description of the legacy semantics.
> > > > >
> > > > > Further, acls-04 needs to address the fact that what
> > > > > it is to propose looks semantically and on-the-wire
> > > > > a lot like NFSACL, and that protocol has been in the
> > > > > wild for 25+ years, has no published specification,
> > > > > and is very likely encumbered. This IP issue has to
> > > > > be spelled out and addressed somehow.
> > > > >
> > > > > A simple, concrete proposal would be for Oracle to
> > > > > contribute NFSACL to the IETF via an Informational
> > > > > document similar to RFC 1813.
> > > > >
> > > >
> > > > The draft POSIX ACL spec is not based on some spec for NFSACL.
> > > > The
> > > > draft POSIX ACL spec is IEEE 1003.1e draft 17.
> > >
> > > This distinction is likely to be lost on casual or
> > > even somewhat expert readers -- perhaps a reader
> > > who is not technically informed but is looking for
> > > a legal opportunity. The /purpose/ of NFSACL and the
> > > proposed protocol are the same, and so is the set
> > > of architects who are working on these protocols.
> > >
> > > acls-04 should therefore recognize that NFSACL is
> > > prior art and explain the differences in provenance
> > > that unlink acls-04 from NFSACL. For extra credit,
> > > use the term "clean room implementation" in one or
> > > more complete sentences.
> > >
> > >
> > > > The contents of the NFSACL xdr file are at best a description of
> > > > an
> > > > API
> > > > that we will not be wanting to follow, because it describes an
> > > > RPC
> > > > side
> > > > band protocol, and is based on NFSv3 semantics. It does not
> > > > describe
> > > > draft POSIX acls.
> > >
> > > Which is why I agree that nfs_acl.x by itself is
> > > not up to the task of backing up IP claims, and
> > > would like to see more substantive documentation.
> > >
> > >
> > > > If you want a reference that is independent of the IEEE draft,
> > > > then
> > > > why
> > > > not instead go for Andreas' Freenix paper from 2003?
> > > >
> https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html
> > > > That actually describes in detail the spec that needs to be
> > > > followed.
> > >
> > > IMO this doesn't address the IP issue at all.
> >
> > What IP issue? AFAICS, you've invented the straw man here.
> >
> > Nothing we do here needs to refer to or infringe upon anything Oracle
> > may think it owns w.r.t. nfsacl. There is no need to use anything
> > from
> > nfsacl.x.
>
> Put differently: if you claim there is an IP issue that precludes us
> from defining our own protocol for draft POSIX acls, then you need to
> document what is infringing. The existence of "prior art" for an
> implementation does not automatically imply that there is an
> intellectual property issue to resolve.
>
> --
> Trond Myklebust
> Linux NFS client maintainer, Hammerspace
> trond.myklebust@hammerspace.com
>
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
>