[nfsv4] Re: Feedback on user ID for any bis work
"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Fri, 06 September 2024 09:45 UTC
Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C9E9C16940E for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 02:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Level:
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.455, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Hpfwpt_vENJ for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 02:45:48 -0700 (PDT)
Received: from smtp-o-1.desy.de (smtp-o-1.desy.de [IPv6:2001:638:700:1038::1:9a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1373C157938 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 02:45:45 -0700 (PDT)
Received: from smtp-buf-1.desy.de (smtp-buf-1.desy.de [131.169.56.164]) by smtp-o-1.desy.de (Postfix) with ESMTP id 6D2A711F741 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 11:45:41 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-1.desy.de 6D2A711F741
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1725615941; bh=5JZUN7Sv8xvXuwqD9gqsPuD3ubYSGvHBNzj08rMoMhE=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=G02YDYNspDJWixpzG/JFBqQuJQQy2FivoJ0sYOCaLRTm9FIIdrMlRhIV2bjOFidNe NyB9iKKSWGvLgHmBtfWLo7D0Djo0he9wg0btzHn0ZKDr6YJ0WEg8UR9Z/3FMJHLaJQ vEytJ84BjAwgoYl/5w7SNI6GFY0BpQL2Fn5DqWTo=
Received: from smtp-m-1.desy.de (smtp-m-1.desy.de [IPv6:2001:638:700:1038::1:81]) by smtp-buf-1.desy.de (Postfix) with ESMTP id 605EC20038; Fri, 6 Sep 2024 11:45:41 +0200 (CEST)
Received: from a1722.mx.srv.dfn.de (a1722.mx.srv.dfn.de [IPv6:2001:638:d:c301:acdc:1979:2:e7]) by smtp-m-1.desy.de (Postfix) with ESMTP id 5514240044; Fri, 6 Sep 2024 11:45:41 +0200 (CEST)
Received: from smtp-intra-1.desy.de (smtp-intra-1.desy.de [IPv6:2001:638:700:1038::1:52]) by a1722.mx.srv.dfn.de (Postfix) with ESMTP id A01E8220043; Fri, 6 Sep 2024 11:45:39 +0200 (CEST)
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (Postfix) with ESMTP id 2CA098004E; Fri, 6 Sep 2024 11:45:39 +0200 (CEST)
Date: Fri, 06 Sep 2024 11:45:38 +0200
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chris Inacio <inacio@cert.org>
Message-ID: <687480948.58043142.1725615938837.JavaMail.zimbra@desy.de>
In-Reply-To: <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
References: <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org> <1452890090.47955225.1723888278946.JavaMail.zimbra@z-mbx-2> <2C377184-60B5-43B3-9FAD-33F682DBAC5D@oracle.com> <1086079167.54167075.1724943726342.JavaMail.zimbra@desy.de> <D5C0C2E4-0791-4970-93A5-C2DFDF566946@oracle.com> <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----=_Part_58043143_571235246.1725615939026"
X-Mailer: Zimbra 9.0.0_GA_4612 (ZimbraWebClient - FF129 (Linux)/9.0.0_GA_4612)
Thread-Topic: Feedback on user ID for any bis work
Thread-Index: AQHa8LbEvnI4unYR/0inUXlvBCKK47I+Z2UAgArrxYCAACg/gB0w3Coy
Message-ID-Hash: F2MXP2MSKPFUIWLZXOJJ2H4ELNT6B4BO
X-Message-ID-Hash: F2MXP2MSKPFUIWLZXOJJ2H4ELNT6B4BO
X-MailFrom: tigran.mkrtchyan@desy.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/28NTPascZWePmaj-zf0rN-5YxSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
Hi Chris, ----- Original Message ----- > From: "Chris Inacio" <inacio@cert.org> > To: "Chuck Lever III" <chuck.lever@oracle.com> > Cc: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>, "NFSv4" <nfsv4@ietf.org> > Sent: Thursday, 5 September, 2024 18:12:45 > Subject: Re: [nfsv4] Feedback on user ID for any bis work > Tigran, > > This is great; really what I had in mind. I had been trying to puzzle through > this myself. For me (and its because I don’t know the mechanics of NFS well > enough, at this point) the thing I am mentally tied up in is some form of > “mapping” from these external identities to file system UIDs. LDAP provides a > binding of directory authentication to a local UID which makes basic > permissions easy to do on POSIX file systems. Would another service / > configuration mechanism be necessary to provide these remote ID to local UID > mappings? This gets a lot easier for filesystems that actually provide OpenID-Connect tokens provide both identity information and access rights. For other protocols, namely for HTTP, we can use LDAP to map users to a local account and do permission validation based on Unix permissions. Alternatively, we can trust the identity provider and use an access token, like 'storage.read:/path/to/dir' and by-pass local permission validations. The latter one is more complex for NFS, so my main focus (for now) is user mapping. > workable ACLs, as far as I can tell. Then you have the ability to at least > provide a binding (even if it isn’t cryptographically strong at rest) of a > permission on the server filesystem to the remote identity service. > > Correct me if I have any of this wrong, please. When I last worked at a file > systems company, I did TCP/IP interface and acceleration. So the real > mechanics and nuances of NFS aren’t totally clear to me. > > Side note: I was trying to understand how this works by reading the NFSv42 XDR. > That does not seem to really include anything with regards to authentication > in there. There is an include of “auth.h” which seems a little less than > ideally portable to me. I think the best place to start is RPCSEC_GSS https://datatracker.ietf.org/doc/html/rfc2203. Best regards, Tigran. > > Chris > > >> On Sep 5, 2024, at 9:48 AM, Chuck Lever III <chuck.lever@oracle.com> wrote: >> >> Warning: External Sender - do not click links or open attachments unless you >> recognize the sender and know the content is safe. >> >> >>> On Aug 29, 2024, at 11:02 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> >>> wrote: >>> >>> >>> >>> Hi Chick, >>> >>> The current state is available at: >>> >>> https://github.com/kofemann/rpc-sec-oidc/blob/main/draft-tigran-nfsv4-rpcsecoidc.md >>> >>> It is still quite raw, but indeed, if people comment, this will give me some >>> guidelines and momentum. >> >> Thanks for posting, Tigran! I will make some time in the next >> couple of weeks to study the draft. >> >> >> -- > > Chuck Lever
- [nfsv4] Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Pali Rohár
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Rick Macklem
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Mkrtchyan, Tigran
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work David Noveck
- [nfsv4] Re: Feedback on user ID for any bis work Rick Macklem
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Rick Macklem
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Mkrtchyan, Tigran
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Mkrtchyan, Tigran
- [nfsv4] Re: Feedback on user ID for any bis work Mark Liam Brown
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Fwd: Re: Feedback on user ID for any bis … David Noveck