[nfsv4] Re: Feedback on user ID for any bis work

"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Fri, 06 September 2024 09:45 UTC

Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C9E9C16940E for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 02:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Level:
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.455, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Hpfwpt_vENJ for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 02:45:48 -0700 (PDT)
Received: from smtp-o-1.desy.de (smtp-o-1.desy.de [IPv6:2001:638:700:1038::1:9a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1373C157938 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 02:45:45 -0700 (PDT)
Received: from smtp-buf-1.desy.de (smtp-buf-1.desy.de [131.169.56.164]) by smtp-o-1.desy.de (Postfix) with ESMTP id 6D2A711F741 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 11:45:41 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-1.desy.de 6D2A711F741
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1725615941; bh=5JZUN7Sv8xvXuwqD9gqsPuD3ubYSGvHBNzj08rMoMhE=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=G02YDYNspDJWixpzG/JFBqQuJQQy2FivoJ0sYOCaLRTm9FIIdrMlRhIV2bjOFidNe NyB9iKKSWGvLgHmBtfWLo7D0Djo0he9wg0btzHn0ZKDr6YJ0WEg8UR9Z/3FMJHLaJQ vEytJ84BjAwgoYl/5w7SNI6GFY0BpQL2Fn5DqWTo=
Received: from smtp-m-1.desy.de (smtp-m-1.desy.de [IPv6:2001:638:700:1038::1:81]) by smtp-buf-1.desy.de (Postfix) with ESMTP id 605EC20038; Fri, 6 Sep 2024 11:45:41 +0200 (CEST)
Received: from a1722.mx.srv.dfn.de (a1722.mx.srv.dfn.de [IPv6:2001:638:d:c301:acdc:1979:2:e7]) by smtp-m-1.desy.de (Postfix) with ESMTP id 5514240044; Fri, 6 Sep 2024 11:45:41 +0200 (CEST)
Received: from smtp-intra-1.desy.de (smtp-intra-1.desy.de [IPv6:2001:638:700:1038::1:52]) by a1722.mx.srv.dfn.de (Postfix) with ESMTP id A01E8220043; Fri, 6 Sep 2024 11:45:39 +0200 (CEST)
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (Postfix) with ESMTP id 2CA098004E; Fri, 6 Sep 2024 11:45:39 +0200 (CEST)
Date: Fri, 06 Sep 2024 11:45:38 +0200
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chris Inacio <inacio@cert.org>
Message-ID: <687480948.58043142.1725615938837.JavaMail.zimbra@desy.de>
In-Reply-To: <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
References: <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org> <1452890090.47955225.1723888278946.JavaMail.zimbra@z-mbx-2> <2C377184-60B5-43B3-9FAD-33F682DBAC5D@oracle.com> <1086079167.54167075.1724943726342.JavaMail.zimbra@desy.de> <D5C0C2E4-0791-4970-93A5-C2DFDF566946@oracle.com> <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----=_Part_58043143_571235246.1725615939026"
X-Mailer: Zimbra 9.0.0_GA_4612 (ZimbraWebClient - FF129 (Linux)/9.0.0_GA_4612)
Thread-Topic: Feedback on user ID for any bis work
Thread-Index: AQHa8LbEvnI4unYR/0inUXlvBCKK47I+Z2UAgArrxYCAACg/gB0w3Coy
Message-ID-Hash: F2MXP2MSKPFUIWLZXOJJ2H4ELNT6B4BO
X-Message-ID-Hash: F2MXP2MSKPFUIWLZXOJJ2H4ELNT6B4BO
X-MailFrom: tigran.mkrtchyan@desy.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/28NTPascZWePmaj-zf0rN-5YxSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

Hi Chris,

----- Original Message -----
> From: "Chris Inacio" <inacio@cert.org>
> To: "Chuck Lever III" <chuck.lever@oracle.com>
> Cc: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>, "NFSv4" <nfsv4@ietf.org>
> Sent: Thursday, 5 September, 2024 18:12:45
> Subject: Re: [nfsv4] Feedback on user ID for any bis work

> Tigran,
> 
> This is great; really what I had in mind.  I had been trying to puzzle through
> this myself.  For me (and its because I don’t know the mechanics of NFS well
> enough, at this point) the thing I am mentally tied up in is some form of
> “mapping” from these external identities to file system UIDs.  LDAP provides a
> binding of directory authentication to a local UID which makes basic
> permissions easy to do on POSIX file systems.  Would another service /
> configuration mechanism be necessary to provide these remote ID to local UID
> mappings?  This gets a lot easier for filesystems that actually provide

OpenID-Connect tokens provide both identity information and access rights.
For other protocols, namely for HTTP, we can use LDAP to map users to a local
account and do permission validation based on Unix permissions. Alternatively,
we can trust the identity provider and use an access token, like
'storage.read:/path/to/dir' and by-pass local permission validations.

The latter one is more complex for NFS, so my main focus (for now) is user mapping.


> workable ACLs, as far as I can tell.  Then you have the ability to at least
> provide a binding (even if it isn’t cryptographically strong at rest) of a
> permission on the server filesystem to the remote identity service.
> 
> Correct me if I have any of this wrong, please.  When I last worked at a file
> systems company, I did TCP/IP interface and acceleration.  So the real
> mechanics and nuances of NFS aren’t totally clear to me.
> 
> Side note: I was trying to understand how this works by reading the NFSv42 XDR.
> That does not seem to really include anything with regards to authentication
> in there.  There is an include of “auth.h” which seems a little less than
> ideally portable to me.

I think the best place to start is RPCSEC_GSS https://datatracker.ietf.org/doc/html/rfc2203.

Best regards,
   Tigran.


> 
> Chris
> 
> 
>> On Sep 5, 2024, at 9:48 AM, Chuck Lever III <chuck.lever@oracle.com> wrote:
>> 
>> Warning: External Sender - do not click links or open attachments unless you
>> recognize the sender and know the content is safe.
>> 
>> 
>>> On Aug 29, 2024, at 11:02 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de>
>>> wrote:
>>> 
>>> 
>>> 
>>> Hi Chick,
>>> 
>>> The current state is available at:
>>> 
>>> https://github.com/kofemann/rpc-sec-oidc/blob/main/draft-tigran-nfsv4-rpcsecoidc.md
>>> 
>>> It is still quite raw, but indeed, if people comment, this will give me some
>>> guidelines and momentum.
>> 
>> Thanks for posting, Tigran! I will make some time in the next
>> couple of weeks to study the draft.
>> 
>> 
>> --
> > Chuck Lever