Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by ietfa.amsl.com (Postfix) with ESMTP id 3C9E9C16940E
	for <nfsv4@ietfa.amsl.com>; Fri,  6 Sep 2024 02:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Level: 
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001,
	HK_RANDOM_FROM=0.455, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
	T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001,
	URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
	header.d=desy.de
Received: from mail.ietf.org ([50.223.129.194])
	by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 4Hpfwpt_vENJ for <nfsv4@ietfa.amsl.com>;
	Fri,  6 Sep 2024 02:45:48 -0700 (PDT)
Received: from smtp-o-1.desy.de (smtp-o-1.desy.de
 [IPv6:2001:638:700:1038::1:9a])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by ietfa.amsl.com (Postfix) with ESMTPS id D1373C157938
	for <nfsv4@ietf.org>; Fri,  6 Sep 2024 02:45:45 -0700 (PDT)
Received: from smtp-buf-1.desy.de (smtp-buf-1.desy.de [131.169.56.164])
	by smtp-o-1.desy.de (Postfix) with ESMTP id 6D2A711F741
	for <nfsv4@ietf.org>; Fri,  6 Sep 2024 11:45:41 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-1.desy.de 6D2A711F741
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default;
	t=1725615941; bh=5JZUN7Sv8xvXuwqD9gqsPuD3ubYSGvHBNzj08rMoMhE=;
	h=Date:From:To:Cc:In-Reply-To:References:Subject:From;
	b=G02YDYNspDJWixpzG/JFBqQuJQQy2FivoJ0sYOCaLRTm9FIIdrMlRhIV2bjOFidNe
	 NyB9iKKSWGvLgHmBtfWLo7D0Djo0he9wg0btzHn0ZKDr6YJ0WEg8UR9Z/3FMJHLaJQ
	 vEytJ84BjAwgoYl/5w7SNI6GFY0BpQL2Fn5DqWTo=
Received: from smtp-m-1.desy.de (smtp-m-1.desy.de
 [IPv6:2001:638:700:1038::1:81])
	by smtp-buf-1.desy.de (Postfix) with ESMTP id 605EC20038;
	Fri,  6 Sep 2024 11:45:41 +0200 (CEST)
Received: from a1722.mx.srv.dfn.de (a1722.mx.srv.dfn.de
 [IPv6:2001:638:d:c301:acdc:1979:2:e7])
	by smtp-m-1.desy.de (Postfix) with ESMTP id 5514240044;
	Fri,  6 Sep 2024 11:45:41 +0200 (CEST)
Received: from smtp-intra-1.desy.de (smtp-intra-1.desy.de
 [IPv6:2001:638:700:1038::1:52])
	by a1722.mx.srv.dfn.de (Postfix) with ESMTP id A01E8220043;
	Fri,  6 Sep 2024 11:45:39 +0200 (CEST)
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140])
	by smtp-intra-1.desy.de (Postfix) with ESMTP id 2CA098004E;
	Fri,  6 Sep 2024 11:45:39 +0200 (CEST)
Date: Fri, 6 Sep 2024 11:45:38 +0200 (CEST)
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chris Inacio <inacio@cert.org>
Message-ID: <687480948.58043142.1725615938837.JavaMail.zimbra@desy.de>
In-Reply-To: <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
References: <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org>
 <1452890090.47955225.1723888278946.JavaMail.zimbra@z-mbx-2>
 <2C377184-60B5-43B3-9FAD-33F682DBAC5D@oracle.com>
 <1086079167.54167075.1724943726342.JavaMail.zimbra@desy.de>
 <D5C0C2E4-0791-4970-93A5-C2DFDF566946@oracle.com>
 <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256;
	boundary="----=_Part_58043143_571235246.1725615939026"
X-Mailer: Zimbra 9.0.0_GA_4612 (ZimbraWebClient - FF129 (Linux)/9.0.0_GA_4612)
Thread-Topic: Feedback on user ID for any bis work
Thread-Index: AQHa8LbEvnI4unYR/0inUXlvBCKK47I+Z2UAgArrxYCAACg/gB0w3Coy
Message-ID-Hash: F2MXP2MSKPFUIWLZXOJJ2H4ELNT6B4BO
X-Message-ID-Hash: F2MXP2MSKPFUIWLZXOJJ2H4ELNT6B4BO
X-MailFrom: tigran.mkrtchyan@desy.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: =?utf-8?q?=5Bnfsv4=5D_Re=3A_Feedback_on_user_ID_for_any_bis_work?=
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/nfsv4/28NTPascZWePmaj-zf0rN-5YxSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

------=_Part_58043143_571235246.1725615939026
Date: Fri, 6 Sep 2024 11:45:38 +0200 (CEST)
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chris Inacio <inacio@cert.org>
Cc: Chuck Lever III <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Message-ID: <687480948.58043142.1725615938837.JavaMail.zimbra@desy.de>
In-Reply-To: <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
References: <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org> <1452890090.47955225.1723888278946.JavaMail.zimbra@z-mbx-2> <2C377184-60B5-43B3-9FAD-33F682DBAC5D@oracle.com> <1086079167.54167075.1724943726342.JavaMail.zimbra@desy.de> <D5C0C2E4-0791-4970-93A5-C2DFDF566946@oracle.com> <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
Subject: Re: [nfsv4] Feedback on user ID for any bis work
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: Zimbra 9.0.0_GA_4612 (ZimbraWebClient - FF129 (Linux)/9.0.0_GA_4612)
Thread-Topic: Feedback on user ID for any bis work
Thread-Index: AQHa8LbEvnI4unYR/0inUXlvBCKK47I+Z2UAgArrxYCAACg/gB0w3Coy


Hi Chris,

----- Original Message -----
> From: "Chris Inacio" <inacio@cert.org>
> To: "Chuck Lever III" <chuck.lever@oracle.com>
> Cc: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>, "NFSv4" <nfsv4@ietf.or=
g>
> Sent: Thursday, 5 September, 2024 18:12:45
> Subject: Re: [nfsv4] Feedback on user ID for any bis work

> Tigran,
>=20
> This is great; really what I had in mind.  I had been trying to puzzle th=
rough
> this myself.  For me (and its because I don=E2=80=99t know the mechanics =
of NFS well
> enough, at this point) the thing I am mentally tied up in is some form of
> =E2=80=9Cmapping=E2=80=9D from these external identities to file system U=
IDs.  LDAP provides a
> binding of directory authentication to a local UID which makes basic
> permissions easy to do on POSIX file systems.  Would another service /
> configuration mechanism be necessary to provide these remote ID to local =
UID
> mappings?  This gets a lot easier for filesystems that actually provide

OpenID-Connect tokens provide both identity information and access rights.
For other protocols, namely for HTTP, we can use LDAP to map users to a loc=
al
account and do permission validation based on Unix permissions. Alternative=
ly,
we can trust the identity provider and use an access token, like
'storage.read:/path/to/dir' and by-pass local permission validations.

The latter one is more complex for NFS, so my main focus (for now) is user =
mapping.


> workable ACLs, as far as I can tell.  Then you have the ability to at lea=
st
> provide a binding (even if it isn=E2=80=99t cryptographically strong at r=
est) of a
> permission on the server filesystem to the remote identity service.
>=20
> Correct me if I have any of this wrong, please.  When I last worked at a =
file
> systems company, I did TCP/IP interface and acceleration.  So the real
> mechanics and nuances of NFS aren=E2=80=99t totally clear to me.
>=20
> Side note: I was trying to understand how this works by reading the NFSv4=
2 XDR.
> That does not seem to really include anything with regards to authenticat=
ion
> in there.  There is an include of =E2=80=9Cauth.h=E2=80=9D which seems a =
little less than
> ideally portable to me.

I think the best place to start is RPCSEC_GSS https://datatracker.ietf.org/=
doc/html/rfc2203.

Best regards,
   Tigran.


>=20
> Chris
>=20
>=20
>> On Sep 5, 2024, at 9:48=E2=80=AFAM, Chuck Lever III <chuck.lever@oracle.=
com> wrote:
>>=20
>> Warning: External Sender - do not click links or open attachments unless=
 you
>> recognize the sender and know the content is safe.
>>=20
>>=20
>>> On Aug 29, 2024, at 11:02=E2=80=AFAM, Mkrtchyan, Tigran <tigran.mkrtchy=
an@desy.de>
>>> wrote:
>>>=20
>>>=20
>>>=20
>>> Hi Chick,
>>>=20
>>> The current state is available at:
>>>=20
>>> https://github.com/kofemann/rpc-sec-oidc/blob/main/draft-tigran-nfsv4-r=
pcsecoidc.md
>>>=20
>>> It is still quite raw, but indeed, if people comment, this will give me=
 some
>>> guidelines and momentum.
>>=20
>> Thanks for posting, Tigran! I will make some time in the next
>> couple of weeks to study the draft.
>>=20
>>=20
>> --
> > Chuck Lever

------=_Part_58043143_571235246.1725615939026
Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIIH
XzCCBUegAwIBAgIQWCKDCq74or/A6r3iyeFcUzANBgkqhkiG9w0BAQwFADBVMQswCQYDVQQGEwJO
TDEZMBcGA1UEChMQR0VBTlQgVmVyZW5pZ2luZzErMCkGA1UEAxMiR0VBTlQgVENTIEF1dGhlbnRp
Y2F0aW9uIFJTQSBDQSA0QjAeFw0yMzExMjkxMTUwMjRaFw0yNDEyMjgxMTUwMjRaMIGpMRMwEQYK
CZImiZPyLGQBGRMDb3JnMRYwFAYKCZImiZPyLGQBGRMGdGVyZW5hMRMwEQYKCZImiZPyLGQBGRMD
dGNzMQswCQYDVQQGEwJERTEuMCwGA1UEChMlRGV1dHNjaGVzIEVsZWt0cm9uZW4tU3luY2hyb3Ry
b24gREVTWTEoMCYGA1UEAwwfVGlncmFuIE1rcnRjaHlhbiB0aWdyYW5AZGVzeS5kZTCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBANIlFsEQpmV0zy2TtESnOX3d0a17dmceoaYpX2Sn9gwd
obCTBa2Ud/YsGJOuGMb/v1kO/4RyvlXTJFAI4Ui8GJf68MpkMHosIVzisWSPfsBnfWPxgwDTITuS
dwdviezHtvw8HM/Ksv1vjBODQcPgxBJCL/HUswzXEJEetYnnMwzBzLPHyTIuCmlJWRuTtFxNKeTN
yeMzCfm/lsoHI7cch6N+/cFzYGBl9fAKA67iLjlw+2p4IxsycFPi0PGpIxnb6N9vnTmpO9yybaoQ
KuQppnfm9cF8m6AaNoE16JqRcdxgpNbtfZTencbHnwlKukpBLGrlZcFdo/BPzjN0uBHK/W9YPMv1
MOtPaZF0rcjf2FiYUASRUNemOxCu2hkkUvN7UzPuFPszTt4Z4GF/7T76xh7jFQZnBVT8duwbvRDF
q/7rwHN7ZkSpXvIamqojIseNiBTOwC+0L3SaGQYN60JkQx+d+XoMFcFsm6mnyykwv5l2s3rXgQ7G
f73YgNG14esVa82Pbb6Rk43cUcay3DpWAlz7U/bODzePJ1pQcgpHuLJ78u2Sv2n5+YQg9huoGm6N
7eKfucPubjFE4Lpqp9O/I8IJBTwK0KNHSDOB0SFn3vaC6bt/kLGgbpsWW0yv+PzZyqmvYFZXTjlT
tgv3q86kM1sWSgCd/tuxuwWDkv2RHfbvAgMBAAGjggHUMIIB0DAfBgNVHSMEGDAWgBQQMuoC4vzP
6lYlVIfDmPXog9bFJDAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEF
BQcDAgYIKwYBBQUHAwQwRQYDVR0gBD4wPDAMBgoqhkiG90wFAgIFMA0GCyqGSIb3TAUCAwMDMA0G
CyqGSIb3TAUCAwECMA4GDCsGAQQBgcRaAgMCAjBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3Js
LmVudGVycHJpc2Uuc2VjdGlnby5jb20vR0VBTlRUQ1NBdXRoZW50aWNhdGlvblJTQUNBNEIuY3Js
MIGRBggrBgEFBQcBAQSBhDCBgTBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5lbnRlcnByaXNlLnNl
Y3RpZ28uY29tL0dFQU5UVENTQXV0aGVudGljYXRpb25SU0FDQTRCLmNydDAuBggrBgEFBQcwAYYi
aHR0cDovL29jc3AuZW50ZXJwcmlzZS5zZWN0aWdvLmNvbTAjBgNVHREEHDAagRh0aWdyYW4ubWty
dGNoeWFuQGRlc3kuZGUwHQYDVR0OBBYEFAKakYwt5EgoalXKWoNDPhs+2W3/MA0GCSqGSIb3DQEB
DAUAA4ICAQBlAH4oPlVJWw5MWlmenHfZE/N2Ep7tU89SXGQaIZoADcgr0Uzm1+wNIs7Qon9CovjH
dZ+7zAF1/gDdfYXy+odOMq1xjSeSwHcjuUarzndM1S0uV9DIr4SCRyXf+JP5aaOwVDpoV7JWlp+U
ptDsBqjEpB+nV2M9LlgRLBp4cdxKu6n/fjJkChR9hd+lDo9bGnR9Uj3KpYWq8GHpoNumUUjSz9A+
qPTYh4cAqRP12nk5Gqjs+ZnsG4j3EM/QFHQbQUtim0jQAA8TJ6whO7gpLKBuYfqXOdwgHT7Lgsw6
KMjhJSZs37WCOjj0mwmSzVAlX7FMmDimZt/lI7kpDfUtYHK+F8c11FxH2yZbrhjaa2rB3qXv4hIB
hrhbt/TNTra8D9C8s3CzxU1FvpREW2VuULyEf36g7ZDcUGom3md/kJFKWqj92KET7JcMp4K79aW/
s65vvcxXDJX6hWiBDkGBFX5Vqy4ni39zo6X9edqRxkJQIN7d4xFhihUvcUo4oLSeybfYNr+RY+tC
/s2PvoUHBsXqfrR5gjo7wz+CBh2O9JSA0g1OvGOpCdTw/EZ00gs4sOTU9heD3x5PzP0DJI+0DM/u
NUH0v918lSJP8zE1N4PjNO1FeqA0l95tQe231ZOZSbd+3EfDjWmvWnPneL2xo+MSXqBDSW4Ua88m
2C2tFcwvOwAAMYIDZTCCA2ECAQEwaTBVMQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVy
ZW5pZ2luZzErMCkGA1UEAxMiR0VBTlQgVENTIEF1dGhlbnRpY2F0aW9uIFJTQSBDQSA0QgIQWCKD
Cq74or/A6r3iyeFcUzANBglghkgBZQMEAgEFAKCBzjAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB
MBwGCSqGSIb3DQEJBTEPFw0yNDA5MDYwOTQ1MzlaMC0GCSqGSIb3DQEJNDEgMB4wDQYJYIZIAWUD
BAIBBQChDQYJKoZIhvcNAQELBQAwLwYJKoZIhvcNAQkEMSIEIHKMN9Xe2qt9XZEHpxj+1XwtrD9K
HdJMH43tCeV8eu/dMDQGCSqGSIb3DQEJDzEnMCUwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA
MAcGBSsOAwIHMA0GCSqGSIb3DQEBCwUABIICAE8puB39Kp343qtadsZBPCBhHiNJKpux7dLGQYxs
NiYVzgUkrYE3q6A3b9HHvZesyr/+kVe1sIXrDtMuTnIUZwGBGd5RzZ0Hzs7JUgJ4xmqL3dlckzei
1MDqF4N1Nmb/rIimzN2Jkle45tGrAhh3Qn8ksQwMTI+k/65/e0deMj78B36GZhqyObwx1PAo7+dO
2XKDEbAbVAl8g5/eurOzSsiGQriffENswsRaaG9dYeHFyvLiWjFA1gb0t9rDxKpRswiqMK/rktXz
fYntejCOAUKOr12EgjpOYa1Au3OM0uJ89R7R0bnF/+iBQOWXftcw4Ly0E39f+Fcx4wPgY40R+YxL
4zm01IzEAtH8HJhA2Df/vNnOxEMiLqRRku0hiFcJ6YPCdM2QwhdzZARFmowxHwc2yTm0gBsHYUmN
Q57aylMuESfyUnndyz+xNjYRLKYXcAeDEDliigQpdJEODkSYUlWin+NLsmEbFhFjFftWYvmeUYlv
/e3YJhQfuAIVIQO6ViN/XXVoadMevDXUa/fMKwL08IkmF3EuW5lImKGKy1vyFq1GfaQCf2swtCAj
DYxXmGvU5mDNaSarpHkVGCwvxHn1+YQhdv9NNCw0NGj2gSk1iGOQYchSMNDx+QXbQXY8njnjkPnv
wmT5czQwk8VMcfdOllQUm+JRtL4mvVEInXBNAAAAAAAA
------=_Part_58043143_571235246.1725615939026--