[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-04
Rick Macklem <rick.macklem@gmail.com> Sat, 10 August 2024 20:55 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73704C14F5F3 for <nfsv4@ietfa.amsl.com>; Sat, 10 Aug 2024 13:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28OBwX8UviAi for <nfsv4@ietfa.amsl.com>; Sat, 10 Aug 2024 13:55:47 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A038FC14F5E0 for <nfsv4@ietf.org>; Sat, 10 Aug 2024 13:55:47 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-e0bf9c7f4f2so3027941276.0 for <nfsv4@ietf.org>; Sat, 10 Aug 2024 13:55:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723323346; x=1723928146; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7yx0tUqQC4BYcIFcxOKT/aB9whTrV9x/7QL0JO8hThg=; b=aGMDgbmgJ3Mk5DbEHxZit+1EP/wMWfw24YqUUrEVW4IaabvDDKlU/XXRwYZwa5VlUI ji0xewk/XDDRxalQwv4o/+qcflF1HGVy7g6/fUGDosnXJlz3htp/CUPPdj9haD4M7O3e IrcKADqsjQ11I1tCT/pQSRInP1ZQ9xmAGPsvc8ruZOqbKrXJOoVSNzLS+AbllzSnnjZv 7Euq5U4Y/GFiJL+FweBeCCxZrQq4/E+221NOtX3pAx5gTdbgSzsemoG6jgvEAhm8hE1m ykP10erT8yJMVz7gLL9fu2KpZB/g9HlO519frEihQS3zue07+6DLYmYM/UGvvx75t63j N5yA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723323346; x=1723928146; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7yx0tUqQC4BYcIFcxOKT/aB9whTrV9x/7QL0JO8hThg=; b=e6C2pRaan3ZgZjrqCEmjCoc5FNxNBgwozzm1fFw2lf8TeTUYbzGVBLchDZGTj0faaa iDGE/BZyN7YPWmwqmAUTRPZVx/gSVs19wWpvJ6tRoUUGFLUAn5xxcQVM7XcHlLarnsRf VyuW1Kq4qEBbkKOvYGBIxtnZ0KOTo7tuEsTPi+nk7iilsgyCt1pAe0DDSeIuEts6p8TR kUOlUD31xbQPuxEtxL2aOl9PteMKbjcGpUbm8y6c5UNI3UJDlqwBrntIPJuzvjsux+eV Bv9pcQSFL1BsbrVohYW3doMufOrp/g8Gx1tLAUoA3vg7ko3slyicOOOE1PQEi3mrtC8I ONoA==
X-Gm-Message-State: AOJu0Yz/H0bhIRjqm8q6Xe4UfDJQZ7WN8Klde3IrkviTJEekGjcioo6q usYccGoXO7JCHqUKLW6QeEGrAgZL4jzESJE0TdJ1+AAhGbWVj32C/9I+qwntogDZoBR3aMyYEvC On3eXmDURZdaj1oNyxTLd/Oslz8zK
X-Google-Smtp-Source: AGHT+IGfJWEIlOFTdfCQR15U9sXah51Y8w5QC9IuZkVkmziWMORhe1zw8Pyd7Ui6bXdY26qc/xAQw1Wpuk4AzZP/Btc=
X-Received: by 2002:a05:6902:200c:b0:e04:e298:3749 with SMTP id 3f1490d57ef6-e0eb99b4661mr6908578276.33.1723323346403; Sat, 10 Aug 2024 13:55:46 -0700 (PDT)
MIME-Version: 1.0
References: <20240810003154.xw4gnos6fqr2yw54@pali>
In-Reply-To: <20240810003154.xw4gnos6fqr2yw54@pali>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Sat, 10 Aug 2024 13:55:36 -0700
Message-ID: <CAM5tNy4fo=8wzbM8qbRwtiPycSLTKPd7sVaBQZk72zZDJyq93Q@mail.gmail.com>
To: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
Content-Type: multipart/alternative; boundary="000000000000e54c24061f5a7bae"
Message-ID-Hash: L7WV6UBHX5RWKV7GWDLMTADOBGG37HAK
X-Message-ID-Hash: L7WV6UBHX5RWKV7GWDLMTADOBGG37HAK
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: nfsv4@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-04
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/5x4Oxsgl4pO3LhfRkL7OWWG9AV0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
I have updated the draft to -05. I think I have addressed your comments. A few inline responses below. On Fri, Aug 9, 2024 at 5:31 PM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> wrote: > Hello Rick, > > I have read your new version -04 of extension document and just now I > have figured out some new things there. > > For better readability I have one small suggestion for section 9. > In description of each attribute could be list of all possible values. > Currently the possible values are defined only in XDR section 4. And it > is quite hard for me to read this section 9, because I need to scroll up > (to read list of possible values) and then back down to the description. > When I first time read this section in -02 I was quite lost and I had to > read it more times. > > > My comment from -02 which still applies for -04 is version is ambiguity > of NFS4 mode attribute which does not match POSIX mode as required by > POSIX ACL. > I think I have addressed this now. It notes that mode is sychronized with the true form ACL for the file object. > > New comments for each section are below. > > > Section 5. POSIX ACL Considerations > > > in a directory that has a POSIX default ACL, the low-order nine bits > > of the mode MUST be specified by mode_umask in the setable attributes > > for the operation. > > I think that here is missing an important fact that mode is specified in > "mu_mode member of mode_umask" attribute and that the "mu_umask member > of mode_umask" is being ignored in this case (when POSIX default ACL is > being used). > > Because from current description is not clear how mode_umask is being > used as this attribute contains two members ("mu_mode" and "mu_umask"). > I added a "See RFC8275..." for this. > > > Section 6. POSIX ACL vs NFSv4 ACL Considerations > > > Using SETATTR to set the dacl attribute to an array of non-zero length > > ... will result in the object's acl model being set to ACL_MODEL_NFS4. > > Why setting NFS v4.1 dacl attribute to zero length is excluded here? > I think it is perfectly fine to set dacl with ACL4_PROTECTED flag and > with zero length (empty list of) ACEs. This is fully valid NFS4 model > ACL which overwrites automatic inheritance to ACL with no access. > > In my opinion using SETATTR on dacl attribute should always change acl > model to ACL_MODEL_NFS4. I'm expecting that as a user I'm setting NFS4 > dacl attribute which refers to NFS4 model, so I'm unconditionally > setting model to NFS4. > I compromised by saying any setting of dacl does this and any setting of acl, if it has ALLOW/DENY ACEs in it does this. (I don't know if a 0 length setting for acl means set the ACL model to NFSv4 or get rid of all ALARM/AUDIT ACEs or ???) I hope that David Noveck can resolve what a 0 length ACL actually means in his draft. As you have noted, SMB considers one of these "normal" and, as such, I see the argument that it should be that way for NFSv4 ACLs as well. However, I see that the FreeBSD port of OpenZFS (which uses ACL_MODEL_NFS4 as its true form) returns an error if a setting of a zero length ACL is attempted. I cannot tell if this was done by the FreeBSD guy that worked on ACLs or was cribbed from OpenSolaris? I think it would be nice to somehow "deprecate" acl in favour of dacl/sacl. > > In addition, if the object's acl model had been ACL_MODEL_POSIX_DRAFT, > > the existing default and access ACLs are to be deleted. > > I think that in this document it is a good idea to always explicitly > mention ACL type. Because sometimes it can be really confusing. For > example: "existing POSIX default and access ACLs" make it clear. > Sorry, but if ACL_MODEL_POSIX_DRAFT does not obviously refer to POSIX draft ACLs, I don't know what does. I left it as is. > > Section 7. GETATTR/SETATTR Atomicity should handle VERIFY and NVERIFY > atomically in the same way as GETATTR. > > For example, NFS4 client may want to check if POSIX ACL is set to some > specific structure, and VERIFY with both acl_trueform and > posix_access_acl attributes is the appropriate operation for it. > > Maybe VERIFY/NVERIFY should be covered also in other sections which > refers to GETATTR/READDIR? > Good catch. I think this is fixed now in the draft. > > > Section 9.3. Attribute 90: posix_default_acl > > > Since a POSIX default ACL only applies to directories, a SETATTR of > > the posix_default_acl for a non-directory object MUST reply > > NFS4ERR_INVAL. > > I guess that this MUST applies also for OPEN/OPEN4_CREATE and > CREATE/NON-NF4DIR operations. > Again, good catch. I think it is fixed now. > > > Section 9.4. Attribute 91: posix_access_acl > > > a successful setting of this attribute sets the value of acl_trueform > > to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model had > > been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so that > > the value of the dacl attribute is a zero-length array. > > In other email I already wrote similar comment which applies here too. > I think that this contradicts RFC 8881. Why? > > * Per section 1. Introduction: "If the server chooses to support > posix_default_acl and posix_access_acl for a file system, it MUST > support the mode/mode_umask attributes for the file system." > > * It is not explicitly mentioned but ACL_MODEL_NFS4 should imply that > NFS4 server has to support dacl (or acl) attribute. (It would be nice > to explicitly mention it.) > > * Per RFC 8881 section 6.4. Requirements: "The server that supports both > mode and ACL must take care to synchronize the MODE4_*USR, MODE4_*GRP, > and MODE4_*OTH bits with the ACEs that have respective who fields of > "OWNER@", "GROUP@", and "EVERYONE@". This way, the client can see if > semantically equivalent access permissions exist whether the client > asks for the owner, owner_group, and mode attributes or for just the > ACL." > > So we are in situation when mode, acl/dacl and posix_access_acl > attributes are supported. > > And successful setting of posix_access_acl attribute results in > zero-length array of dacl attribute. This removal of dacl ACEs results > in synchronization of dacl to mode attribute. As there is no "OWNER@", > "GROUP@", and "EVERYONE@" ACE entry in dacl anymore (because dacl is > empty), this will result in synchronization of mode to empty access 000. > > Per POSIX ACL, mode is being synchronized to POSIX ACL entities > user_obj, group_obj/mask, other. > > If my understanding and steps above are correct then successful setting > of posix_access_acl attribute to any value results in immediate no > access for user_obj, group_obj/mask and other POSIX entities. And I > guess that this is not intended behavior. > I added a short paragraph that states synchronization of mode with the true form ACL SHOULD be done. Using either RFC8881 or Grunbacher as references. > > > If SETATTR of a POSIX extended ACL does not have a POSIXACE4_TAG_MASK > > ACE, the SETATTR of the ACL MUST reply NFS4ERR_INVAL. > > I think there should be also mentioned that SETATTR of POSIX ACL (does > not have to be extended) which does not have POSIXACE4_TAG_USER_OBJ, > POSIXACE4_TAG_GROUP_OBJ or POSIXACE4_TAG_OTHER ACE MUST result in > NFS4ERR_INVAL too. (Except zero-length.) > I felt the description that noted these three ACEs are always in a POSIX draft ACL was enough but, yes, I suppose it should be added. I missed this one for -05, but will do so for -06. rick > > Regards, > Pali >
- [nfsv4] Comments for draft-rmacklem-nfsv4-posix-a… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár