[nfsv4] Upcoming discussion of draft-adamson-nfsv4-multi-domain-access-03.txt on Fed FS call.
"William A. (Andy) Adamson" <androsadamson@gmail.com> Wed, 27 October 2010 14:38 UTC
Return-Path: <androsadamson@gmail.com>
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D84B03A6A47 for <nfsv4@core3.amsl.com>; Wed, 27 Oct 2010 07:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pYzTT5XvGuym for <nfsv4@core3.amsl.com>; Wed, 27 Oct 2010 07:38:33 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 7EFE73A6A36 for <nfsv4@ietf.org>; Wed, 27 Oct 2010 07:38:33 -0700 (PDT)
Received: by gya6 with SMTP id 6so453814gya.31 for <nfsv4@ietf.org>; Wed, 27 Oct 2010 07:40:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=qtPNIh+Y/6fHjSlDhjKHdW4wIcqArNrNntktAZvhApg=; b=Y/AC86D70KCJ/I+f3ay+Aqnf+oxelaFUyQBUCHzPDoPGxUQkHTu4qwYilzlcNo3hal S7rTzpTA4j9bo4e7TUAh5nrs1/pH223n4QOCV7EyPap3IlDucfW7MgCS7kxJqGoKd6VD Sg2S81pkLYlLSVmOVVBHOTcb+ZND+DrpWOekI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=fFvBz0YKbg8gQ71YqJcHsD4umwOsKmO8CKz6js9AbLLu6nBaoqSmk7YnXP/Uh4IrT1 oj13FiZmK3zANIqghefg3zEWzwdTdEO1bx+pNPPahUk/Dc5apDIpdQI3dsbhf4i6ka2x XfV0VeeKs0JIOQDohBcjJAm8PIfmWQkHTnM1s=
MIME-Version: 1.0
Received: by 10.42.229.133 with SMTP id ji5mr518037icb.350.1288190422854; Wed, 27 Oct 2010 07:40:22 -0700 (PDT)
Received: by 10.231.61.211 with HTTP; Wed, 27 Oct 2010 07:40:22 -0700 (PDT)
Date: Wed, 27 Oct 2010 10:40:22 -0400
Message-ID: <AANLkTim9tBeBxq51=7iYZz-3wOkOuKiDdpW700d_+7+r@mail.gmail.com>
From: "William A. (Andy) Adamson" <androsadamson@gmail.com>
To: NFSv4 <nfsv4@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [nfsv4] Upcoming discussion of draft-adamson-nfsv4-multi-domain-access-03.txt on Fed FS call.
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2010 14:38:39 -0000
The draft-adamson-nfsv4-multi-domain-access-03 ID will be discussed
(along with other items) during the FedFS call this Thursday, October
28th.
FedFS call:
Time: Thursdays 1:30-2:30 PM EST/10:30-11:30 AM PST
Dial-in: 1-888-765-3653 (us)
303-218-2659 (international)
Id: 2354843
The mulit-domain access draft is intended to (eventually) work well
with the general PAC described in
draft-sorce-krbwg-general-pac--00.txt, a new krb-wg draft. The general
PAC being the Kerberos version of the RPCSEC_GSS PAC described in the
mutli-domain draft. Currently, the issues that arise combining the two
IDs are being discussed on the KRB-WG.
The NFSv4 WG may or may not be the appropriate group to discuss the
Kerberos/GSS-API PAC issues, still, I suggest reading
draft-sorce-krbwg-general-pac-00.txt and to checkout the thread about
it on KRB-WG:
https://lists.anl.gov/pipermail/ietf-krb-wg/2010-October/thread.html
Here are some issues to discuss on the call. Other issues/questions welcome.
Section 5
This section includes an informative discussion of local
representations of global identity and the use of LDAP naming services
and ID mapping to provide multi domain capabilities for local-domain
only POSIX ID local representations (32bit UID/GID).
Issues:
a) LDAP as required-to-implement
b) Mandating how to configure the base DN, and how it is mandated
Our thinking is to REQUIRE to implement the above but allow OPTIONAL
methods for dealing with domains with base DNs that don't conform, for
NIS, SAML, ... instead of LDAP, ...
Section 6
This section discusses how to map an RPCSEC_GSS principal to a local
identity representation plus file access authorization information
including a set of local group representations.
Issues:
a) What is the Global ID form referred to in the RPCSEC_GSS
Authorization Context: Is it an SID? a
UUID(draft-sorce-krbwg-general-pac-00.txt)? some other form?
b) For global ID construction, we need to identify domains by ID. How
do we identify domains by ID, and how do we enforce domain ID
uniqueness?
One suggestion is that each federation should run a minimal directory
of its own to contain such things as the names and IDs of member
domains and to provide resolution of those items. By making this
minimal it can be easily replicated (and needn't even be an LDAP
directory).
Section 6.3
User Group Membership Determination
Issue for discussion from Nico:
This came up recently in the ABFAB WG / moonshot community, and it is
related to an issue that came up at KITTEN WG a few years ago:
depending on the terms of federation membership it may not be possible
to determine any attributes about a initiator principal other than a)
those asserted by their home domain, b) those asserted by the acceptor
principal's domain. That is, it may not be possible to determine all
of a user's group memberships across a federation. Moreover, you may
only get the attributes that the principal's home domain is willing to
assert, which may not be all of them -- privacy reasons.
This has implications for DENY ACL entries, namely: you must not add
DENY ACEs for groups unless you have an agreement that will be able to
determine memberships in those groups. Typically this will mean that
only groups in the acceptor principal's home domain can be used for
DENY ACEs.
Another implication is that if there might be any DENY ACEs, not only
must we limit them to groups whose memberships we stand a chance to
resolve, but also we need to knoe when the authorization context
resolution process has any transient failures, so that we can then
decide to reject authorization altogether (if, indeed, an ACL has DENY
ACEs).
Besides, for scalability reasons we couldn't have systems doing O(N)
searches, where N is the number of domains in the federation, in order
to fully determine the authorization context of a principal.
The only workaround I see: have one federation-wide directory to hold
federation-wide groups and their memberships (but not users). Then
servers will be able to lookup users' group memberships in
federation-wide groups (including via group nesting). And servers
could then have DENY ACEs with federation-wide groups, groups from the
acceptor principals' domains, local groups, and users from anywhere in
the federation.
-->Andy
- [nfsv4] Upcoming discussion of draft-adamson-nfsvā¦ William A. (Andy) Adamson