Re: [nfsv4] comments w.r.t. flex layout draft 12
Olga Kornievskaia <aglo@citi.umich.edu> Tue, 25 July 2017 17:05 UTC
Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69570131E0F for <nfsv4@ietfa.amsl.com>; Tue, 25 Jul 2017 10:05:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ap4zKhShRPSR for <nfsv4@ietfa.amsl.com>; Tue, 25 Jul 2017 10:05:51 -0700 (PDT)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D742E131E0D for <nfsv4@ietf.org>; Tue, 25 Jul 2017 10:05:50 -0700 (PDT)
Received: by mail-qk0-x233.google.com with SMTP id q130so31656156qka.4 for <nfsv4@ietf.org>; Tue, 25 Jul 2017 10:05:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=Y7Tz+8P85yZGWOQiaOUa0CjC2g6E0G6JCyl7qoTJEKg=; b=f3pOAjabqhWDwSEd6SVf2+/qfmouJFGJDHZujlJA3smt4HixEm1szhQQ1yGBlCenlT BrWUhHYp80AP3UdqAOklJc+N56nUawlO7BV6vccyhcl8cx/sMPmpMJCAwI55E/ZRQy2b pXsjZYCGTHbL3GrawwLVspjeWmmwObEbcU9e2CbFvLa2B4j8bPR+JOyG3rQuIlsPdtAM BrZsdq4OA3Ctbn1YV7UauVYu45BgleusKFNnGuNsn1IJbfoXvFzdUSTctyC8KPOCrIMu BXn6bk7/ZvaW6Q8PEh6w9Re9Qm/WYhynfQ6MzseF/6mAyfJePZ2tNjDysmLc3e0oBt68 adlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=Y7Tz+8P85yZGWOQiaOUa0CjC2g6E0G6JCyl7qoTJEKg=; b=WDa23fUwFAZIw/xX7WDzrA1oLRb7WNrlVizE2Y7c7RJR77/IhvtCsA6wzUhgEfgCVj hCmS+x0voqhkjtHwfN7y27pqfzjFynvdSfm0sUomrh0l+kGI6ctChsKjn8HY3FROPyMF iVJKxDwYwbVxL8DMdByQ4Otb0EsN34kDxsg4fq6KVwOKdJqTm3k7LSpRa/qYkQ70VCe8 TTyZNHxH4edjo2WKeQlS35fDFhcxqMyrL17i8oq21VmW2luCg2jm3AZbiMuN0I+Bo+28 C/lYtnsj5cF47IhDwesv301n/mwQP8vNYfdToGt7R+fVCamEDikWsYoAGN6vqRHNeouI lnSQ==
X-Gm-Message-State: AIVw111g24sG+sh6flo2OCP1Kihg6wBBjE7xTaXe/hoObk+rbfNCS+gR 7ZcwZ//RpuZ8iZ1UK0k7FmjvSUq2Uw==
X-Received: by 10.55.72.206 with SMTP id v197mr25253893qka.133.1501002349897; Tue, 25 Jul 2017 10:05:49 -0700 (PDT)
MIME-Version: 1.0
Sender: olga.kornievskaia@gmail.com
Received: by 10.12.186.159 with HTTP; Tue, 25 Jul 2017 10:05:49 -0700 (PDT)
In-Reply-To: <20170724204354.GH17639@kduck.kaduk.org>
References: <YTXPR01MB0189332A64D2E7485CFC8F2CDDA40@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> <20170724204354.GH17639@kduck.kaduk.org>
From: Olga Kornievskaia <aglo@citi.umich.edu>
Date: Tue, 25 Jul 2017 13:05:49 -0400
X-Google-Sender-Auth: FtTMRHs_xDJwEriGKq3d09sbctg
Message-ID: <CAN-5tyHTb7-NA4NFSKQuOFxdh1ittxnWgqBnuBhBS7i3puG72w@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Rick Macklem <rmacklem@uoguelph.ca>, "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8IJpnX9V_p7r6NpHCj-uFBVn_xs>
Subject: Re: [nfsv4] comments w.r.t. flex layout draft 12
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 17:05:53 -0000
On Mon, Jul 24, 2017 at 4:43 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > On Fri, Jul 21, 2017 at 09:41:40PM +0000, Rick Macklem wrote: >> Hi, >> >> Overall, it looks good to me. >> >> First off, there is one generic issue I thought I'd bring up... >> - w.r.t. Kerberos...shouldn't it be talking about Rpcsec_gss instead of Kerberos, >> just in case someone uses another security mechanism someday? > > Arguably it should, yes. But the GSSAPI way to do the sort of thing > needed here involves GSS_Export_sec_context/GSS_Import_sec_context, which > is formally only specified for interprocess transfer on a single machine. > (After all, GSS-API objects are permitted to be opaque handles referring > to data stored outside of the current process.) Some implementations > do just dump a serialized data structure that could in theory be sent > over the network and used elsewhere, but there is no standardized way to > do so. Kerberos tickets, on the other hand, are standardized and quite > interoperable. But the specification might do well from using more general > terms and only listing Kerberos tickets as an example. > >> - Also, I'll admit I didn't understand the last two sentences of Sec. 15.1.1. >> - Why is the metadata server generating TGTs. Is this referring to the case of >> the metadata doing I/O on the storage server? Or is this specific to some part of >> RPCSEC_GSS_V3 (which I'll admit I've never looked at;-). If the latter, just ignore >> my ignorance;-) > > My (admittedly hasty) reading was that the metadata server is generating > "credentials" that the client then uses in subsequent communication with > the data server. Those newly minted credentials ought to be limited to > just the file access that was indicated to the MDS, whether by having > a dedicated/throwaway client principal name akin to the synthetic uid/gid > schemes, authorization data in the ticket, or some out-of-band scheme. > In order to fit nicely into the existing deployments using Kerberos, > the minted credentials need to be Kerberos credentials. > > That said, I see no reason why they need to be a TGT -- a service ticket > for the data server principal would work just fine and would save the > client a round-trip to the KDC. Doing so would also provide a bit more > implementation flexibility, if the MDS is given access to the long-term > key of the data servers (as it could then just print tickets locally and > not need to interact with the KDC). Another option for this sort of thing > would be the S4U2Proxy extension, that lets the MDS request that the KDC > print the desired tickets and the KDC can do authorization checking and > apply restrictions to the generated tickets/etc. S4U2Proxy helps if MDS was the one wanting to "act on users request" to the storage server. However, in this case (in this proposal), MDS is the one creating a new "identity" (synthetic uid/synthetic Kerberos principal) for the user to use while the client is authenticating to the storage server.
- [nfsv4] comments w.r.t. flex layout draft 12 Rick Macklem
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Benjamin Kaduk
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Thomas Haynes
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Thomas Haynes
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Olga Kornievskaia