Re: [nfsv4] (belated) copy of my review of draft-ietf-nfsv4-layout-types-03 (part 4)
Thomas Haynes <loghyr@primarydata.com> Thu, 20 July 2017 05:16 UTC
Return-Path: <loghyr@primarydata.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E463131748 for <nfsv4@ietfa.amsl.com>; Wed, 19 Jul 2017 22:16:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.49
X-Spam-Level:
X-Spam-Status: No, score=-2.49 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=primarydata.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTaw4cEgxDHk for <nfsv4@ietfa.amsl.com>; Wed, 19 Jul 2017 22:16:08 -0700 (PDT)
Received: from us-smtp-delivery-194.mimecast.com (us-smtp-delivery-194.mimecast.com [216.205.24.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 483AC131803 for <nfsv4@ietf.org>; Wed, 19 Jul 2017 22:16:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PrimaryData.onmicrosoft.com; s=selector1-primarydata-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=VgPIV1BAbXVoVg4uT4ef/S5xyLbWykua8O53p+8vgxA=; b=Pe1JWMtLowDCRRPEFw8+6NVanU0lr70Ez0K4NHiN//c0GclCF2NhQRxWzkKAq1zHf4msmUc0TxswoRKzKFTYPTaeckcd5gVehQbI+Q+ztcBHzjNCiRBE2X+NqIIjln4NyVqVEOhw+2PkoP3xMJQMuRgt+f6/ouA4WZgHQfLL1Ow=
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03lp0054.outbound.protection.outlook.com [216.32.180.54]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-191-uTaAtxccNOSAQyrUjATbyQ-1; Thu, 20 Jul 2017 01:16:04 -0400
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) by BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.13; Thu, 20 Jul 2017 05:16:00 +0000
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) by BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) with mapi id 15.01.1261.024; Thu, 20 Jul 2017 05:16:00 +0000
From: Thomas Haynes <loghyr@primarydata.com>
To: Dave Noveck <davenoveck@gmail.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] (belated) copy of my review of draft-ietf-nfsv4-layout-types-03 (part 4)
Thread-Index: AQHTARdGcmgjaVHv4kqDY6q374aZ2g==
Date: Thu, 20 Jul 2017 05:16:00 +0000
Message-ID: <54031CB6-50E1-4A46-9E38-7252EA1BBA9B@primarydata.com>
References: <CADaq8jc5ZkHbF=d8-6P+3hU0Y8YeXH_vRBK1RyepAK=vo4g93Q@mail.gmail.com>
In-Reply-To: <CADaq8jc5ZkHbF=d8-6P+3hU0Y8YeXH_vRBK1RyepAK=vo4g93Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:67c:1232:144:412a:96b6:3c15:67e5]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR1101MB1093; 20:Nk5yLOjikmF0vN5ju6b+YQCN8mj5mJRb8+7+KGeQZOTwcRU+3Bx2cLr6YvJ27LlcxrTrU9eteOWn896DwtNNr462hyoUbeqF9EPLjD/a5BCBpidmKfw44dzny1AYg/arEOEv//EUUqXLthZYYhvlXyVYpcMXZ5PjKyczAUglw/s=
x-ms-office365-filtering-correlation-id: 99c103af-ed0c-4084-1eaf-08d4cf2e6947
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR1101MB1093;
x-ms-traffictypediagnostic: BY2PR1101MB1093:
x-exchange-antispam-report-test: UriScan:(278178393323532)(158342451672863)(133145235818549)(236129657087228)(192374486261705)(788757137089)(148574349560750)(50300203121483)(247924648384137)(17755550239193);
x-microsoft-antispam-prvs: <BY2PR1101MB10938E6D9E0BF5AD0FEB4331CEA70@BY2PR1101MB1093.namprd11.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(2017060910075)(8121501046)(5005006)(93006095)(93001095)(3002001)(100000703101)(100105400095)(10201501046)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(2016111802025)(20161123560025)(20161123564025)(20161123558100)(20161123555025)(20161123562025)(6072148)(6043046)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR1101MB1093; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR1101MB1093;
x-forefront-prvs: 0374433C81
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39830400002)(39450400003)(39410400002)(24454002)(377454003)(3280700002)(6916009)(36756003)(5660300001)(4326008)(25786009)(53546010)(1411001)(33656002)(102836003)(6116002)(7736002)(2906002)(2950100002)(189998001)(6436002)(6486002)(81166006)(8676002)(3660700001)(230783001)(76176999)(53936002)(8936002)(38730400002)(54356999)(2900100001)(14454004)(77096006)(50986999)(39060400002)(6512007)(236005)(110136004)(6306002)(966005)(478600001)(6246003)(82746002)(99286003)(6506006)(83716003)(229853002)(54896002)(86362001)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR1101MB1093; H:BY2PR1101MB1093.namprd11.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: primarydata.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2017 05:16:00.5765 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 03193ed6-8726-4bb3-a832-18ab0d28adb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1101MB1093
X-MC-Unique: uTaAtxccNOSAQyrUjATbyQ-1
Content-Type: multipart/alternative; boundary="_000_54031CB650E14A469E387252EA1BBA9Bprimarydatacom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8hEEd2vjYwyIJ03zIz5zzt1Vj64>
Subject: Re: [nfsv4] (belated) copy of my review of draft-ietf-nfsv4-layout-types-03 (part 4)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 05:16:12 -0000
Here is part 4:
On Jul 16, 2015, at 4:21 PM, David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com>> wrote:
Object Layout Type
Within the first paragraph:
* I don't understand the first sentence as written. Is the following reasonable replacement?
The Object Layout Type provides that security checks occur during the allocation of a layout.
With the object layout type, security checks occur during
the allocation of the layout.
* The second sentence as written seems to (typically) require one LAYOUTGET per IO. I'm sure that isn't intended. Would the following make sense?
The client will typically will typically ask for layouts covering all of the file and may do so for either READ and READ/WRITE. This enables the client to do subsequent IO operations without the need to obtain layouts for specific byte ranges.
* With regard to the third sentence there are some difficulties that from inappropriately combining issues elated to authorization and those relating to locking:
* It doesn't make sense to speak of verifying permissions against outstanding locks since locks are owned by owners and not users/principals.
I’ll strip out the lock observation since RFC 5664 spares one sentence for locking.
* It seems incongruous to speak of verifying permissions against layout iomodes. Actually, layout iomodes are verified against permission (i.e. mode and acls).
* As regards the last sentence of the paragraph:
* Whatever you want to say about authentication her, clearly authentication has nothing to do with issuing ACCESS or OPEN calls.
Section 13 of RFC 5664:
When the client acts on I/O
operations on behalf of its local users, it MUST authenticate and
authorize the user by issuing respective OPEN and ACCESS calls to the
metadata server, similar to having NFSv4 data delegations.
and later in that same section:
A pNFS client will typically hold one layout for each byte range for
either READ or READ/WRITE. The client's credentials are checked by
the metadata server at LAYOUTGET time and it is the client's
responsibility to enforce access control among multiple users
accessing the same file. It is neither required nor expected that
the pNFS client will obtain a separate layout for each user accessing
a shared object. The client SHOULD use OPEN and ACCESS calls to
check user permissions when performing I/O so that the server's
access control policies are correctly enforced. The result of the
ACCESS operation may be cached while the client holds a valid layout
as the server is expected to recall layouts when the file's access
permissions or ACL change.
* I don't see why you would issue ACCESS (as opposed to OPEN) calls. Is this to enable IO with anonymous stateids?
You would have to ask one of the authors of RFC 5664.
* I don't see how this similar to having a data delegation. One always has to do an OPEN whether you have a data delegation or not.
Again, ask the authors...
In the first sentence of the second paragraph. the phrase "inside the layout" seems misplaced. How about the following proposed replacement?
Upon successful authorization, the client receives, within the layout, a set of object capabilities allowing it I/O access to the specified objects, with the requested iomode.
Took an edited version
As regards the long final sentence of the second paragraph, the fact that it includes the word "MUST" means we need to exercise particular care:
* Suggest replacing "enforce access control" by "enforce access control and loocking semantics”
Ack
* Suggest replacing "Whenever the metadata server detects one of:" by "Whenever any of the follow occur:
We still need to call out it is the responsibility of the MDS and not one of the other systems.
Whenever one of the following occur on the
metadata server:
* With regard to "the permissions on the object change", it should not be necessary to change the capability unless the change make access permissions more restrictive.
Making such a change would be a normative change to RFC 5664.
* With regard to "a conflicting mandatory byte-range lock is granted", since layouts are not owner-specific, it isn't clear exactly what is meant here by "conflicting”.
A good question to ask the authors of RFC 5664.
It appears that what is meant here is that you need to change the capability when there is a conflicting mandatory byte range lock obtained by another client.
It appear to me that the model for locking is that MDS is responsible enforcing locking between clients while the client is responsible for enforcing locking among owners within a single client. I hope that's right. It's all I can think of.
* With regard to, "a layout is revoked and reassigned to another client", the capability change should follow the revocation and should occur independently of any potential layout reassignment.
* Should also look at adding some the following:
* Revocation of a delegation, open or mandatory byte-range lock held by the client
Another normative change.
My hands are tied with respect to both the block and object layout types - I do not have any
implementation experience with them and have to go by what the authors specified as gospel.
* At the end of the sentence that the bullets are part of, suggest replacing "it" by "the metadata server" and "to implicitly invalidate'" by "in order to invalidate”
Ack
Summary
in the second sentence, suggest replacing "decisions seem to be forced" by "choices are conditioned".
I have a number of problems with the third sentence:
* Given, that, as indicated above, these choices are essentially dictated by the choice of storage protocol, I don't see how implementing any particular control protocol could be expected to change that.
A perfect example is with loosely and tightly coupled flex file implementations.
* It's not clear what the phrase "a real control protocol" means given the definition of a control protocol as "a set of requirements". I'm supposing this means "a 'control protocol', as that phrase might normally be understood", but this needs to be clarified. It is possible that the definitions I proposed for section 2 might help here. Then again,maybe not.
Took out “real”.
With regard to the first sentence of the second paragraph, I think "as we have seen" is not appropriate. I don't see where this has been shown (or demonstrated) to be the case. In fact, the control protocol has been defined to be a set of requirements and this sentence appear to draw conclusion from this fact, which is not appropriate. How about the following as a replacement?
In the context of this document , we treat the control protocol as a set of requirements.
With regard to the second sentence of the second paragraph, I have the following proposals:
* Replace "enclosing: by "defining".
* I have problems with the word "minimally' as it suggests something that only meets these minimal requirements is essentially OK. I can see how you might want to stress (1) and (2) as especially important. So how about the following:
* Drop the word 'minimally".
* Add the following paragraph at the end:
In addition, the document needs to make clear how other semantic requirements of NFSv4.1 (e.g. locking) are met in the context of the proposed layout type.
Ack
Security Considerations
I think you need a few introductory paragraphs, such as the following:
This section does not deal directly with security considerations for existing or new layout types. instead, it provides a general framework for understating security-related issues within the pNFS framework. Specific security considerations will be addressed in the Security Considerations sections of documents specifying layout types.
I really like that first paragraph...
The layout type specification must ensure that only data accesses consistent with the NFSV4.1 security model are allowed. It may do this directly, by providing that appropriate checks be performed at the time the access is performed, or by allowing the client or the data storage device to be responsible for making the appropriate checks, with the support of the metadata server. In the latter case,, IO access writes are reflected in layouts and the layout type must provide a way to prevent inappropriate access due to permissions changes between the time a layout is granted and the time the access is performed.
Took an edited version.
I think the following paragraph could appear after yours:
After such termination of access, the client has the opportunity to re-acquire the layout and perform the secuirty check in the context of the newly current access permissions.
Note that I am saying here that revocation of layouts is not required to enforce access permission chnges in the case of the file layout. It is required to enforce locking., but not access permissions. is this a problem?
No, because it may be required in another layout type
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org<mailto:nfsv4@ietf.org>
https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] (belated) copy of my review of draft-ietf… David Noveck
- Re: [nfsv4] (belated) copy of my review of draft-… spencer shepler
- Re: [nfsv4] (belated) copy of my review of draft-… Thomas Haynes
- Re: [nfsv4] (belated) copy of my review of draft-… Thomas Haynes
- Re: [nfsv4] (belated) copy of my review of draft-… David Noveck
- Re: [nfsv4] (belated) copy of my review of draft-… Thomas Haynes
- Re: [nfsv4] (belated) copy of my review of draft-… Thomas Haynes