IETF Logo Mail Archive

Re: [nfsv4] comments w.r.t. flex layout draft 12

Thomas Haynes <loghyr@primarydata.com> Mon, 24 July 2017 21:22 UTC

Return-Path: <loghyr@primarydata.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E60C9131C34 for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 14:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.491
X-Spam-Level:
X-Spam-Status: No, score=-2.491 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=primarydata.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tO4mM2GRseym for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 14:22:52 -0700 (PDT)
Received: from us-smtp-delivery-194.mimecast.com (us-smtp-delivery-194.mimecast.com [216.205.24.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FCDE131456 for <nfsv4@ietf.org>; Mon, 24 Jul 2017 14:22:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PrimaryData.onmicrosoft.com; s=selector1-primarydata-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ZgGDhR0bP9Uaa78Til7MGQv2IBaCgfVSlyYo8rbxxgU=; b=BVGswlUWmwskDnv2XTR3rNylQPePLwJUJsPQNca2483ndj4XYoNRGSjbfgs7RPsbYzLWo66kMIv9dnJUCNPjMETl8NrGcoYVrLSLiTlTBOKsvyEz97E1/mBPu5XSi5jrEHGez5pdG6zybAMrNWoZHGfPIS4Is65mjXPBBOUg0tI=
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02lp0087.outbound.protection.outlook.com [207.46.163.87]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-133-R9ZJHqbLOwGb0kSVIx2JOQ-1; Mon, 24 Jul 2017 17:22:49 -0400
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) by BY2PR1101MB1095.namprd11.prod.outlook.com (10.164.166.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.10; Mon, 24 Jul 2017 21:22:47 +0000
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) by BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) with mapi id 15.01.1282.017; Mon, 24 Jul 2017 21:22:47 +0000
From: Thomas Haynes <loghyr@primarydata.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Rick Macklem <rmacklem@uoguelph.ca>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] comments w.r.t. flex layout draft 12
Thread-Index: AQHTAmkEOtZ5rSlip0aWin7YxO1ZKaJjdk+AgAAK2wA=
Date: Mon, 24 Jul 2017 21:22:46 +0000
Message-ID: <DF640596-C528-4BA5-9BCB-8C79977C0B7C@primarydata.com>
References: <YTXPR01MB0189332A64D2E7485CFC8F2CDDA40@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM> <20170724204354.GH17639@kduck.kaduk.org>
In-Reply-To: <20170724204354.GH17639@kduck.kaduk.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [63.157.6.18]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR1101MB1095; 20:d1XZEyNN8QO+vSLqI2CD7qj8sr1P1MSS5xZu619HCvfjTwyYOs9c3kCnZ1jyOf3uS2Hp4ZiHciA1diS1c6aQBACAafpqrbRmmzWTy/z01Ssf/LoA88+WVR5jGagPQI6mn+pCuAekPH3wjHhEv1N3S8f4m2+RMbglNxjcj/I5/rY=
x-ms-office365-filtering-correlation-id: 116ddc62-cafd-4f13-6916-08d4d2da2175
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR1101MB1095;
x-ms-traffictypediagnostic: BY2PR1101MB1095:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(35073007944872);
x-microsoft-antispam-prvs: <BY2PR1101MB1095EB5415AFF1ED80890B9DCEBB0@BY2PR1101MB1095.namprd11.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(100000703101)(100105400095)(10201501046)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(2016111802025)(20161123564025)(20161123560025)(20161123555025)(6072148)(6043046)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR1101MB1095; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR1101MB1095;
x-forefront-prvs: 0378F1E47A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39830400002)(39400400002)(39410400002)(24454002)(189002)(199003)(377454003)(51914003)(53546010)(110136004)(2900100001)(99286003)(38730400002)(54906002)(6512007)(2171002)(6306002)(3280700002)(36756003)(5660300001)(14454004)(6246003)(189998001)(3660700001)(2906002)(53936002)(54356999)(76176999)(50986999)(966005)(82746002)(83716003)(101416001)(97736004)(105586002)(106356001)(66066001)(6916009)(2950100002)(478600001)(81156014)(33656002)(6506006)(86362001)(229853002)(68736007)(77096006)(4326008)(6436002)(102836003)(7736002)(6116002)(3846002)(81166006)(8676002)(305945005)(8936002)(6486002)(25786009)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR1101MB1095; H:BY2PR1101MB1093.namprd11.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <FC1C31F8ED58C44A902D5E6F402FF3D1@namprd11.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: primarydata.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2017 21:22:46.9941 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 03193ed6-8726-4bb3-a832-18ab0d28adb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1101MB1095
X-MC-Unique: R9ZJHqbLOwGb0kSVIx2JOQ-1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8vNYR_GGipUrcB1cXATAiEQhsTw>
Subject: Re: [nfsv4] comments w.r.t. flex layout draft 12
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 21:22:55 -0000

> On Jul 24, 2017, at 1:43 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Fri, Jul 21, 2017 at 09:41:40PM +0000, Rick Macklem wrote:
>> Hi,
>> 
>> Overall, it looks good to me.
>> 
>> First off, there is one generic issue I thought I'd bring up...
>> - w.r.t. Kerberos...shouldn't it be talking about Rpcsec_gss instead of Kerberos,
>>  just in case someone uses another security mechanism someday?
> 
> Arguably it should, yes.

My bad - too much caffeine and not enough sleep. I knew I should
not have been writing down the word “kerberos”.

I’ll tie this back into Section 1.7.1 of RFC 5661.


>  But the GSSAPI way to do the sort of thing
> needed here involves GSS_Export_sec_context/GSS_Import_sec_context, which
> is formally only specified for interprocess transfer on a single machine.
> (After all, GSS-API objects are permitted to be opaque handles referring
> to data stored outside of the current process.)  Some implementations
> do just dump a serialized data structure that could in theory be sent
> over the network and used elsewhere, but there is no standardized way to
> do so.  Kerberos tickets, on the other hand, are standardized and quite
> interoperable.  But the specification might do well from using more general
> terms and only listing Kerberos tickets as an example.
> 
>> - Also, I'll admit I didn't understand the last two sentences of Sec. 15.1.1.
>> - Why is the metadata server generating TGTs. Is this referring to the case of
>>   the metadata doing I/O on the storage server? Or is this specific to some part of
>>   RPCSEC_GSS_V3 (which I'll admit I've never looked at;-). If the latter, just ignore
>>   my ignorance;-)
> 
> My (admittedly hasty) reading was that the metadata server is generating
> "credentials" that the client then uses in subsequent communication with
> the data server.  Those newly minted credentials ought to be limited to
> just the file access that was indicated to the MDS, whether by having
> a dedicated/throwaway client principal name akin to the synthetic uid/gid
> schemes, authorization data in the ticket, or some out-of-band scheme.
> In order to fit nicely into the existing deployments using Kerberos,
> the minted credentials need to be Kerberos credentials.
> 
> That said, I see no reason why they need to be a TGT -- a service ticket
> for the data server principal would work just fine and would save the
> client a round-trip to the KDC.  Doing so would also provide a bit more
> implementation flexibility, if the MDS is given access to the long-term
> key of the data servers (as it could then just print tickets locally and
> not need to interact with the KDC).  Another option for this sort of thing
> would be the S4U2Proxy extension, that lets the MDS request that the KDC
> print the desired tickets and the KDC can do authorization checking and
> apply restrictions to the generated tickets/etc.

Thanks for the suggestion, I’ll try to write this in to the next draft.

My main concerns here were:

1) Having sufficient requirements to meet the ones we have at the standards body level.
2) Giving enough detail that it did not look like hand waving.
3) Not lock an implementation down.




> 
> -Ben
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email