Re: [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE: what's required?

Mike Kupfer <mike.kupfer@oracle.com> Tue, 20 June 2017 19:11 UTC

To: David Noveck <davenoveck@gmail.com>
Cc: NFSv4 WG <nfsv4@ietf.org>
References: <ff5b21d9-f2f0-2c8b-1335-56384d08dacb@oracle.com> <CADaq8je5-bSKkcpP7VVP8VftLMM+nO9vQBbeavkg1xVhjGZuPQ@mail.gmail.com>
From: Mike Kupfer <mike.kupfer@oracle.com>
Organization: Oracle Corporation
Message-ID: <b91dd68b-0383-24dd-cafd-d7c589959db8@oracle.com>
Date: Tue, 20 Jun 2017 12:11:35 -0700
In-Reply-To: <CADaq8je5-bSKkcpP7VVP8VftLMM+nO9vQBbeavkg1xVhjGZuPQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/9Dh2l5pNjP51_TufGqWz1G38hl0>
Subject: Re: [nfsv4] NFSv4.1 SACL attribute and AUDIT ACE: what's required?

On 06/16/17 11:39, David Noveck wrote:

 >>   However, a server that supports either of the new
 >>   ACL attributes (dacl or sacl) MUST allow use of the new ACL
 >>   attributes to access all of the ACE types that it supports.
[...]
 > Perhaps the intention was to say that these attributes, when
 > implemented, should support the ACE types that each of the attributes
 > were designed/intended to support, if the server supports them at
 > all.

That was more or less my interpretation.

 >>   In other words, if such a server supports ALLOW or DENY ACEs,
 >>   then it MUST support the dacl attribute,
 >
 > This is essentially saying that if you support the acl attribute you
 > have to support dacl.  I don't know if that is the intention.

But there's that qualifier: "such a server".  I think that refers to
servers that support either dacl or sacl.  So if the server supports
acl, but not dacl or sacl, only the first sentence of the paragraph is 
relevant.

    Support for any of the ACL attributes is optional (albeit
    RECOMMENDED).

The rest of the paragraph is moot.

mike
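The two readings discussed in this message differ only for a server that supports acl but neither dacl nor sacl. The following is an added illustration of that difference, not code from any NFS implementation or from the thread; the ACE type constant names are those of RFC 5661, the `ServerAclSupport` model and the `qualifier_applies` switch are constructed for this example.

```python
from dataclasses import dataclass

# ACE type identifiers as named in RFC 5661.
ALLOW = "ACE4_ACCESS_ALLOWED_ACE_TYPE"
DENY = "ACE4_ACCESS_DENIED_ACE_TYPE"
AUDIT = "ACE4_SYSTEM_AUDIT_ACE_TYPE"
ALARM = "ACE4_SYSTEM_ALARM_ACE_TYPE"


@dataclass(frozen=True)
class ServerAclSupport:
    """Constructed model of what a server advertises (hypothetical)."""
    attributes: frozenset  # subset of {"acl", "dacl", "sacl"}
    ace_types: frozenset   # subset of {ALLOW, DENY, AUDIT, ALARM}


def check_acl_attr_requirements(server, qualifier_applies=True):
    """Return the list of MUST violations for the quoted paragraph.

    qualifier_applies=True encodes the reading in the message above:
    "such a server" limits the remaining sentences to servers that
    support dacl or sacl, so an acl-only server is never in scope.
    qualifier_applies=False encodes the broader reading, where the
    ALLOW/DENY -> dacl and AUDIT/ALARM -> sacl rules bind any server
    that supports at least one ACL attribute.
    """
    problems = []
    # First sentence: support for any ACL attribute is optional.
    if not server.attributes:
        return problems
    in_scope = bool(server.attributes & {"dacl", "sacl"})
    if qualifier_applies and not in_scope:
        return problems  # rest of the paragraph is moot
    if server.ace_types & {ALLOW, DENY} and "dacl" not in server.attributes:
        problems.append("supports ALLOW/DENY ACEs but not the dacl attribute")
    if server.ace_types & {AUDIT, ALARM} and "sacl" not in server.attributes:
        problems.append("supports AUDIT/ALARM ACEs but not the sacl attribute")
    return problems


# Constructed servers covering the cases the thread distinguishes.
ACL_ONLY = ServerAclSupport(frozenset({"acl"}), frozenset({ALLOW, DENY}))
SACL_NO_DACL = ServerAclSupport(frozenset({"acl", "sacl"}),
                                frozenset({ALLOW, DENY, AUDIT}))
FULL = ServerAclSupport(frozenset({"acl", "dacl", "sacl"}),
                        frozenset({ALLOW, DENY, AUDIT, ALARM}))
```

With the qualifier honoured, `ACL_ONLY` is consistent; without it the same server is flagged for lacking dacl, which is exactly the point at issue in the thread.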