[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-04
David Noveck <davenoveck@gmail.com> Sat, 17 August 2024 23:03 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EDE8C14F6A5 for <nfsv4@ietfa.amsl.com>; Sat, 17 Aug 2024 16:03:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zrUQSXrQSnLm for <nfsv4@ietfa.amsl.com>; Sat, 17 Aug 2024 16:03:50 -0700 (PDT)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 012EEC14F5F8 for <nfsv4@ietf.org>; Sat, 17 Aug 2024 16:03:49 -0700 (PDT)
Received: by mail-yb1-xb2f.google.com with SMTP id 3f1490d57ef6-e115eb44752so3382645276.0 for <nfsv4@ietf.org>; Sat, 17 Aug 2024 16:03:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723935829; x=1724540629; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=B05LoDD6CD8sVRqb5xZDcb9q5SERpXAgLtjJDYxvd0k=; b=ZPzLGz3iKoXJS2+0BuDVT006bdoHU9ofFqxr8sZk7SETsD0ON4ztFVGQ1tSw6HtPav F57+7s5O5FUi3dpQah6N/p1JZ8xqVCC+q8kP+il5Ue5LFXF1bAJ6VZJ/2WJT+7jBhb6Z Ao63kAjLdUamdq1xdqtrIpdo8KNbcQ20sGPnY4xMCVqbBE20ZqlSTMyvni5IrgSTibno WivstHdL4/KGYHDhrS8qHExRJAN8ZzH8xx68JSx8fcXzumqSmvy+KZ0sRAkcuPMt2Zg3 IXEK6doBm6BQNiU5z56DH5GTeWZxwhg7OrjEcjlm/jPLbEfwKFt5v8rFv00zYyQJklW4 NeTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723935829; x=1724540629; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=B05LoDD6CD8sVRqb5xZDcb9q5SERpXAgLtjJDYxvd0k=; b=S07Z0RYDcRj3ZQrfYsqxBA7Z631BiVcOXjJZg6N5iCRCtXPJCf5MW88+wejwgEhdre Yx/WKoNNoKC4+Rx0orMn2Pm2WOgq4qhJujuWA+mdPUd0NYSrAo4hsgsDDXvPzPtsbUNm ZmG0glzdXufMm1q6/BKEWq7V5YT2DkWMkDmnZLUahdg3exWKB8TshTY0Rz36S+M9bJrc ytbn0TazPPAdr2aSGa6keNz9Cyg6rvqUC1/sPOdUTrn4fwD70i0ZbRQYI/D+179Vy2sx VUFkpMT5rz+m+KKeH5uWJmBQxsuk1CU9IGZRDWBNoCk03ze0pBgekjN1bk/QOGtJwWfU U9xQ==
X-Forwarded-Encrypted: i=1; AJvYcCVVbRDkfUX1sjYVN2XKrHI3PQt8GDTOmkQCNOX2FhnCm6tygkoOoGD+7DcYEPJb0CUhAFJwgiV+J6tpDnro7A==
X-Gm-Message-State: AOJu0YwhJCwckiimyXm1WqihVXl646Q926IfTQQ0wpIduQUJVcNHTfM4 vBJ0N0NliMdcb0rv5YRif+sE9Q0aXnamACHnPwwwT5+rdvPf1gHy4CxxyhX/rj6bWm2RAX8TwWk M2IwVHoLqB/JbPM9Gn8DDOZd+M1DN5Q==
X-Google-Smtp-Source: AGHT+IH7Ngaxv+NSeCtqR5ddu4v/Z/Pl8Sl0DG8vNXerBOMHQ5+uqsCUZ5yxClD0MIr4APdELbpgtcNiHqN9t4m7124=
X-Received: by 2002:a05:6902:1005:b0:e11:6b7a:22e1 with SMTP id 3f1490d57ef6-e1180fbca1fmr8534870276.36.1723935828748; Sat, 17 Aug 2024 16:03:48 -0700 (PDT)
MIME-Version: 1.0
References: <20240810003154.xw4gnos6fqr2yw54@pali> <CAM5tNy4fo=8wzbM8qbRwtiPycSLTKPd7sVaBQZk72zZDJyq93Q@mail.gmail.com> <20240810223629.dukpymniqn3uy2s6@pali> <CAM5tNy6+XHApuCu=N6RKLTgWToU7JQpp4QTxV9T2EE_dJQcGsQ@mail.gmail.com> <20240811101105.iuiyk7ygelhs7crv@pali> <CAM5tNy412=y44uFNLet0_Q6gZRKu4bOKF_Q0dGfO0v7sqf-U1A@mail.gmail.com> <20240812181732.nylecnp6lyrishgg@pali> <CAM5tNy60R69+ky3FaJ5guMYRhdY-A1_7qn4+5RzWtv8J+W0aaQ@mail.gmail.com> <20240817194734.ozzhrppu2psrka6k@pali> <CAM5tNy6cXogDyrYWkjBvek+M0tBn_4pVe=+ZC930Syw51ueboA@mail.gmail.com>
In-Reply-To: <CAM5tNy6cXogDyrYWkjBvek+M0tBn_4pVe=+ZC930Syw51ueboA@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sat, 17 Aug 2024 19:03:36 -0400
Message-ID: <CADaq8jfxqW8RHBQ9nGtKTPV16+WRJDQYQ1G_FzQL+yX_O4B3pA@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b036ea061fe916de"
Message-ID-Hash: HD5EN52DD4HSCHWTRVQYBQ2QRDBSDHIV
X-Message-ID-Hash: HD5EN52DD4HSCHWTRVQYBQ2QRDBSDHIV
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>, NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-04
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ADpWtIdmXeNpxcD-o3qU3D7Fb6A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Sat, Aug 17, 2024, 6:28 PM Rick Macklem <rick.macklem@gmail.com> wrote: > > > On Sat, Aug 17, 2024 at 12:47 PM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> > wrote: > >> On Monday 12 August 2024 18:03:09 Rick Macklem wrote: >> > I am only going to make a few generic statements... >> >> Ok, if you have a time, try to look at my comments from previous >> message. I would like to know if my ideas at least makes some sense or >> how hard would be to design this NFS4 POSIX ACL extension compatible >> with NFS4 servers with any possible RFC 8881 compatible meaning of >> "mode" attribute. >> >> Or if it is not clear, I could try to show it on more / other examples. >> >> > Before I started writing this draft, I prototyped >> > the posix_access_acl/posix_default_acl in FreeBSD. >> > Both client and server changes took about 3hrs. >> > Why was it so easy? >> > Because all of the stuff related to POSIX draft ACL >> > semantics was already there. Handling of mode vs POSIX >> > draft ACL was already there. >> > --> All I had to do was translate between the XDR format >> > and FreeBSD's internal format for a POSIX draft ACL. >> > By using a file system configured to use POSIX draft ACLs >> > for testing, that was all there was to it. >> > >> > What I cannot easily do is change any of the POSIX draft ACL >> > semantics, including how mode vs ACL are handled. Those are in >> > functions written by others at least 15years ago and trying >> > to change the semantics in any way would get serious pushback. >> > >> > I am not conversant with the Linux sources, but I suspect >> > that the situation is similar. >> > >> > I have trouble understanding your concerns w.r.t. mode for >> > a couple of reasons: >> > 1 - A NFSv4 client just sets/gets the mode bits. How setting >> > them affects ACLs and vice versa, are handled internally >> > by the server. >> >> Yes, it is handled by server and server is relatively free to choose one >> of the option what to do with it. But IEEE POSIX ACL does not allow to >> choose more options how to handle it. >> >> > 2 - Right now, there may some words in RFC8881 related to >> > NFSv4 ACLs vs mode bits, but in the end, it is whatever >> > the server implementation chooses to do. >> >> Yes, this is the primary problem related to mode as I detailed >> described. Servers can chose and existing servers have already chosen >> one of the option how to handle it. And if server implementation has >> chosen option incompatible with IEEE POSIX ACL draft then such server >> cannot implement this NFS4 POSIX ACL extension if backward compatibility >> is priority of the server. >> > When I first started working on this draft, I assumed that a file system > would choose to do POSIX draft ACLs or it would choose to do NFSv4 ACLs. > As such, the file system would maintain mode based on which it chose. > (Or, put another way, the mode vs ACL algorithms will be different for > the different true form ACLs.) > > Then David Noveck indicated that he thought a "per-file object" scope > was useful (and Frank Filz noted that IBM's GPFS could do this already). > I would like to know how IBM's GPFS handles mode when the true form > ACL (lets say NFSv4) is replaced by a POSIX draft ACL? > (I'd guess that the mode gets set to whatever the POSIX draft ACL requires, > Yes. essentially replacing both mode and ACL at the same time, but I do not > know.) > "at the same time" suggests atomicity. I'm not sure the draft POSIX ACLs requires that, bit if it does, you have to do the same. > > Now, if you meant the mode would be replaced when you talked about "two > modes" > then, yes, I would agree. > > David, do you have an opinion w.r.t. what should happen to mode when a ACL > of one true form is replaced by an ACL of the other true form for a file > object? > Yes. The mode should be that required by the new true to reflect the new ACL. I don't see how you could do anything else. > rick > > >> If server implementation already chosen option fully compatible with >> IEEE POSIX ALC draft (which I guess is the case of Linux and FreeBSD >> servers) then implementation of NFS4 POSIX ACL extension is >> straightforward. >> >> > For OpenZFS, there is a knob (they call them properties) >> > called "aclmode". It controls what happens when either >> > a NFSv4 ACL is set or the 9 bits of mode is set. >> > The knob currently has 4 possible settings. >> > Does any of these four settings conform to the >> > vague requirements in RFC8881? I am not sure, but again, >> > changing those semantics now would not be easy. (Maybe >> > yet another knob setting?) >> > (If you google for "man zfsprops", you can read what they are.) >> >> I looked at it. I think that all four options are "compatible" with NFS4 >> server according to RFC 8881. Just because RFC 8881 allows server to do >> lot of options. >> > 🤢 >> On the other hand, IEEE POSIX ACL draft is exact and strict how chmod >> modifies (POSIX) ACL. >> >> > The case my prototype does not implement is the per file object scope >> > case (ACL_SCOPE_FILE_OBJECT), because no file system on FreeBSD can >> > do NFSv4 and POSIX draft ACLs on the same file system. >> > >> > Btw, if there is a server implementor that wants to implement >> > posix_access_acl/posix_default_acl and the system they are working >> > on does not have a POSIX draft ACL implementation, there are at >> > least 3 open source implementations (with different licenses) they >> > can work from, plus the Grunbacher paper. >> >> I guess that this would apply for industry environment where is mainly >> used Windows-style/NFS4 ACLs. >> >> > rick >> > >> > >> > On Mon, Aug 12, 2024 at 11:17 AM Pali Rohár < >> pali-ietf-nfsv4@ietf.pali.im> >> > wrote: >> > >> > > On Sunday 11 August 2024 17:09:44 Rick Macklem wrote: >> > > > On Sun, Aug 11, 2024 at 3:11 AM Pali Rohár < >> pali-ietf-nfsv4@ietf.pali.im >> > > > >> > > > wrote: >> > > > >> > > > > On Saturday 10 August 2024 16:54:39 Rick Macklem wrote: >> > > > > > On Sat, Aug 10, 2024 at 3:36 PM Pali Rohár < >> > > pali-ietf-nfsv4@ietf.pali.im >> > > > > > >> > > > > > wrote: >> > > > > > >> > > > > > > On Saturday 10 August 2024 13:55:36 Rick Macklem wrote: >> > > > > > > > I have updated the draft to -05. I think I have >> > > > > > > > addressed your comments. >> > > > > > > > >> > > > > > > > A few inline responses below. >> > > > > > > > >> > > > > > > > On Fri, Aug 9, 2024 at 5:31 PM Pali Rohár < >> > > > > pali-ietf-nfsv4@ietf.pali.im> >> > > > > > > > wrote: >> > > > > > > > >> > > > > > > > > Hello Rick, >> > > > > > > > > >> > > > > > > > > I have read your new version -04 of extension document >> and just >> > > > > now I >> > > > > > > > > have figured out some new things there. >> > > > > > > > > >> > > > > > > > > For better readability I have one small suggestion for >> section >> > > 9. >> > > > > > > > > In description of each attribute could be list of all >> possible >> > > > > values. >> > > > > > > > > Currently the possible values are defined only in XDR >> section >> > > 4. >> > > > > And it >> > > > > > > > > is quite hard for me to read this section 9, because I >> need to >> > > > > scroll >> > > > > > > up >> > > > > > > > > (to read list of possible values) and then back down to >> the >> > > > > > > description. >> > > > > > > > > When I first time read this section in -02 I was quite >> lost >> > > and I >> > > > > had >> > > > > > > to >> > > > > > > > > read it more times. >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > My comment from -02 which still applies for -04 is >> version is >> > > > > ambiguity >> > > > > > > > > of NFS4 mode attribute which does not match POSIX mode as >> > > required >> > > > > by >> > > > > > > > > POSIX ACL. >> > > > > > > > > >> > > > > > > > I think I have addressed this now. It notes that mode is >> > > sychronized >> > > > > > > > with the true form ACL for the file object. >> > > > > > > >> > > > > > > I think that there is still an issue. Meaning of the mode >> > > attribute is >> > > > > > > defined differently in RFC 8881. >> > > > > > > >> > > > > > > RFC 8881 6.2.4. Attribute 33: mode says: "Bits MODE4_RGRP, >> > > MODE4_WGRP, >> > > > > > > and MODE4_XGRP apply to principals identified in the >> owner_group >> > > > > > > attribute but who are not identified in the owner attribute." >> > > > > > > >> > > > > > > RFC 8881 6.3.2.1. Discussion says: "Some server >> implementations >> > > also >> > > > > add >> > > > > > > bits permitted to named users and groups to the group bits >> > > (MODE4_RGRP, >> > > > > > > MODE4_WGRP, and MODE4_XGRP). Implementations are discouraged >> from >> > > doing >> > > > > > > this." >> > > > > > > >> > > > > > > So according to meaning of mode attribute, MODE4_RGRP, >> MODE4_WGRP, >> > > and >> > > > > > > MODE4_XGRP bits matches POSIXACE4_TAG_GROUP_OBJ. Which is not >> > > > > compatible >> > > > > > > with IEEE POSIX draft. >> > > > > > > >> > > > > > > I see that you have added following requirement into >> description. >> > > > > > > >> > > > > > > "If the true form is ACL_MODEL_POSIX_DRAFT, synchronization >> is >> > > > > > > described in [Grünbacher]." >> > > > > > > >> > > > > > > Which sounds like that it wants to override what is defined >> in the >> > > > > > > "RFC 8881 6.2.4. Attribute 33: mode", and change meaning of >> the >> > > NFS4 >> > > > > > > mode attribute. >> > > > > > > >> > > > > > > I do not think that it is a good idea if some optional >> extension is >> > > > > > > going to change meaning or wants that server should implement >> > > something >> > > > > > > which RFC 8881 6.3.2.1. says that "Implementations are >> discouraged >> > > from >> > > > > > > doing this". It it contradiction. >> > > > > > > >> > > > > > > Example scenario why it is a bad idea. >> > > > > > > >> > > > > > > Some existing NFS4 server implements mode attribute according >> to >> > > > > > > RFC 8881 and always synchronize group bits with owner_group >> (who >> > > is not >> > > > > > > owner). So group bits are never POSIX mask. And also >> implements >> > > NFS4 >> > > > > > > ACL support. >> > > > > > > >> > > > > > > There is some NFS4 client which is using that NFS4 server, >> and this >> > > > > > > client uses only mode attribute (does not touch >> acl/dacl/sacl), >> > > and is >> > > > > > > using chmod with group bits to set access for owner_group >> (who is >> > > not >> > > > > > > owner). >> > > > > > > >> > > > > > > Everything is working fine up to here. >> > > > > > > >> > > > > > > Now that NFS4 server wants to implement per-file scope POSIX >> ACL >> > > > > > > support. The only requirement is not break that existing NFS4 >> > > client. >> > > > > > > As the NFS4 client does not look or touch any ACL, POSIX ACL >> > > support on >> > > > > > > server filesystem should be harmless. >> > > > > > > >> > > > > > > But problem is that such server cannot implement POSIX ACL >> support >> > > > > > > according to this extension because of "mode" compatibility >> issues >> > > with >> > > > > > > that NFS4 client. For compatibility reasons for every file, >> server >> > > has >> > > > > > > to return MODE4_RGRP/MODE4_WGRP/MODE4_XGRP bits from >> owner_group >> > > (like >> > > > > > > before). But this POSIX ACL extension requires that mode >> group bits >> > > > > > > would be synchronized with POSIX MASK, so chmod of group bits >> stops >> > > > > > > working and breaks that NFS4 mode-only client. >> > > > > > > >> > > > > > That is a choice the server implementer makes. It is no >> different >> > > > > > than local use of POSIX draft ACLs on systems such as Linux. >> > > > > > The user chooses to set a POSIX draft ACL on the local file >> object >> > > > > > and in doing so, gets POSIX draft ACL semantics. If they do not >> set >> > > > > > a POSIX draft ACL on the object, they get "mode only" semantics. >> > > > > >> > > > > By implementing this extension there is no choice for server in >> above >> > > > > example to allow it to return GETATTR(mode) attribute according to >> > > > > preferred way as in RFC 8881. >> > > > > >> > > > > It is not same as on local Linux system, because on local Linux >> system, >> > > > > all get-mode operations (stat or statx, ...) can already return >> MASK in >> > > > > mode group bits. >> > > > > >> > > > > RFC 8881 say that "Implementations are discouraged from doing >> this." >> > > > > Local Linux systems do not say anything like this. >> > > > > >> > > > > So it is different situation. >> > > > > >> > > > I am aware from home until Friday, so I cannot do any actual >> > > > test on Linux until then. However, I expect to see the following: >> > > > - Given a typical server running knfsd, where the server's file >> > > > system uses POSIX draft as its true form. >> > > > Locally on the server: AC >> > > > - create a file in a directory without any default ACL. >> > > > ls -l <-- shows the default mode >> > > > setfacl of an extended POSIX ACL >> > > > ls -l <-- shows the mode has changed, as expected >> > > > - Mount this file system via NFSv3 and do the same as above. >> > > > - create a file in a directory without any default ACL. >> > > > ls -l <-- shows the default mode >> > > > setfacl of an extended POSIX ACL >> > > > ls -l <-- shows the mode has changed, as expected >> > > > Bottom line, Since both the Linux client and knfsd server >> > > > support the undocumented NFSACL sideband protocol, I would >> > > >> > > I'm not sure if NFS3 ACL is really undocumented, year ago when I was >> > > looking for it I found some documentation, XDR definitions and also >> some >> > > Sun or Oracle descriptions. But I do not have references in hands. >> > > >> > > > expect the outcome to look identical to what happens when >> > > > the same commands are done locally on the file system. >> > > > (As I said, I cannot actually try this until I get home >> > > > at the end of the week and will post if do not see the above.) >> > > >> > > Yes, IIRC last time when I checked it, over NFS3 network protocol, >> this >> > > behavior of Linux NFS3 client and Linux knfsd NFS3 server was same as >> on >> > > the local Linux ext4 filesystem. Matches what you described above. >> > > >> > > > Now, remount using NFSv4.1/4.2 >> > > > - setfacl fails with an error. >> > > >> > > Yes, this is truth, as Linux NFS4 client does not allow to access >> > > Linux NFS4 server's ACLs via setfacl, even that Linux NFS4 knfsd >> server >> > > provides mapping in "acl" attribute. >> > > >> > > > The user has to go back to NFSv3 to do the setfacl. >> > > > Now, wouldn't it be nice if NFSv4 worked exactly the >> > > > same way as NFSv3 and local file system access? >> > > >> > > Yes, it would be really nice and I hope that this your extension would >> > > allow to implement it. >> > > >> > > > The object of this extension is to permit the semantics for >> > > > NFSv4 to be identical to NFSv3 and locally on the server file >> > > > system. That is what this extension is all about. >> > > >> > > Yes, I agree. >> > > >> > > > Until the Linux folk do an implementation, I cannot be sure what >> > > > will be needed, but I am confident that the Linux developers >> > > > will figure it out. >> > > >> > > The important is that _both_ Linux NFS4 client and Linux NFS4 knfsd >> > > server have to be modified to support this new extension. Just one >> part >> > > (e.g. only client or only server) is not enough. So it would be >> required >> > > to upgrade all clients and server. >> > > >> > > > Since [Grunbacher] describes how this is done on Linux, that >> > > > is the "standard" for handling mode when a server chooses to >> > > > support posix_access_acl for a true form of POSIX draft ACL. >> > > >> > > Here I would say that it (mode) is _not_ standard way of handling. I >> > > would say that standard way of mode is only what is descried in >> released >> > > RFCs, therefore in RFC 8881. More NFS4 servers do not handle NFS4 mode >> > > attribute in this way as Linux NFS4 server (which is allowed by RFC >> 8881 >> > > but not preferred). >> > > >> > > But Linux NFS4 knfsd server is handling it in this way as you >> described >> > > So for combination of Linux NFS4 client and Linux knfsd NFS4 server >> > > would work it fine. >> > > >> > > > Maybe the draft needs a sentence clarifying this. >> > > > Something like: >> > > > For a server file system that supports the posix_access_acl >> > > > attribute and file objects where acl_trueform is >> ACL_MODEL_POSIX_DRAFT, >> > > > if there is a discrepancy between the semantics for mode handling as >> > > > described >> > > > in [RFC8881] vs the semantics for mode handling in {Grunbacher], the >> > > > semantics >> > > > specified in [Grunbacher] MUST be used. >> > > >> > > I still do not think it is a good idea. It will work perfectly fine >> for >> > > Linux knfsd server and Linux client. But would not work for >> combination >> > > of Linux client with some non-Linux NFS4 server which cannot (for >> > > existing backward compatibility) provide existing NFS4 mode attribute >> > > according to [Grunbacher] mapping, even when some optional extension >> > > will be implemented. >> > > >> > > I'm trying to show that this way is not universal for any NFS4 server. >> > > I understand that it will work fine for Linux and FreeBSD NFS4 servers >> > > and this ecosystem around but as I described it would not work for >> some >> > > other servers. >> > > >> > > I'm looking at this from other perspective: to be usable for more >> > > servers and ecosystems, not just Linux<-->Linux or FreeBSD<-->Linux >> > > but also for industry<-->Linux. >> > > >> > > And I would like to see this POSIX extension to be implementable also >> > > for other NFS4 server which do not provide current NFS4 mode attribute >> > > according to [Grunbacher] but provide it according to [RFC8881]. >> > > >> > > Changing mode mapping in industrial NFS software, just for >> implementing >> > > some optional extension, is a huge risk and can be a big stop gap to >> not >> > > implement this optional extension at all. Changing behavior of >> anything >> > > (does not matter what it is) is always a problem. So if some >> industrial >> > > NFS server returns in MODE4_*GRP bits permissions only and only for >> > > owner_group then this server would have to do it in any future >> versions >> > > under any conditions, and changing this behavior does not have to be >> > > acceptable. Industrial software is lot of times "certificated" or >> > > "tested" for behavior to ensure forward and backward compatibility >> under >> > > any condition (for this case, "any condition" means also any value of >> > > acl_trueform setting). >> > > >> > > That is why I'm trying to say that it is better to not change meaning >> of >> > > NFS4 mode attribute, let it as is in RFC 8881 (and discrepancy handle >> as >> > > defined in RFC 8881) and instead for POSIX ACL extension purposes >> > > provide a way for client to retrieve the real POSIX mode from some >> other >> > > attribute which will be according to POSIX ACL specification. I >> proposed >> > > two alternatives how it could be done. >> > > >> > > This should work with any NFS4 server, any NFS4 client, including >> Linux, >> > > and also allows NFS4 servers which needs to have existing NFS4 mode >> > > attribute to stay according to RFC 8881, to implement optional >> per-file >> > > POSIX ACL support. >> > > >> > > > >> > > > >> > > > > > If a server chooses to implement the extension proposed in this >> > > draft, >> > > > > > then there is no NFSv4 ACL and the behaviour looks exactly the >> same >> > > > > > as for local uses with/without POSIX draft ACLs on file objects >> on >> > > the >> > > > > > system. >> > > > > >> > > > > In above example there no usage of NFS4 ACL. So this issue is not >> > > > > related to NFS4 ACL. It is related to NFS4 mode. >> > > > > >> > > > > I do not see a choice how could that NFS4 server in above example >> > > > > implement this POSIX extension without violating some MUST parts >> of >> > > > > description. >> > > > > >> > > > > > >> > > > > > > So how could this NFS4 server implements POSIX ACL support for >> > > Linux or >> > > > > > > FreeBSD client without breaking that one mentioned NFS4 >> client? >> > > > > > >> > > > > > >> > > > > > > I think that it is needed to define a new posix_mode >> attribute. I >> > > do >> > > > > not >> > > > > > > see right now any option how to not break backward >> compatibility >> > > for >> > > > > > > existing mode-only clients (which wants behavior of mode group >> > > bits as >> > > > > > > written in RFC 8881 / 6.2.4) and at the same time support >> POSIX ACL >> > > > > > > which requires that mode group bits contains either MASK (or >> > > group_obj >> > > > > > > if MASK is not defined). >> > > > > > > >> > > > > > > Or another option, putting content of POSIX-correct "mode" >> > > attribute >> > > > > > > into the "posix_access_acl" attribute (e.g. at beginning of >> the >> > > > > > > structure) as it is used only when POSIX ACL mode is active. >> > > > > > > >> > > > > > I do not think a separate mode is a good idea, just like I do >> not >> > > > > > think having both POSIX draft ACL(s) and a NFSv4 ACL >> stored/used for >> > > > > > permission checking on the same file >> > > > > > object at a given time is a good idea (the true form). >> > > > > > >> > > > > > The simple summary for all this is the following: >> > > > > > RFC8881 was written for only one kind of ACL (NFSv4), so any >> > > discussions >> > > > > > in it w.r.t. the relationship between ACLs and mode are >> implicitly >> > > for >> > > > > > NFSv4 ACLs only and, understandably, did not take the POSIX >> draft >> > > ACLs >> > > > > > into account. >> > > > > > --> This optional extension changes all the above, so that >> server >> > > > > > implementers >> > > > > > can choose to implement POSIX draft ACLs and use POSIX draft >> > > rules >> > > > > > related >> > > > > > to ACLs and mode, if they choose to do so. >> > > > > >> > > > > What is in RFC 8881 written: >> > > > > >> > > > > "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals >> > > > > identified in the owner_group attribute but who are not >> identified in >> > > > > the owner attribute." >> > > > > >> > > > > This does not imply NFS4 ACL usage. At least this is how I >> understand >> > > it. >> > > > > >> > > > > It if the extension is suppose to change all this above then this >> > > > > extension is not backward compatible with existing RFC 8881 >> > > > > implementations and NFS4 servers for which is backward >> compatibility >> > > > > crucial part, cannot implement this extension at all. >> > > > > >> > > > > In my opinion, backward compatible extension should not change >> meaning >> > > > > of some parts or require servers to implements something which is >> > > marked >> > > > > as "discourage do it". >> > > > > >> > > > > For me this is really too restrictive. >> > > > > >> > > > > From one direction I'm seeing it quite inconsistent if POSIX ACL >> is >> > > > > stored in separate attribute than NFS4 ACL, but POSIX mode is >> stored in >> > > > > same attribute as NFS4 mode. For an engineer who is going to >> implement >> > > > > this extension it looks to be a mess. >> > > > > >> > > > > >> > > > > I have just another option without need for a new posix_mode >> attribute >> > > > > (if you think that new separate attribute is not a good idea) how >> to >> > > > > make the extension backward compatible and allow NFS4 server in >> above >> > > > > example implement it without braking that NFS4 client: >> > > > > >> > > > > - Explicitly mention that NFS4 mode attribute is exactly >> according to >> > > > > RFC 8881 description, so MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP >> bits >> > > > > on existing server implementations could refer to POSIX >> group_obj >> > > > > (but server implementations may refer to also POSIX mask, but >> it is >> > > > > discourage do it). All this is just explicit backward >> compatibility. >> > > > > >> > > > > - Describe that NFS4 client, which is implementing this >> extension, and >> > > > > wants to call CHMOD on ACL_MODEL_POSIX_DRAFT file with MASK >> ACE, it >> > > > > has to use SETATTR(posix_access_acl) instead of SETATTR(mode). >> Also >> > > > > if client wants to receive POSIX MODE, it has to use >> > > > > GETATTR(posix_access_acl) instead of GETATTR(mode). This is for >> > > making >> > > > > compatibility with existing NFS4 server which follows RFC 8881. >> > > > > NFS4 client implementing this extension can calculate correct >> POSIX >> > > > > mode from posix_access_acl attribute (checking if there is a >> MASK and >> > > > > based on this put content of MODE_xGRP bits). >> > > > > >> > > > > > >> > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > New comments for each section are below. >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > Section 5. POSIX ACL Considerations >> > > > > > > > > >> > > > > > > > > > in a directory that has a POSIX default ACL, the >> low-order >> > > nine >> > > > > bits >> > > > > > > > > > of the mode MUST be specified by mode_umask in the >> setable >> > > > > attributes >> > > > > > > > > > for the operation. >> > > > > > > > > >> > > > > > > > > I think that here is missing an important fact that mode >> is >> > > > > specified >> > > > > > > in >> > > > > > > > > "mu_mode member of mode_umask" attribute and that the >> "mu_umask >> > > > > member >> > > > > > > > > of mode_umask" is being ignored in this case (when POSIX >> > > default >> > > > > ACL is >> > > > > > > > > being used). >> > > > > > > > > >> > > > > > > > > Because from current description is not clear how >> mode_umask is >> > > > > being >> > > > > > > > > used as this attribute contains two members ("mu_mode" and >> > > > > "mu_umask"). >> > > > > > > > > >> > > > > > > > I added a "See RFC8275..." for this. >> > > > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > Section 6. POSIX ACL vs NFSv4 ACL Considerations >> > > > > > > > > >> > > > > > > > > > Using SETATTR to set the dacl attribute to an array of >> > > non-zero >> > > > > > > length >> > > > > > > > > > ... will result in the object's acl model being set to >> > > > > > > ACL_MODEL_NFS4. >> > > > > > > > > >> > > > > > > > > Why setting NFS v4.1 dacl attribute to zero length is >> excluded >> > > > > here? >> > > > > > > > > I think it is perfectly fine to set dacl with >> ACL4_PROTECTED >> > > flag >> > > > > and >> > > > > > > > > with zero length (empty list of) ACEs. This is fully >> valid NFS4 >> > > > > model >> > > > > > > > > ACL which overwrites automatic inheritance to ACL with no >> > > access. >> > > > > > > > > >> > > > > > > > > In my opinion using SETATTR on dacl attribute should >> always >> > > change >> > > > > acl >> > > > > > > > > model to ACL_MODEL_NFS4. I'm expecting that as a user I'm >> > > setting >> > > > > NFS4 >> > > > > > > > > dacl attribute which refers to NFS4 model, so I'm >> > > unconditionally >> > > > > > > > > setting model to NFS4. >> > > > > > > > > >> > > > > > > > I compromised by saying any setting of dacl does this and >> any >> > > setting >> > > > > > > > of acl, if it has ALLOW/DENY ACEs in it does this. (I don't >> know >> > > if >> > > > > a 0 >> > > > > > > > length >> > > > > > > > setting for acl means set the ACL model to NFSv4 or get rid >> of >> > > all >> > > > > > > > ALARM/AUDIT ACEs or ???) >> > > > > > > >> > > > > > > If acl attribute for some object contains only one ACE with >> > > > > > > "AUDIT SUCCESS|FAILURE EVERYONE@ FULL_ACCESS" then server >> should >> > > send >> > > > > > > into audit log any attempt to access that file. >> > > > > > > >> > > > > > > If I as admin want to remove auditing on that file then I >> need to >> > > > > remove >> > > > > > > this one ACE from acl attribute. So it means that I have to >> set acl >> > > > > > > attribute to empty. >> > > > > > > >> > > > > > > So setting zero length acl attribute has to get rid of all >> ACEs, >> > > ALLOW, >> > > > > > > DENY and also AUDIT and ALARM. Otherwise admin would not be >> able to >> > > > > stop >> > > > > > > auditing on file which has only AUDITing rules. >> > > > > > > >> > > > > > > > I hope that David Noveck can resolve what a 0 length ACL >> actually >> > > > > means >> > > > > > > > in his draft. As you have noted, SMB considers one of these >> > > "normal" >> > > > > and, >> > > > > > > > as such, I see the argument that it should be that way for >> NFSv4 >> > > > > ACLs as >> > > > > > > > well. >> > > > > > > > However, I see that the FreeBSD port of OpenZFS (which uses >> > > > > > > ACL_MODEL_NFS4 >> > > > > > > > as >> > > > > > > > its true form) returns an error if a setting of a zero >> length >> > > ACL is >> > > > > > > > attempted. >> > > > > > > >> > > > > > > I thought that it is clear, but seems that there are >> confusions >> > > about >> > > > > > > zero length ACL. So proper clarification in new ACL draft >> would be >> > > > > > > really helpful. >> > > > > > > >> > > > > > > > I cannot tell if this was done by the FreeBSD guy that >> worked on >> > > > > ACLs or >> > > > > > > was >> > > > > > > > cribbed from OpenSolaris? >> > > > > > > >> > > > > > > I think it could be possible to check what the Oracle's >> Solaris is >> > > > > > > doing. >> > > > > > > >> > > > > > > > I think it would be nice to somehow "deprecate" acl in >> favour of >> > > > > > > dacl/sacl. >> > > > > > > >> > > > > > > I'm supporting the idea of deprecating "acl" attribute in >> favour of >> > > > > > > separated dacl and sacl attributes. >> > > > > > > >> > > > > > > But for backward compatibility with NFS v4.1 (and v4.2) it is >> > > > > > > impossible. Breaking existing NFS v4.1 clients which supports >> only >> > > > > "acl" >> > > > > > > attribute should be really avoided. So some future NFS v4.3 >> is the >> > > > > > > candidate for removal of this "acl" attribute. >> > > > > > > >> > > > > > > > >> > > > > > > > > > In addition, if the object's acl model had been >> > > > > > > ACL_MODEL_POSIX_DRAFT, >> > > > > > > > > > the existing default and access ACLs are to be deleted. >> > > > > > > > > >> > > > > > > > > I think that in this document it is a good idea to always >> > > > > explicitly >> > > > > > > > > mention ACL type. Because sometimes it can be really >> > > confusing. For >> > > > > > > > > example: "existing POSIX default and access ACLs" make it >> > > clear. >> > > > > > > > > >> > > > > > > > Sorry, but if ACL_MODEL_POSIX_DRAFT does not obviously >> refer to >> > > POSIX >> > > > > > > draft >> > > > > > > > ACLs, >> > > > > > > > I don't know what does. I left it as is. >> > > > > > > >> > > > > > > I was suggesting this from the point of view of somebody new >> this >> > > area. >> > > > > > > For people familiar with POSIX ACL it is obvious. For >> somebody who >> > > is >> > > > > > > new to ACL it can be hard to figure out what is obvious and >> what >> > > not. >> > > > > > > >> > > > > > > But if you think it is OK then let it as is. >> > > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > Section 7. GETATTR/SETATTR Atomicity should handle VERIFY >> and >> > > > > NVERIFY >> > > > > > > > > atomically in the same way as GETATTR. >> > > > > > > > > >> > > > > > > > > For example, NFS4 client may want to check if POSIX ACL >> is set >> > > to >> > > > > some >> > > > > > > > > specific structure, and VERIFY with both acl_trueform and >> > > > > > > > > posix_access_acl attributes is the appropriate operation >> for >> > > it. >> > > > > > > > > >> > > > > > > > > Maybe VERIFY/NVERIFY should be covered also in other >> sections >> > > which >> > > > > > > > > refers to GETATTR/READDIR? >> > > > > > > > > >> > > > > > > > Good catch. I think this is fixed now in the draft. >> > > > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > Section 9.3. Attribute 90: posix_default_acl >> > > > > > > > > >> > > > > > > > > > Since a POSIX default ACL only applies to directories, a >> > > SETATTR >> > > > > of >> > > > > > > > > > the posix_default_acl for a non-directory object MUST >> reply >> > > > > > > > > > NFS4ERR_INVAL. >> > > > > > > > > >> > > > > > > > > I guess that this MUST applies also for OPEN/OPEN4_CREATE >> and >> > > > > > > > > CREATE/NON-NF4DIR operations. >> > > > > > > > > >> > > > > > > > Again, good catch. I think it is fixed now. >> > > > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > Section 9.4. Attribute 91: posix_access_acl >> > > > > > > > > >> > > > > > > > > > a successful setting of this attribute sets the value of >> > > > > acl_trueform >> > > > > > > > > > to ACL_MODEL_POSIX_DRAFT. In addition, if the object's >> acl >> > > model >> > > > > had >> > > > > > > > > > been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be >> deleted >> > > so >> > > > > that >> > > > > > > > > > the value of the dacl attribute is a zero-length array. >> > > > > > > > > >> > > > > > > > > In other email I already wrote similar comment which >> applies >> > > here >> > > > > too. >> > > > > > > > > I think that this contradicts RFC 8881. Why? >> > > > > > > > > >> > > > > > > > > * Per section 1. Introduction: "If the server chooses to >> > > support >> > > > > > > > > posix_default_acl and posix_access_acl for a file >> system, it >> > > MUST >> > > > > > > > > support the mode/mode_umask attributes for the file >> system." >> > > > > > > > > >> > > > > > > > > * It is not explicitly mentioned but ACL_MODEL_NFS4 should >> > > imply >> > > > > that >> > > > > > > > > NFS4 server has to support dacl (or acl) attribute. (It >> > > would be >> > > > > nice >> > > > > > > > > to explicitly mention it.) >> > > > > > > > > >> > > > > > > > > * Per RFC 8881 section 6.4. Requirements: "The server that >> > > supports >> > > > > > > both >> > > > > > > > > mode and ACL must take care to synchronize the >> MODE4_*USR, >> > > > > > > MODE4_*GRP, >> > > > > > > > > and MODE4_*OTH bits with the ACEs that have respective >> who >> > > > > fields of >> > > > > > > > > "OWNER@", "GROUP@", and "EVERYONE@". This way, the >> client >> > > can >> > > > > see if >> > > > > > > > > semantically equivalent access permissions exist >> whether the >> > > > > client >> > > > > > > > > asks for the owner, owner_group, and mode attributes or >> for >> > > just >> > > > > the >> > > > > > > > > ACL." >> > > > > > > > > >> > > > > > > > > So we are in situation when mode, acl/dacl and >> posix_access_acl >> > > > > > > > > attributes are supported. >> > > > > > > > > >> > > > > > > > > And successful setting of posix_access_acl attribute >> results in >> > > > > > > > > zero-length array of dacl attribute. This removal of dacl >> ACEs >> > > > > results >> > > > > > > > > in synchronization of dacl to mode attribute. As there is >> no >> > > > > "OWNER@", >> > > > > > > > > "GROUP@", and "EVERYONE@" ACE entry in dacl anymore >> (because >> > > dacl >> > > > > is >> > > > > > > > > empty), this will result in synchronization of mode to >> empty >> > > access >> > > > > > > 000. >> > > > > > > > > >> > > > > > > > > Per POSIX ACL, mode is being synchronized to POSIX ACL >> entities >> > > > > > > > > user_obj, group_obj/mask, other. >> > > > > > > > > >> > > > > > > > > If my understanding and steps above are correct then >> successful >> > > > > setting >> > > > > > > > > of posix_access_acl attribute to any value results in >> > > immediate no >> > > > > > > > > access for user_obj, group_obj/mask and other POSIX >> entities. >> > > And I >> > > > > > > > > guess that this is not intended behavior. >> > > > > > > > > >> > > > > > > > I added a short paragraph that states synchronization of >> mode >> > > with >> > > > > > > > the true form ACL SHOULD be done. Using either RFC8881 or >> > > Grunbacher >> > > > > > > > as references. >> > > > > > > >> > > > > > > But the problem is still there. The extension document still >> says >> > > > > > > "if the object's acl model had been ACL_MODEL_NFS4, all ALLOW >> and >> > > DENY >> > > > > > > ACEs will be deleted so that the value of the dacl attribute >> is a >> > > > > > > zero-length array." which as I described above, according to >> RFC >> > > 8881 >> > > > > it >> > > > > > > can be interpreted as removal of all access for owner, group >> and >> > > > > others. >> > > > > > > >> > > > > > > It is not clear if the synchronization of the mode with true >> form >> > > ACL >> > > > > > > should be done before or after deleting of ALLOW/DENY rules. >> > > > > > > >> > > > > > > The problem is that SETATTR(posix_access_acl) is doing lot of >> > > things, >> > > > > > > including: >> > > > > > > >> > > > > > > * changing acl_trueform_scope to ACL_MODEL_POSIX_DRAFT >> > > > > > > * changing posix_access_acl to value specified in SETATTR >> > > > > > > * changing mode to value from posix_access_acl >> > > > > > > * changing acl and dacl values by removing all ALLOW and DENY >> rules >> > > > > > > * changing acl and dacl values to value from mode (RFC 8881 >> 6.4) >> > > > > > > (Have I forgot something?) >> > > > > > > >> > > > > > Although it is hard to write in a format that works for this >> draft, >> > > > > > in summary, it is very simple: >> > > > > > - Set a POSIX draft ACL on the file object and delete any dacl. >> > > > > > Unfortunately, there is no well defined way to say the dacl has >> been >> > > > > > deleted. >> > > > > > (I thought a zero length ACL worked for this, since OpenZFS >> > > > > > does not allow setting of a zero length ACL, but you have >> pointed out >> > > > > > that that is not the case.) >> > > > > > --> So, until there is (if there ever is) a better way to say >> "dacl >> > > has >> > > > > > been deleted", it ends up as "make the dacl a zero length >> ACL >> > > and get >> > > > > > rid >> > > > > > of all allow/deny ACEs in acl. >> > > > > >> > > > > Just to note that zero length dacl is not accepted by NFS4 XDR >> because >> > > > > dacl attribute is a struct which contains flags and list of ACEs. >> > > > > >> > > > By aero length dacl, it means that the ACE cnt is zero, not that >> > > > the entire dacl attribute is of zero length. I will clarify that >> > > > in the next draft. >> > > >> > > Ok, this is a good idea to clarify it. Maybe it would be better to >> avoid >> > > "zero length" wording at all as it is confusing. I can imagine even >> more >> > > meanings of "zero length" in this RPC / XDR / NFS4 / ACL context. What >> > > about explicitly saying that dacl's na41_aces array has zero size and >> > > dacl's na41_flag is something... >> > > >> > > > >> > > > > So for backward compatibility, NFS4 server cannot send zero-length >> > > > > structure as a response for GETATTR(dacl) operation. >> > > > > >> > > > > Saying "delete dacl" or "remove dacl" is ambiguous. Developers of >> > > > > different NFS4 servers would understand it differently. >> > > > > >> > > > > I think it is needed to properly describe what it means. >> > > > > >> > > > As I have said before, I do not currently know the correct >> > > > syntax for "no NFSv4 ACL associated with this file object". >> > > >> > > I think that this is not possible to report. At least for me the ACL >> > > evaluation algorithm is clear that for empty list of ACEs means DENY. >> > > >> > > Anyway, RFC 8881 section 6.2.1 "Attribute 12: acl" says: >> > > >> > > "Some server platforms may provide access-control functionality that >> > > goes beyond the UNIX-style mode attribute, but that is not as rich as >> > > the NFS ACL model. So that users can take advantage of this more >> limited >> > > functionality, the server may support the acl attributes by mapping >> > > between its ACL model and the NFSv4.1 ACL model." >> > > >> > > This matches POSIX ACL model, so returning in GETATTR(dacl) mapped >> > > POSIX-in-NFS4 ACL according to [Grunbacher] should be fine and better >> > > than returning empty list of ACEs. >> > > >> > > Also needs to take care about combination of NFS4 server with POSIX >> > > extension on per-file level and NFS4 client without this POSIX >> > > extension. Practical example can be: FreeBSD server + Windows client. >> > > Windows client would be unhappy if for some files (under POSIX model) >> it >> > > would not receive NFS4 ACLs (at least mapped). >> > > >> > > > However, if the GETATTR also acquires the acl_trueform attribute >> > > > and sees it is not ACL_MODEL_NFS4, then the client knows that >> > > > the replied dacl is meaningless. >> > > >> > > I think it would be better to express that NFS4 client which >> implements >> > > this POSIX extension should ignore value of both acl and dacl >> attributes >> > > and use only posix_access_acl attribute when acl_trueform is not >> > > ACL_MODEL_NFS4 (still allow clients to use sacl attribute as POSIX ACL >> > > does not provide auditing support). >> > > >> > > But I would not say that dacl is meaningless when acl_trueform is not >> > > ACL_MODEL_NFS4. For clients which do not implement this POSIX >> extension, >> > > they cannot figure out what is state of acl_trueform. And cannot >> figure >> > > out that something other is used for access control. Again, quoted >> > > RFC 8881 section 6.2.1 above can be really useful for them. >> > > >> > > So server should return something meaningful for these NFS4 clients >> > > which do not implement this POSIX extension. It is needed for all >> > > already released Linux NFS4 clients which will be there for a very >> > > long time (via enterprise RHEL, SLED, ...) and on which is used >> > > nfs4_getfacl tool. >> > > >> > > > Maybe that is a better way to express it. >> > > > >> > > > rick >> > > > >> > > > >> > > > > > >> > > > > > > And executing these steps in incorrect order can results in >> > > something >> > > > > > > unexpected or something not compatible with IEEE POSIX draft. >> > > > > > > >> > > > > > Maybe I should just say "delete the dacl" and let server >> implementors >> > > > > > take it from there? >> > > > > > >> > > > > > >> > > > > > > >> > > > > > > >> > > > > > > And now I'm thinking, what should happen with dacl attribute's >> > > > > na41_flag >> > > > > > > value? Specially with ACL4_AUTO_INHERIT and ACL4_PROTECTED >> flags. >> > > > > > > >> > > > > > > I would say that ACL4_AUTO_INHERIT needs to be cleared (to >> prevent >> > > > > > > automatic inheritance to child objects) and ACL4_PROTECTED to >> be >> > > set >> > > > > (to >> > > > > > > prevent inheritance from parent objects). As POSIX ACL does >> not >> > > have >> > > > > any >> > > > > > > kind of automatic inheritance. >> > > > > > > >> > > > > > The intent of the above (and I have already noted that this is >> > > difficult >> > > > > > to write in a format acceptable for this draft) is "delete the >> dacl". >> > > > > > --> It goes away, no longer exists, has no effect on mode or >> access >> > > to >> > > > > > the file. >> > > > > >> > > > > It would be nice to explicitly mention this intent. This is >> something >> > > > > which really is not clear. >> > > > > >> > > > > Anyway, the question reminds, what should NFS4 server return in >> > > > > GETATTR(dacl) reply? Part of the dacl XDR structure are flags. >> > > > > >> > > > > And NFS4 client implementing automatic inheritance, when changing >> some >> > > > > top level dacl attribute, it has to traverse whole filesystem >> hierarchy >> > > > > and updates all child dacl attributes according to child's dacl >> flags. >> > > > > >> > > > > So incorrect information returned by dacl flags can totally mess >> up >> > > > > either NFS4 client or server's ACLs in whole filesystem. >> > > > > >> > > > > Due to this automatic inheritance, I think it is import to define >> > > > > exactly what has to happen. And as I wrote in previous message, I >> think >> > > > > that the correct way is to clear ACL4_AUTO_INHERIT and set >> > > > > ACL4_PROTECTED, to say NFS4 ACL client that automatic inheritance >> at >> > > > > that point stops and POSIX ACL (without automatic inheritance) >> > > > > continues. >> > > > > >> > > > > >> > > > > Hm... Would not it be easier for understanding to say that "dacl" >> > > > > attribute for object with acl_trueform ACL_MODEL_POSIX_DRAFT >> should >> > > > > return POSIX mapped NFS4 ACL [Eriksen]? (Of course only in case >> server >> > > > > implements "dacl" attribute). It will avoid any confusion what >> that >> > > zero >> > > > > length means or what that remove dacl mans. >> > > > > >> > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > > If SETATTR of a POSIX extended ACL does not have a >> > > > > POSIXACE4_TAG_MASK >> > > > > > > > > > ACE, the SETATTR of the ACL MUST reply NFS4ERR_INVAL. >> > > > > > > > > >> > > > > > > > > I think there should be also mentioned that SETATTR of >> POSIX >> > > ACL >> > > > > (does >> > > > > > > > > not have to be extended) which does not have >> > > > > POSIXACE4_TAG_USER_OBJ, >> > > > > > > > > POSIXACE4_TAG_GROUP_OBJ or POSIXACE4_TAG_OTHER ACE MUST >> result >> > > in >> > > > > > > > > NFS4ERR_INVAL too. (Except zero-length.) >> > > > > > > > > >> > > > > > > > I felt the description that noted these three ACEs are >> always in >> > > a >> > > > > POSIX >> > > > > > > > draft >> > > > > > > > ACL was enough but, yes, I suppose it should be added. >> > > > > > > > I missed this one for -05, but will do so for -06. >> > > > > > > >> > > > > > > Documentation should explicitly say what should happen = which >> > > error >> > > > > > > code to return when invalid POSIX ACL is specified in SETATTR >> (or >> > > > > > > OPEN/CREATE) operation. >> > > > > > > >> > > > > > > I was somehow surprised that XDR definition allows invalid >> POSIX >> > > ACL >> > > > > > > structure (the one without user_obj/group_obj/other parts). >> > > Because if >> > > > > > > it allows invalid structure then it is required to explicitly >> > > specify >> > > > > > > how to handle invalid cases. >> > > > > > > >> > > > > > I have already added a note that "one ACE for each of >> > > > > > POSIXACE4_USER_OBJ, POSIXACE4_GROUP_OBJ and POSIXACE4_OTHER is >> > > > > > required in posix_access_acl and posix_default_acl or >> NFS4ERR_INVAL >> > > > > > MUST be replied" in the next draft (I won't be updating the >> draft >> > > > > > on the datatracker for at least a week or two). >> > > > > >> > > > > Ok, this is good. >> > > > > >> > > > > I think it is not need to update draft every day. >> > > > > >> > > > > > rick >> > > > > > >> > > > > > >> > > > > > > > >> > > > > > > > rick >> > > > > > > > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > Regards, >> > > > > > > > > Pali >> > > > > > > > > >> > > > > > > >> > > > > >> > > > > > _______________________________________________ >> > > > > > nfsv4 mailing list -- nfsv4@ietf.org >> > > > > > To unsubscribe send an email to nfsv4-leave@ietf.org >> > > > > >> > > > > >> > > >> >> > _______________________________________________ >> > nfsv4 mailing list -- nfsv4@ietf.org >> > To unsubscribe send an email to nfsv4-leave@ietf.org >> >> _______________________________________________ > nfsv4 mailing list -- nfsv4@ietf.org > To unsubscribe send an email to nfsv4-leave@ietf.org >
- [nfsv4] Comments for draft-rmacklem-nfsv4-posix-a… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár