[nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02

Rick Macklem <rick.macklem@gmail.com> Fri, 09 August 2024 22:25 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC47DC180B71 for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mrhg1Qx5mSK for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:25:56 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF413C137362 for <nfsv4@ietf.org>; Fri, 9 Aug 2024 15:25:56 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-2cb4b6ecb3dso1977243a91.3 for <nfsv4@ietf.org>; Fri, 09 Aug 2024 15:25:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723242356; x=1723847156; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Yjk7tcVq6CTSjjQ+vGrgG6ofABEXViCCQ2/vy+LxiQg=; b=mB/p6MDY9BUD81CQ86uRG48qfR7dGJSl8qOCY1a+0KDHNKJiaigeHX9U/Oku4u+SQP 4xCNw6saWTVJMKKbtK4tcxXTvnIg/iFx7TAKU0TtN8LWKEBpOWpf9DPXE9QBxnwbY0Mh DFZFpRdCsAquw88ICxJpgfKJCfXZNIqzuST2OeHbGTDvzd3+gSdyOMw/kX003N7KaOv1 KUtvmWsrWWC4h+oQmdvVZCxYpFJR+Iedsu7EjybY3FEIQj51vGM/BLmjUvwI1VUzC+lf WIgSqdWxQzFfXcPi9AhCK836LdAz9eT+1UvWQJpETPr1Sh0fpJrZlYw91y6l76YhKllZ euvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723242356; x=1723847156; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Yjk7tcVq6CTSjjQ+vGrgG6ofABEXViCCQ2/vy+LxiQg=; b=rUPxV6niHBrlmHnK10b1qSCPYbqCpKt9nIRMDmrlu5LeAIgNjzANUVFlRSomdOfymr E9wuTksjYnMWeuUe+zqZURzDQ/59GVWcMmUAyKrPnzpNHYTgzfDHh6UFi08miT6+jdiH LbW6bjb5jkTodF+vpZbuTDngWXi2jVJeIABXvni2W5zkmKf9UeYPJ9ssGD4bffHt55JE 55D29J/Km25nGWcs8+8Js+27s0DN7fHFh5Vrn2yby1sqLP8qnZUhUbPGtPxKohxYTreN 4Zpj/Sn+XnY+42/Hz4IH+Va/CG9Dz+lazv69kwxzQydosYgpJ25H/pWFG4eoNCyHFVj+ 5ZYg==
X-Gm-Message-State: AOJu0YzkWZUPduZkrdrgNnNobuLywB3UKCbV5M+GrFDrKKjRtrANkR5+ 9Ald4Z+UWhv1+t62U3F/UPkQU2TjVFsIGnt1NVEz/jY613qTUG7fIuymD2CdTjGtjQfIlr691MI fTPgljfSvZF5MofKf+j8qz8fxQg==
X-Google-Smtp-Source: AGHT+IE9TeLM7BrPzUpdmEfohlfe3dgIWO42zuiilPpc4TQkLTdBMLteCvKxsxtMf9Po0f6/ZzKfK82iroluy5orJyI=
X-Received: by 2002:a17:90a:9c5:b0:2c9:9f50:3f9d with SMTP id 98e67ed59e1d1-2d1e7f99f38mr3067859a91.5.1723242355745; Fri, 09 Aug 2024 15:25:55 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com> <CAM5tNy5kkGGCYSdfthZ419tv1OoA18y6rjkCkxzS+=VqH1w47Q@mail.gmail.com>
In-Reply-To: <CAM5tNy5kkGGCYSdfthZ419tv1OoA18y6rjkCkxzS+=VqH1w47Q@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 09 Aug 2024 15:25:45 -0700
Message-ID: <CAM5tNy5S6hyRaZgHDfiND-f4_kLYa_eViWnL9qO1NX0xd1K1ZQ@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000079ecea061f47a0c9"
Message-ID-Hash: DURKZQTDWGRYYR5JO2IITLW3VGOIJGE3
X-Message-ID-Hash: DURKZQTDWGRYYR5JO2IITLW3VGOIJGE3
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/EAudwG8-bkekfQ4UAFfzoXYpZr0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

I have updated the draft yet again to -04. Hopefully this
is it for a while.
The changes were:
- Added a short section w.r.t. atomicity of the ACL related
  attributes for GETATTR/READDIR vs SETATTR.
- Fixed a few typos introduced in the last revision.
- Reworded one case so that it now says that
  "if the acl_truform is ACL_MODEL_NONE, the
   posix_access_acl MUST be returned 0 length".

rick


On Wed, Aug 7, 2024 at 4:15 PM Rick Macklem <rick.macklem@gmail.com> wrote:

> I have updated the draft to draft-rmacklem-nfsv4-posix-acls-03.
> I think I have addressed all the comments in David's review.
>
> There are a few substantive changes:
> - The draft no longer refers to the setting of a 0 length NFSv4
>   ACL. (It appears that a 0 length NFSv4 ACL may just be a NFSv4
>   with no permissions. This is different from an erased Windows/SMB ACL,
>   which was what I was using a 0 length NFSv4 ACL for.)
> - I changed the ordering of setting mode vs POSIX ACL to defining the
>   order if they are in the set of setable attributes.
> - I think I now refer to mode/mode_set_masked/mode_umask correctly
>   and require support of mode_umask and mode for this extension.
> - When a NFSv4 ACL is being replaced by a POSIX ACL, it now notes that
>   the allow/deny ACEs will be deleted, so that the audit/alarm ACEs
>   remain intact.
> - It now allows a SETATTR to flip between NFSv4 and POSIX ACLs when
>   the scope is ACL_SCOPE_FILE_OBJECT. (The old draft restricted that.)
>
> Thanks go to David Noveck for his review.
>
> rick
>
>
> On Tue, Aug 6, 2024 at 8:26 AM David Noveck <davenoveck@gmail.com> wrote:
>
>> *Overall Evaluation *
>>
>> In good shape.  There are a few  non-editorial issues that need to be
>> dealt with but not many.
>>
>> I am prepared to support working group adoption as soon as the author is
>> ready to deal with the inevitable requests for a completion date.
>>
>> Based on what I have seen so far, I am planning to refocus work on
>> acls-05.  I had been hoping to enhance the NFSv4 ACL model so that the
>> POSIX ACL model could be a submodel.  As I read Andreas' document, this
>> kept getting more and more difficult and it now appears that, with the
>> document being reviewed, we have a reasonable path out of the existing ACL
>> mess 😳
>>
>> *General Issues*
>>
>> *Dealing with Sacls*
>>
>> There are a number of places where sacls are treated as parts of acls.
>> They shouldn't be and I will discuss below ways of having posix acls
>> co-exist with use of the parts of  NFSv4 ACLs  that are not related to
>> authorization.
>>
>> *Interaction with Existing ACL Attributes*
>>
>> There are some missing cases in the list in *6. POSIX ACL vs NFSv4 ACL
>> Considerations.* The existing treatment which deals only with deleting
>> ACLs does not address issues involving creating new ACLs of either type.
>>
>> *Ordering Issues*
>>
>> My issues with the substance of the attribute ordering restrictions have
>> been addressed but I still have issues with the stated justification.  See 5.
>> POSIX ACL Considerations for details.
>>
>>
>> *Per-section Issues*
>>
>> *Abstract *
>>
>> Suggest rewriting the first sentence as follows:
>>
>> This document describes a potential protocol extension involving the
>> addition of four new attributes to be used by server to provide support for
>> POSIX ACLs.
>>
>> *1. Introduction*
>>
>> I have problems with the first sentence which says that mapping was
>> attempted because of the semantic differences.   This implies that if there
>> were no semantic differences, mapping would  not have been attempted.  In
>> fact, it still would have been attempted but would have been sucessful.  I
>> would start the section with something like the following:
>>
>> In response to the very different over-the-wire formats, attempts have been made to map between these two sorts of ACLs.  However, because of the
>>
>> large number of semantic differences, implementation experience with mapping between NFSv4 and POSIX ACLs has not been completely successful.
>>
>>  For example, if a NFSv4 ACL is applied to a server file via SETATTR on a server that stores POSIX ACLs and then retrieved via
>>
>> GETATTR/READDIR, the ACL will often not be the same, since the mapping algorithm cannot do an exact mapping between them.
>>
>>
>> Suggest rewriting the last sentence of the last paragraph to read as
>> follows:
>>
>> In addition, issues related to the over-the-wire format of POSIX ACLs and the interactions among the various new attributes and with
>>
>> existing attributes are dealt with in this document.
>>
>>
>> *5.  POSIX ACL Considerations*
>>
>>
>> In the first sentence, you are stating a true fact, but you need to make some normative statement to follow up.
>>
>>
>> I assume that that would be that setting a POSIX ACL that does not follow that is invalid.
>>
>>
>> In the second paragraph, know what you mean, but it is not clear that a reader would.  Suggest the following:
>>
>>
>> In the who value within the posixace4 structure that appear in these new attributes, the field is interpreted as follows:
>>
>>
>>    - For ACEs whose tag field is POSIXACE4_TAG_USER or POSIXACE4_TAG_GROUP the who value is a UTF8-encoded Unicode string.
>>
>> that has the same format as a user or group as represented within other NFSv4 operations and designates the same entity.
>>
>> In these cases, the distinction between users and groups derives from the tag rather than a flag bit, as is done in NFSv4 ACLs.
>>
>> This in in contrast to how the corresponding structures are described in <xref target="Gr&#252;nbacher">, where numeric uids and gds are
>>
>> specified.
>>
>>
>>    - For ACEs whose tag field has other values, the who field is ignored by the receiver and there is no reason for the sender to set it to any
>>
>> particular value.
>>
>> With regards to the third paragraph, I no longer object to the result.  I had objected but you have made it clear why this is the way it is but that differs from what is in the document now.  Below I quote the existing paragraph with my comments interspersed.
>>
>> For POSIX ACLs, setting of the low order 9 bits of mode can change the ACL and setting of the POSIX access ACL can change the low order 9 bits of mode.
>>
>> This is true.
>>
>> As such, the ordering of setting the attributes related to mode and POSIX ACLs is important.
>>
>> It is certainly significant.
>>
>> Therefore, a client MUST not set the low order 9 bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document.
>>
>> I don't agree with the "therefore".
>>
>> This is required because [RFC8881] does not specify an ordering for setting attributes in a SETATTR operation.
>>
>> That is* NOT *true. There is nothing in rfc8881 that prevents you from
>> specifying an ordering as rfcs8881 does for NFSv4 ACLs.
>>
>> You are as free to specify an ordering as you are to specify that these are incompatible.
>>
>>
>> I suggest rewriting this to say something like the following:
>>
>>
>> A client MUST not set any of the nine-low order bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document.  Similarly, it MUST not set these together when creating a new file. These restrictions apply because:
>>
>>
>>    - Setting these together is not required by the POSIX interface.
>>    - To do so, would require dealing with difficult ordering issues left unaddressed by the existing definitionof SETATTR.
>>
>> For the last paragraph, I have the following editorial suggestions:
>>
>>
>>    - Suggest replacing "low order 9" by "low-order nine"
>>    - In the second sentence I suggest replacing "SHOULD" by "should".
>>    - In the third sentence suggest replacing "may use" by "can use".
>>    - In this last sentence suggest replacing "will avoid" by "would avoid"
>>
>>
>> *6.  POSIX ACL vs NFSv4 ACL Considerations*
>>
>>
>> In the first sentence of the second paragraph, suggest replace "a" with  "an".
>>
>>
>> Suggest rewriting the third paragraph as follows:
>>
>> For servers configured as described above, and not for any others,  the following apply:
>>
>> For the third bulleted item, propose rewriting it as two paragraphs like
>> the following.
>>
>> Using SETATTR to set a zero-length posix_default_acl or posix_access_acl (for a file object with a true form ACL of ACL_MODEL_POSIX_DRAFT)
>>
>> will delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE.
>>
>> Similarly, using  SETATTR to eliminate the authorization-related portions of the ACL for a file object with a true form ACL of ACL_MODEL_NFS4  will
>>
>> delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE.  This can occur when setting the sacl or dacl to an array of length
>>
>> zero or by settting the acl attribute to an array of ACEs  in which none are ALLOW or DENY ACEs.
>>
>>
>> Propose to add the following items to the existing list:
>>
>>    -
>>
>>    Using SETATTR to set a posix_default_acl or posix_access_acl of non-zero length (for a file object with a true form ACL of
>>
>>    ACL_MODEL_POSIX_DRAFT) will result in the object's acl model being
>>    set to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model
>>    had been  ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so
>>    that the value dacl attribute is a zero-length array.
>>    -
>>
>>    Using SETATTR to set the dacl attribute to an array of non-zero length or to st the acl attribute so that it contains one or more ALLOW or DENY ACEs
>>
>>    will result in the object's acl model being set to
>>    ACL_MODEL_POSIX_NFS4. In addition, if the object's acl model had
>>    been  ACL_MODEL_POSIX_DRAFT, the existing default and access ACLs ae
>>    to be deleted.
>>
>>
>>