[nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02
Rick Macklem <rick.macklem@gmail.com> Fri, 09 August 2024 22:25 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC47DC180B71 for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mrhg1Qx5mSK for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:25:56 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF413C137362 for <nfsv4@ietf.org>; Fri, 9 Aug 2024 15:25:56 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-2cb4b6ecb3dso1977243a91.3 for <nfsv4@ietf.org>; Fri, 09 Aug 2024 15:25:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723242356; x=1723847156; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Yjk7tcVq6CTSjjQ+vGrgG6ofABEXViCCQ2/vy+LxiQg=; b=mB/p6MDY9BUD81CQ86uRG48qfR7dGJSl8qOCY1a+0KDHNKJiaigeHX9U/Oku4u+SQP 4xCNw6saWTVJMKKbtK4tcxXTvnIg/iFx7TAKU0TtN8LWKEBpOWpf9DPXE9QBxnwbY0Mh DFZFpRdCsAquw88ICxJpgfKJCfXZNIqzuST2OeHbGTDvzd3+gSdyOMw/kX003N7KaOv1 KUtvmWsrWWC4h+oQmdvVZCxYpFJR+Iedsu7EjybY3FEIQj51vGM/BLmjUvwI1VUzC+lf WIgSqdWxQzFfXcPi9AhCK836LdAz9eT+1UvWQJpETPr1Sh0fpJrZlYw91y6l76YhKllZ euvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723242356; x=1723847156; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Yjk7tcVq6CTSjjQ+vGrgG6ofABEXViCCQ2/vy+LxiQg=; b=rUPxV6niHBrlmHnK10b1qSCPYbqCpKt9nIRMDmrlu5LeAIgNjzANUVFlRSomdOfymr E9wuTksjYnMWeuUe+zqZURzDQ/59GVWcMmUAyKrPnzpNHYTgzfDHh6UFi08miT6+jdiH LbW6bjb5jkTodF+vpZbuTDngWXi2jVJeIABXvni2W5zkmKf9UeYPJ9ssGD4bffHt55JE 55D29J/Km25nGWcs8+8Js+27s0DN7fHFh5Vrn2yby1sqLP8qnZUhUbPGtPxKohxYTreN 4Zpj/Sn+XnY+42/Hz4IH+Va/CG9Dz+lazv69kwxzQydosYgpJ25H/pWFG4eoNCyHFVj+ 5ZYg==
X-Gm-Message-State: AOJu0YzkWZUPduZkrdrgNnNobuLywB3UKCbV5M+GrFDrKKjRtrANkR5+ 9Ald4Z+UWhv1+t62U3F/UPkQU2TjVFsIGnt1NVEz/jY613qTUG7fIuymD2CdTjGtjQfIlr691MI fTPgljfSvZF5MofKf+j8qz8fxQg==
X-Google-Smtp-Source: AGHT+IE9TeLM7BrPzUpdmEfohlfe3dgIWO42zuiilPpc4TQkLTdBMLteCvKxsxtMf9Po0f6/ZzKfK82iroluy5orJyI=
X-Received: by 2002:a17:90a:9c5:b0:2c9:9f50:3f9d with SMTP id 98e67ed59e1d1-2d1e7f99f38mr3067859a91.5.1723242355745; Fri, 09 Aug 2024 15:25:55 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com> <CAM5tNy5kkGGCYSdfthZ419tv1OoA18y6rjkCkxzS+=VqH1w47Q@mail.gmail.com>
In-Reply-To: <CAM5tNy5kkGGCYSdfthZ419tv1OoA18y6rjkCkxzS+=VqH1w47Q@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 09 Aug 2024 15:25:45 -0700
Message-ID: <CAM5tNy5S6hyRaZgHDfiND-f4_kLYa_eViWnL9qO1NX0xd1K1ZQ@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000079ecea061f47a0c9"
Message-ID-Hash: DURKZQTDWGRYYR5JO2IITLW3VGOIJGE3
X-Message-ID-Hash: DURKZQTDWGRYYR5JO2IITLW3VGOIJGE3
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/EAudwG8-bkekfQ4UAFfzoXYpZr0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
I have updated the draft yet again to -04. Hopefully this is it for a while. The changes were: - Added a short section w.r.t. atomicity of the ACL related attributes for GETATTR/READDIR vs SETATTR. - Fixed a few typos introduced in the last revision. - Reworded one case so that it now says that "if the acl_truform is ACL_MODEL_NONE, the posix_access_acl MUST be returned 0 length". rick On Wed, Aug 7, 2024 at 4:15 PM Rick Macklem <rick.macklem@gmail.com> wrote: > I have updated the draft to draft-rmacklem-nfsv4-posix-acls-03. > I think I have addressed all the comments in David's review. > > There are a few substantive changes: > - The draft no longer refers to the setting of a 0 length NFSv4 > ACL. (It appears that a 0 length NFSv4 ACL may just be a NFSv4 > with no permissions. This is different from an erased Windows/SMB ACL, > which was what I was using a 0 length NFSv4 ACL for.) > - I changed the ordering of setting mode vs POSIX ACL to defining the > order if they are in the set of setable attributes. > - I think I now refer to mode/mode_set_masked/mode_umask correctly > and require support of mode_umask and mode for this extension. > - When a NFSv4 ACL is being replaced by a POSIX ACL, it now notes that > the allow/deny ACEs will be deleted, so that the audit/alarm ACEs > remain intact. > - It now allows a SETATTR to flip between NFSv4 and POSIX ACLs when > the scope is ACL_SCOPE_FILE_OBJECT. (The old draft restricted that.) > > Thanks go to David Noveck for his review. > > rick > > > On Tue, Aug 6, 2024 at 8:26 AM David Noveck <davenoveck@gmail.com> wrote: > >> *Overall Evaluation * >> >> In good shape. There are a few non-editorial issues that need to be >> dealt with but not many. >> >> I am prepared to support working group adoption as soon as the author is >> ready to deal with the inevitable requests for a completion date. >> >> Based on what I have seen so far, I am planning to refocus work on >> acls-05. I had been hoping to enhance the NFSv4 ACL model so that the >> POSIX ACL model could be a submodel. As I read Andreas' document, this >> kept getting more and more difficult and it now appears that, with the >> document being reviewed, we have a reasonable path out of the existing ACL >> mess 😳 >> >> *General Issues* >> >> *Dealing with Sacls* >> >> There are a number of places where sacls are treated as parts of acls. >> They shouldn't be and I will discuss below ways of having posix acls >> co-exist with use of the parts of NFSv4 ACLs that are not related to >> authorization. >> >> *Interaction with Existing ACL Attributes* >> >> There are some missing cases in the list in *6. POSIX ACL vs NFSv4 ACL >> Considerations.* The existing treatment which deals only with deleting >> ACLs does not address issues involving creating new ACLs of either type. >> >> *Ordering Issues* >> >> My issues with the substance of the attribute ordering restrictions have >> been addressed but I still have issues with the stated justification. See 5. >> POSIX ACL Considerations for details. >> >> >> *Per-section Issues* >> >> *Abstract * >> >> Suggest rewriting the first sentence as follows: >> >> This document describes a potential protocol extension involving the >> addition of four new attributes to be used by server to provide support for >> POSIX ACLs. >> >> *1. Introduction* >> >> I have problems with the first sentence which says that mapping was >> attempted because of the semantic differences. This implies that if there >> were no semantic differences, mapping would not have been attempted. In >> fact, it still would have been attempted but would have been sucessful. I >> would start the section with something like the following: >> >> In response to the very different over-the-wire formats, attempts have been made to map between these two sorts of ACLs. However, because of the >> >> large number of semantic differences, implementation experience with mapping between NFSv4 and POSIX ACLs has not been completely successful. >> >> For example, if a NFSv4 ACL is applied to a server file via SETATTR on a server that stores POSIX ACLs and then retrieved via >> >> GETATTR/READDIR, the ACL will often not be the same, since the mapping algorithm cannot do an exact mapping between them. >> >> >> Suggest rewriting the last sentence of the last paragraph to read as >> follows: >> >> In addition, issues related to the over-the-wire format of POSIX ACLs and the interactions among the various new attributes and with >> >> existing attributes are dealt with in this document. >> >> >> *5. POSIX ACL Considerations* >> >> >> In the first sentence, you are stating a true fact, but you need to make some normative statement to follow up. >> >> >> I assume that that would be that setting a POSIX ACL that does not follow that is invalid. >> >> >> In the second paragraph, know what you mean, but it is not clear that a reader would. Suggest the following: >> >> >> In the who value within the posixace4 structure that appear in these new attributes, the field is interpreted as follows: >> >> >> - For ACEs whose tag field is POSIXACE4_TAG_USER or POSIXACE4_TAG_GROUP the who value is a UTF8-encoded Unicode string. >> >> that has the same format as a user or group as represented within other NFSv4 operations and designates the same entity. >> >> In these cases, the distinction between users and groups derives from the tag rather than a flag bit, as is done in NFSv4 ACLs. >> >> This in in contrast to how the corresponding structures are described in <xref target="Grünbacher">, where numeric uids and gds are >> >> specified. >> >> >> - For ACEs whose tag field has other values, the who field is ignored by the receiver and there is no reason for the sender to set it to any >> >> particular value. >> >> With regards to the third paragraph, I no longer object to the result. I had objected but you have made it clear why this is the way it is but that differs from what is in the document now. Below I quote the existing paragraph with my comments interspersed. >> >> For POSIX ACLs, setting of the low order 9 bits of mode can change the ACL and setting of the POSIX access ACL can change the low order 9 bits of mode. >> >> This is true. >> >> As such, the ordering of setting the attributes related to mode and POSIX ACLs is important. >> >> It is certainly significant. >> >> Therefore, a client MUST not set the low order 9 bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document. >> >> I don't agree with the "therefore". >> >> This is required because [RFC8881] does not specify an ordering for setting attributes in a SETATTR operation. >> >> That is* NOT *true. There is nothing in rfc8881 that prevents you from >> specifying an ordering as rfcs8881 does for NFSv4 ACLs. >> >> You are as free to specify an ordering as you are to specify that these are incompatible. >> >> >> I suggest rewriting this to say something like the following: >> >> >> A client MUST not set any of the nine-low order bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document. Similarly, it MUST not set these together when creating a new file. These restrictions apply because: >> >> >> - Setting these together is not required by the POSIX interface. >> - To do so, would require dealing with difficult ordering issues left unaddressed by the existing definitionof SETATTR. >> >> For the last paragraph, I have the following editorial suggestions: >> >> >> - Suggest replacing "low order 9" by "low-order nine" >> - In the second sentence I suggest replacing "SHOULD" by "should". >> - In the third sentence suggest replacing "may use" by "can use". >> - In this last sentence suggest replacing "will avoid" by "would avoid" >> >> >> *6. POSIX ACL vs NFSv4 ACL Considerations* >> >> >> In the first sentence of the second paragraph, suggest replace "a" with "an". >> >> >> Suggest rewriting the third paragraph as follows: >> >> For servers configured as described above, and not for any others, the following apply: >> >> For the third bulleted item, propose rewriting it as two paragraphs like >> the following. >> >> Using SETATTR to set a zero-length posix_default_acl or posix_access_acl (for a file object with a true form ACL of ACL_MODEL_POSIX_DRAFT) >> >> will delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE. >> >> Similarly, using SETATTR to eliminate the authorization-related portions of the ACL for a file object with a true form ACL of ACL_MODEL_NFS4 will >> >> delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE. This can occur when setting the sacl or dacl to an array of length >> >> zero or by settting the acl attribute to an array of ACEs in which none are ALLOW or DENY ACEs. >> >> >> Propose to add the following items to the existing list: >> >> - >> >> Using SETATTR to set a posix_default_acl or posix_access_acl of non-zero length (for a file object with a true form ACL of >> >> ACL_MODEL_POSIX_DRAFT) will result in the object's acl model being >> set to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model >> had been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so >> that the value dacl attribute is a zero-length array. >> - >> >> Using SETATTR to set the dacl attribute to an array of non-zero length or to st the acl attribute so that it contains one or more ALLOW or DENY ACEs >> >> will result in the object's acl model being set to >> ACL_MODEL_POSIX_NFS4. In addition, if the object's acl model had >> been ACL_MODEL_POSIX_DRAFT, the existing default and access ACLs ae >> to be deleted. >> >> >>
- [nfsv4] Review of draft-rmacklem-nfsv4-posix-acls… David Noveck
- [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-… Rick Macklem
- [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-… Rick Macklem