[nfsv4] Re: Our different approaches to draft POSIX ACL support in NFSv4
David Noveck <davenoveck@gmail.com> Fri, 26 July 2024 19:47 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC616C151990 for <nfsv4@ietfa.amsl.com>; Fri, 26 Jul 2024 12:47:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHAVczca3Vfw for <nfsv4@ietfa.amsl.com>; Fri, 26 Jul 2024 12:47:44 -0700 (PDT)
Received: from mail-oo1-xc36.google.com (mail-oo1-xc36.google.com [IPv6:2607:f8b0:4864:20::c36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62FC2C151983 for <nfsv4@ietf.org>; Fri, 26 Jul 2024 12:47:44 -0700 (PDT)
Received: by mail-oo1-xc36.google.com with SMTP id 006d021491bc7-5d5c324267aso694668eaf.0 for <nfsv4@ietf.org>; Fri, 26 Jul 2024 12:47:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722023263; x=1722628063; darn=ietf.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VX2qwSx88jacw7bmkm74vi3ZohTVdAGi3AyiXeI/UTw=; b=TUmjVlfCWun2ECnYphnemkciW9r6FChIe/sNn+4MVosjmYBvsE66ABg+qmpZOgeyAS byfch6onx9FxJjbV76cg2WcKzNi+Msd7ccRRc3Sy9dKx4kt29u76zXGQHk3tPcqMg1e9 mCclfLpA2LENr9/nfLr4/l3fl6MhVeIGOkpHQmBPajq7sgm/62GiMVoKWsgB5fUmnpj4 aARLZEjiZhM5KAQrJVPqjToPlM7p+0gJqKWvrgsxI6lNY3aoVOYGFbzsHiPVMozXPAO+ KU4Vp4yDM7UgHX3A6lzOYMEDx/Z3sIr+6xy2BAkOOJbW46XsLdn3Zm/ZGr1WNFxM3UqI sQHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722023263; x=1722628063; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VX2qwSx88jacw7bmkm74vi3ZohTVdAGi3AyiXeI/UTw=; b=IqBrOHhnTo0NjUnPGvjKust2pKEy9+6zzB54G2s5v71W3buXZ6e0JOlaBngjLAGG23 hOpTtaEZ83+AaLl1CXXcGeIxstJTBEt4HDGCjpMuxfe1FxKQJlOEDp1qYUNOnEv7fAcF NBKNJg8/DHQZPD761RBURYkvBLkP7Nr0cI+Yx/5sI2Sew0Nu1MIOMf5kmRwxYuhYnC+8 96lI+pXT/gknpk8eNiTgV/9c/aMFP6SqblM9/vad8dmCA+yA3jT8hGj3WuRR0cGWOpv7 RXPis8tfta0XF0EXBynQ/04wz9JzQxJZiRqHA5vKoNCRzUGmoubm7Z/moUMBGH38qv97 3A1Q==
X-Forwarded-Encrypted: i=1; AJvYcCWudsMl4JKt5cdfcX83ldrm/bPnA0QLglt32Xfq1VASJwMe6pXgJZfwpBD7S99CAI5m0GWSLLtaBcQR0gFSdw==
X-Gm-Message-State: AOJu0Yzt7c+mygDvx/Gqq79HnySBdmGVH2MNZ0y0GpWTqPNaGsuohG0I IhumZ1kRL4sjFCL8CA5UEbJmQSgaieQ5Tmyga+2QTgDIa6+zRe6/a4UtRgn8RmkJK94I/2HYgux hSA9dhq32ohZhgYgZ0dhEvAlX1TA=
X-Google-Smtp-Source: AGHT+IGmCuJnLSGY2ORdAUxgwuuJSLopN8Wd1S4o7mSdz7iQfgVbCMNapcu2049t5Jxunga9rHZ0UgN9gYAeyUvtySc=
X-Received: by 2002:a05:6358:490e:b0:1aa:c71e:2b5b with SMTP id e5c5f4694b2df-1adce46452amr109227355d.19.1722023263432; Fri, 26 Jul 2024 12:47:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a05:6214:2b0b:b0:6b5:7c7d:352c with HTTP; Fri, 26 Jul 2024 12:47:42 -0700 (PDT)
In-Reply-To: <F7648EA3-E6A1-4741-85EF-C73801E703D0@oracle.com>
References: <CADaq8jdvZ5pcFNN5zjuVHLTO30v9=2kYKzFdRxxbkTmHYZdTdA@mail.gmail.com> <CAM5tNy7Fw954gCzYHCTjRg7th_njSHhxznni48Zz4xsSXT631A@mail.gmail.com> <53DAEF45-2A4D-4066-97C2-7B09018DE99B@oracle.com> <CAM5tNy6a4ZG90i2ugXzuPqQ1zrsK9m8jLRKmv9VpnFG6m_Pqew@mail.gmail.com> <DD250FBD-A434-4294-818A-5728757CE032@oracle.com> <d1c538065728c17df66a6f9e79e55d90849fc866.camel@gmail.com> <D352FEB9-A487-4B3E-9BC8-DB2C1896F941@oracle.com> <8efc39289ecef97624622cfc431f890736b579a0.camel@hammerspace.com> <33FA1D6E-73B3-43A1-B65C-D806156E39A5@oracle.com> <cf8a48e517210512755455dd78352ae5b64f7949.camel@hammerspace.com> <449AF448-1471-47CD-B5C5-3A3A5FB9FB12@oracle.com> <2e32694382df3e70a93edcf40434a41729031e55.camel@hammerspace.com> <83c39a7b12c05b0f1a0fa6e069b08e399864277a.camel@hammerspace.com> <CADaq8jfw1FVH3dxOEJAZLrw_S5y2F6eaGkcfpha4X8BBNWgRSQ@mail.gmail.com> <6903782a95875541489844e33541114f0bf01acb.camel@hammerspace.com> <CADaq8jdFYo_DtRxS3h17dyQSFqXeoR60OjsjMM=o35HDg8ZnNg@mail.gmail.com> <855662e75c4433042fd9875c2c9c5d0244c929da.camel@hammerspace.com> <CADaq8jdZzqt-bXB4YsO=R2qpT9MNfwvSAJyBJng1qjGFTn2tbw@mail.gmail.com> <CAM5tNy5oVnyP66fzZsQXnNQcTYtpQaR59Q6io92F4LX74gPivQ@mail.gmail.com> <7FAE51A2-6E14-412F-8B0A-AC617AE4173B@oracle.com> <CADaq8je9VqYoe8StfezCNjYPD3-dGmbz-zNSO51RBmfzCPcgeA@mail.gmail.com> <F7648EA3-E6A1-4741-85EF-C73801E703D0@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 26 Jul 2024 15:47:42 -0400
Message-ID: <CADaq8je7pWo2wc+XzLW2RB-Ujv7QuB5DRNVW7aUx_FYdzmC3fg@mail.gmail.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Content-Type: multipart/alternative; boundary="000000000000e97f06061e2bc859"
Message-ID-Hash: T6ZFPAR3QLNICKNA4T7PBQHHKJA76Z6K
X-Message-ID-Hash: T6ZFPAR3QLNICKNA4T7PBQHHKJA76Z6K
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Trond Myklebust <trondmy@hammerspace.com>, Bruce Fields <bfields@fieldses.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Our different approaches to draft POSIX ACL support in NFSv4
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/FDV0Mc0GD4Usyxf31Y9IQF1YJ8U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Friday, July 26, 2024, Chuck Lever III <chuck.lever@oracle.com> wrote: > > > > On Jul 25, 2024, at 3:36 PM, David Noveck <davenoveck@gmail.com> wrote: > > > > On Thursday, July 25, 2024, Chuck Lever III <chuck.lever@oracle.com> > wrote: > > > >> I agree there should be one per file, > > > > Definitely. > > > >> and that the server's > >> local file system should determine which type of ACL it can > >> support. > > > > I would think it determines the set of types it an support. This can > be ofen will be a singleton or the null set. > > > >> (I don't envision a scenario where one file system > >> could support multiple types of ACLs). > >> > > I consider it unfortunate that your vision is so limited. > > > > I expect to face the issue in the near future since Netapp supports a > considerable portion of the NFSv4 ACL model and will want to support the > draft POSIX ACL. > > > > I don't think it is reasonable to tell users that they have to get rid > of their existing ACLs in order to allow them to use draft POSIX ACLs. > > Hopefully this can shed a little light on the use case > that Linux NFSD might prefer -- I'm not denigrating any > other usage scenarios. > > For Linux NFSD, its local file systems can store only > POSIX ACLs. > > In order to provide broad compatibility with existing > and new clients, I'm thinking that NFSD will provide > GET/SETATTR capabilities that allow clients to see both > a mapped NFSv4 ACL and a POSIX ACL per file; the mapped > ACL will be created from the stored POSIX ACL to satisfy > GETATTR requests, and access authorization decisions will > be based on the stored POSIX ACL, as I believe NFSD does > today. As a said before, the sacl case need to be dealt with also. Since there are no POSIX sacls, this winds up meaning that the allow and alarm ACEs are only part of the NFSv4 ACL model. Probably Linux clients and servers will not deal with such ACEs. BTW, this is another illustration of how ludicrous it was to call such attributes "RECOMMENDED". Switching it to OPTIONAL is a move toward sanity. > > NFSD will map incoming NFSv4 ACLs to POSIX ACLs before > storing them. You need to deal with the cae of those that are not mappable. There are some suggestions about this in acls-05. > > Storing either type of ACL will wholly > replace the POSIX ACL that is already there. Yes. > > > -- > Chuck Lever > > >
- [nfsv4] Our different approaches to draft POSIX A… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Chris Inacio
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Chris Inacio
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… Chris Inacio
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Chris Inacio
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… Trond Myklebust
- [nfsv4] Re: Our different approaches to draft POS… Christoph Hellwig
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Chuck Lever III
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem
- [nfsv4] Re: Our different approaches to draft POS… David Noveck
- [nfsv4] Re: Our different approaches to draft POS… Rick Macklem