IETF Logo Mail Archive

Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready

"J. Bruce Fields" <bfields@fieldses.org> Fri, 14 July 2006 20:28 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1UGo-00076D-VO; Fri, 14 Jul 2006 16:28:18 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1UGn-000768-Q5 for nfsv4@ietf.org; Fri, 14 Jul 2006 16:28:17 -0400
Received: from mail.fieldses.org ([66.93.2.214] helo=pickle.fieldses.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G1UGm-0008Vo-F3 for nfsv4@ietf.org; Fri, 14 Jul 2006 16:28:17 -0400
Received: from bfields by pickle.fieldses.org with local (Exim 4.62) (envelope-from <bfields@fieldses.org>) id 1G1UGg-0001wW-UL; Fri, 14 Jul 2006 16:28:10 -0400
Date: Fri, 14 Jul 2006 16:28:10 -0400
To: "Yoder, Alan" <agy@netapp.com>
Subject: Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Message-ID: <20060714202810.GM20999@fieldses.org>
References: <992BA60650F1584BA63E339312CE42030595891C@exsvl02.hq.netapp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <992BA60650F1584BA63E339312CE42030595891C@exsvl02.hq.netapp.com>
User-Agent: Mutt/1.5.11+cvs20060403
From: "J. Bruce Fields" <bfields@fieldses.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 25620135586de10c627e3628c432b04a
Cc: Sam.Falkner@sun.com, wurzl_mario@emc.com, nfsv4@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Errors-To: nfsv4-bounces@ietf.org

On Fri, Jul 14, 2006 at 01:05:13PM -0700, Yoder, Alan wrote:
>    The hell comes from having to explain this on the phone
> to mystified customers.

Understood.

>    But it sounds like you're telling me an admin will
> never be able to see different permissions on files depending
> on what OS she happens to be looking at them with.  Is that
> correct?

It's not the OS so much as the ACL model.  Depending on what you and
your clients support, users may be looking at:

	1. Windows ACLs (over CIFS)
	2. Pure NFSv4 ACLs
	3. Pure NFSv4 ACLs with the mask attributes as proposed by Andreas
	   to make them meet POSIX requirements.
	4. "POSIX" draft ACLs, which their client got either from the v2/v3
	   sideband protocol or which they got as NFSv4 ACLs and then
	   translated (with or without the help of the new mask attributes.)
	5. mode bits

Obviously these can't all be identical.

But they should all be have the same meaning to the extent allowed,
hopefully erring on the side of showing users more permissive
permissions than are really enforced.

Of course, they're all going to encounter the same effective
permissions, because those are enforced at the server.

To expand on the specific example above: if a user of ACL model #3 sees:

	group_class_mask READ
	OWNER@    ALLOW  READ+WRITE
	bfields   ALLOW  READ+WRITE
	GROUP@    ALLOW  READ
	EVERYONE@ ALLOW  READ

then a user of ACL model #1 will see:

	OWNER@    ALLOW  READ+WRITE
	bfields   ALLOW  READ
	GROUP@    ALLOW  READ
	EVERYONE@ ALLOW  READ

The two determine identical access--the first model just gives some
extra information about what will happen on chmod.

The extra complexity introduced by the mask ACL may be nothing compared
to what you've got if you're already supporting the old sideband NFS ACL
protocol, mode bits, and v4/windows ACLs.  But it's still extra
complexity, so it's reasonable to ask whether it's worth it.

But keep in mind that if you're dealing with clients doing POSIX ACL
translation than currently you're seeing ACLs that look like

	OWNER@    ALLOW  READ
	OWNER@    DENY   everything but READ
	bfields   DENY   everything but READ
	bfields   ALLOW  READ+WRITE
	bfields   DENY   everything but READ+WRITE
	GROUP@    DENY   everything but READ
	GROUP@    ALLOW  READ
	GROUP@    DENY   everything but READ
	EVERYONE@ ALLOW  READ
	EVERYONE@ DENY   everything but READ

...and that's leaving out all the details of which mode bits are
*really* being set.  So anything that helps us get away from that kind
of stuff will be welcomed....

--b.

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email