Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
"J. Bruce Fields" <bfields@fieldses.org> Fri, 14 July 2006 20:28 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1UGo-00076D-VO; Fri, 14 Jul 2006 16:28:18 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1UGn-000768-Q5 for nfsv4@ietf.org; Fri, 14 Jul 2006 16:28:17 -0400
Received: from mail.fieldses.org ([66.93.2.214] helo=pickle.fieldses.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G1UGm-0008Vo-F3 for nfsv4@ietf.org; Fri, 14 Jul 2006 16:28:17 -0400
Received: from bfields by pickle.fieldses.org with local (Exim 4.62) (envelope-from <bfields@fieldses.org>) id 1G1UGg-0001wW-UL; Fri, 14 Jul 2006 16:28:10 -0400
Date: Fri, 14 Jul 2006 16:28:10 -0400
To: "Yoder, Alan" <agy@netapp.com>
Subject: Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Message-ID: <20060714202810.GM20999@fieldses.org>
References: <992BA60650F1584BA63E339312CE42030595891C@exsvl02.hq.netapp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <992BA60650F1584BA63E339312CE42030595891C@exsvl02.hq.netapp.com>
User-Agent: Mutt/1.5.11+cvs20060403
From: "J. Bruce Fields" <bfields@fieldses.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 25620135586de10c627e3628c432b04a
Cc: Sam.Falkner@sun.com, wurzl_mario@emc.com, nfsv4@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Errors-To: nfsv4-bounces@ietf.org
On Fri, Jul 14, 2006 at 01:05:13PM -0700, Yoder, Alan wrote: > The hell comes from having to explain this on the phone > to mystified customers. Understood. > But it sounds like you're telling me an admin will > never be able to see different permissions on files depending > on what OS she happens to be looking at them with. Is that > correct? It's not the OS so much as the ACL model. Depending on what you and your clients support, users may be looking at: 1. Windows ACLs (over CIFS) 2. Pure NFSv4 ACLs 3. Pure NFSv4 ACLs with the mask attributes as proposed by Andreas to make them meet POSIX requirements. 4. "POSIX" draft ACLs, which their client got either from the v2/v3 sideband protocol or which they got as NFSv4 ACLs and then translated (with or without the help of the new mask attributes.) 5. mode bits Obviously these can't all be identical. But they should all be have the same meaning to the extent allowed, hopefully erring on the side of showing users more permissive permissions than are really enforced. Of course, they're all going to encounter the same effective permissions, because those are enforced at the server. To expand on the specific example above: if a user of ACL model #3 sees: group_class_mask READ OWNER@ ALLOW READ+WRITE bfields ALLOW READ+WRITE GROUP@ ALLOW READ EVERYONE@ ALLOW READ then a user of ACL model #1 will see: OWNER@ ALLOW READ+WRITE bfields ALLOW READ GROUP@ ALLOW READ EVERYONE@ ALLOW READ The two determine identical access--the first model just gives some extra information about what will happen on chmod. The extra complexity introduced by the mask ACL may be nothing compared to what you've got if you're already supporting the old sideband NFS ACL protocol, mode bits, and v4/windows ACLs. But it's still extra complexity, so it's reasonable to ask whether it's worth it. But keep in mind that if you're dealing with clients doing POSIX ACL translation than currently you're seeing ACLs that look like OWNER@ ALLOW READ OWNER@ DENY everything but READ bfields DENY everything but READ bfields ALLOW READ+WRITE bfields DENY everything but READ+WRITE GROUP@ DENY everything but READ GROUP@ ALLOW READ GROUP@ DENY everything but READ EVERYONE@ ALLOW READ EVERYONE@ DENY everything but READ ...and that's leaving out all the details of which mode bits are *really* being set. So anything that helps us get away from that kind of stuff will be welcomed.... --b. _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www1.ietf.org/mailman/listinfo/nfsv4
- RE: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Noveck, Dave
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Lisa Week
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Spencer Shepler
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- RE: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… Noveck, Dave
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… J. Bruce Fields
- RE: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… Yoder, Alan
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… J. Bruce Fields
- RE: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… Yoder, Alan
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… J. Bruce Fields
- RE: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Noveck, Dave
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- RE: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Noveck, Dave
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- RE: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Noveck, Dave
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner