IETF Logo Mail Archive

[nfsv4] Re: Feedback on user ID for any bis work

Rick Macklem <rick.macklem@gmail.com> Sat, 17 August 2024 19:06 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FDF3C14F5F6 for <nfsv4@ietfa.amsl.com>; Sat, 17 Aug 2024 12:06:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ECHzRn33PGE for <nfsv4@ietfa.amsl.com>; Sat, 17 Aug 2024 12:06:04 -0700 (PDT)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABBEAC14F5EB for <nfsv4@ietf.org>; Sat, 17 Aug 2024 12:06:04 -0700 (PDT)
Received: by mail-pj1-x102e.google.com with SMTP id 98e67ed59e1d1-2d3d58d6e08so1891529a91.3 for <nfsv4@ietf.org>; Sat, 17 Aug 2024 12:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723921564; x=1724526364; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=imMYdDSFPpnzy2dCfQ4rzKGvzmGyFKzP8/o0TQH5JkM=; b=WNm1e0hzQomXbeDbfglot1kefS4MQnrUFJ+EkSUSbHeOay7sYdlO4IxHwWBzY0v0jK TFin2TtJrqGShT7YEwDvpnaXbK7X/utJXaOFdY4aGkNS3jo+IPfOdR5wTENvw8pVh2fm evhvWrG/35rl4RaxTNQtcEGsciiAzX57l7BvqwJKUznCCNQZqho/ApO7efDbkHon4fsu vkoMq0HqceMWY0d236cUbTeMmyqBcfBeNBi08DdwVEspQvVwdlMqg3EzGV9pn6Sm0fqL xMojxetohWotreqkVl1Rss7BT5E5tzabVxXd31O71y/TqeEfkHD5VRmw757prCCu3GzA Ra1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723921564; x=1724526364; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=imMYdDSFPpnzy2dCfQ4rzKGvzmGyFKzP8/o0TQH5JkM=; b=wOwwijwnXpNYWFNvyEbBpK93xISy3Wi3/wHOEP5jsl7mRwdcrXkZGBAAWwAUob22NK VYByZnzNk8LUqS3idUY473eJcDWoPML9JooH9kVO9QaAvxG8YPsqJmLuytpchu9u/mQv zFo5Ix+TZjHa0wd/SQ/aCVZsp/jEKHJ1Y9bqGpzqUNGUX0CSJINtlJBt1tmO4h8euSud puhEOE6sOHVdW4S5Ll4ej7K/aVjBoS0YjN/xLV9nIobkkyRtoFUQZmJr4yU1BJftDtAR GhrnT5JYwevpKbHSmC12h3Q6Yl+/wlv/YWcYf7K2XMaL6d3k8Ki/vpXBbErpZM1oJKqx 8Zfg==
X-Forwarded-Encrypted: i=1; AJvYcCXsB6h8KuJAvTdQe3Z9zBKTRY+Tv3mbtATcccsDNKuvVzZCsYudkchBv8auByGhxHBOmIxNAYaN5bk++pbA+Q==
X-Gm-Message-State: AOJu0YwN+qd5lX3xT2d8096a4TqH+hH61LXbQ5eEuMZ375YmYqSO81cT vmJicNjtBZApu3+DE97qM3aVsqRlUk6zAy53i9X5OXsIuR+CeIyWnKwahU+83bR3l7r9B3+8yg2 waZGvkBahwwz80O4E1pBpPLmoEwtA
X-Google-Smtp-Source: AGHT+IH0uRg6VHkyXgPs5yAyAUTkMk7p1nSaA761JOWJD8dsaMYsia7CsoVr/PPL4vtBHeZWENLEmZq1e1poX4+P9so=
X-Received: by 2002:a17:90a:cb8a:b0:2d3:d7be:f740 with SMTP id 98e67ed59e1d1-2d3e0968036mr7865245a91.39.1723921563837; Sat, 17 Aug 2024 12:06:03 -0700 (PDT)
MIME-Version: 1.0
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com> <CAM5tNy7ELwEbE5z_VMC0ghePcMzkHAcEJDs4skvnxH4XJpeWLA@mail.gmail.com> <B0F6BCDA-CAE6-4985-AC0D-9DCAAEF68241@cert.org> <8CAD9D90-489B-45AC-A52E-6800E6AA0EAE@oracle.com> <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org>
In-Reply-To: <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Sat, 17 Aug 2024 12:05:54 -0700
Message-ID: <CAM5tNy6EDNbjToQU7eo+0p8BEJsUbwJTOxx07mHL8N=70EtOGg@mail.gmail.com>
To: Chris Inacio <inacio@cert.org>
Content-Type: multipart/alternative; boundary="0000000000006eeb32061fe5c4ef"
Message-ID-Hash: CY3Q6TM2ISAGBFVU3GMUE2RQAN436I4A
X-Message-ID-Hash: CY3Q6TM2ISAGBFVU3GMUE2RQAN436I4A
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/GHMGCKfs1f-nv2qzrjPXF2g_Ueo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Fri, Aug 16, 2024 at 2:07 PM Chris Inacio <inacio@cert.org> wrote:

>
>
> > On Aug 16, 2024, at 4:42 PM, Chuck Lever III <chuck.lever@oracle.com>
> wrote:
> >
> > Warning: External Sender - do not click links or open attachments unless
> you recognize the sender and know the content is safe.
> >
> >
> >> On Aug 16, 2024, at 3:51 PM, Chris Inacio <inacio@cert.org> wrote:
> >>
> >>
> >>
> >>> On Aug 16, 2024, at 3:17 PM, Rick Macklem <rick.macklem@gmail.com>
> wrote:
> >>>
> >>> Warning: External Sender - do not click links or open attachments
> unless you recognize the sender and know the content is safe.
> >>>
> >>>
> >>>> On Fri, Aug 16, 2024 at 9:26 AM Chuck Lever III <chuck.lever=
> 40oracle.com@dmarc.ietf.org> wrote:
> >>>>
> >>>>
> >>>>> On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote:
> >>>>>
> >>>>> Dave, All,
> >>>>>
> >>>>> INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
> >>>>>
> >>>>> We need this super brief conversation in one of the interim meetings
> about how user identity is communicated across NFSv4, and there are 2
> options, UID/GID ‘integer's and then loosely defined ‘string’.  So I’ve
> been digging into this and I would say, most definitely, do NOT remove the
> string.  So what I can see so far, is that UID/GID numbers are used when
> auth ‘sys’ is the selected mechanism, where current the string is used when
> auth is tied to GSS-API.  As far as I can tell, the kerberos principal name
> should be the string in the field.  I certainly don’t yet have a full
> understanding about how everything is connected together.  (Just sending
> the principal is nice and everything, but you want to be able to verify it,
> and HOLY RAT HOLE ROBIN is that confusing in practice.)
> >>>>>
> >>>>> So, the thing I’m trying to make sense of, how hard would it be to
> support TLS identities (X.509 certs really) instead of Kerberos.
> >>>>
> >>>> A perhaps subtle distinction here:
> >>>>
> >>>> The current RPC-with-TLS protocol uses x.509 explicitly only for
> authenticating
> >>>> network peers (ie, hosts). RFC 9289 even says "not for user
> authentication". So
> >>>> I think the term "TLS" here is probably misplaced.
> >>>>
> >>>> You instead want to invent a new RPC security flavor or flavors that
> authenticates
> >>>> users (or, dare I say it, to extend GSSAPI to handle this for us) via
> an x.509
> >>>> certificate, or OAuth, or such like. Nothing to do with transport
> layer security,
> >>>> which doesn't know from users.
> >>> There is the specific case Chuck named "TLS identity squashing", where
> >>> the client's X.509 cert. identifies a single user for all RPCs done
> >>> via the TLS session.
> >>>
> >>> This works ok for cases where the client is just a single user, such
> >>> as a mobile device.
> >>>
> >>
> >> [ci] That’s really interesting.  I’ll have to look deeper at that.
> First order is that the tighter binding of user to host that allows that to
> work more easily?
> >
> > Rick implemented this for FreeBSD, and I have a plan to implement
> > this in Linux NFSD in a way that is hopefully compatible with his
> > implementation. It is merely a convention of adding a user identity
> > to the client certificate's SAN field; the receiving server then
> > squashes all RPC traffic from peers using that certificate to that
> > user ID.
> >
> > But I didn't mention it before because I assumed you were interested
> > in the more general multi-user case.
> >
>
> [ci] You’re right in that I’m primarily interested in the more general use
> case.  And I get some of the possible limitations / hiccups of the version
> you’re describing.  (Mount at boot before user auth, etc.)  If you add a
> field to the certificate, who and when is the signer?
>
> [ci] It might be more interesting about the “squashes all RPC traffic”
> part.  It seems a bit like a protocol hack, at first blush, to me.  But
> then I don’t understand NFS that deeply, so I could be /really/ off base on
> that point.  But even if it is, does that provide an avenue to think about
> how new/different auth might be achieved.
>
> [ci] Although back to your first point, to my current understanding of
> NFSv4, the "right way”* is most likely API extensions in GSS.  My thinking
> (at the moment) is that I would want to enable where auth is at today,
> especially if I think enterprise and things like hybrid clouds.  I guess
> that means things like OAUTH, SCIM(?), and still kerberos (and I guess add
> JWT/CWT).  What would make a seamless transition to accessing storage in
> the enterprise, being able to share to possibly local cloud compute, push
> up the cloud provider, extend to multi-cloud, and move back down allowing a
> client end point to have strong authentication and authorization across
> that.  And for bonus points, it would be /really/ nice to be able to
> smoothly grow up from 3 people in a “garage” to 1000 as an enterprise, and
> beyond.
>
> [ci] Free dinner on me if you and Rick have a prototype doing AA for that.
>
> [ci] I don’t know of any pain free strong AA solutions that I would want
> to run in my house.  I wish I could say that would be in scope - but I
> doubt my house compute / network is reasonable in 99% of the world's
> opinion.
>
>
> [ci] * - for some definition of right.
>
Once upon a time (over 20years ago) I recall asking "what does the domain
in owner
mean?". I think the response was something like "we are considering a new
DNS record
type for it".

Maybe this is worth visiting?
If there was a DNS record type (similar to MX for email) that provided IP
host address(es)
for a "user domain", then clients might be able to configure themselves
more easily?
For example, suppose the IP host address in the reply had a KDC and LDAP
server on it.
--> The client could configure Kerberos and LDAP to covert between
names<->numbers
    from that.
    --> Kerberos would still be needed, but the only work would be on the
server end.

Then there is the hassle of creating a Kerberos principal to be a machine
credential
for a client and creating/moving a keytab entry into the client.
--> For this one, I think that rfc5661bis might be able to fix the problem.
    Right now, RFC8881 specifies that SP4_MACH_CRED requires krb5i or krb5p.
    (Understandable, since that was all there was.)
    Now, RPC-over-TLS where the client provides a X.509 cert. during
handshake (mtls)
    should be sufficient to satisfy the requirements for SP4_MACH_CRED, I
think?
    (Then the machine principal could just be uid 0 over AUTH_SYS, since
the X.509
     cert. is the machine credential and TLS provides the on-the-wire
security.)
If you get rid of the need for a client to have a Kerberos keytab, all a
client
needs is a krb5.conf and a X.509 cert. If the krb5.conf can be created from
a DNS
"user domain" record, there is even less work.

Although I support ideas for alternatives to Kerberos for user
authentication, I
doubt they will be a lot simpler to setup/implement.

rick


> >
> > --
> > Chuck Lever
>
>
>

v2.38.3 | Report a Bug | By Email | System Status