[nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02
Rick Macklem <rick.macklem@gmail.com> Wed, 07 August 2024 23:15 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71712C14F605 for <nfsv4@ietfa.amsl.com>; Wed, 7 Aug 2024 16:15:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xIUkeX7euRL for <nfsv4@ietfa.amsl.com>; Wed, 7 Aug 2024 16:15:50 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C67AC14F603 for <nfsv4@ietf.org>; Wed, 7 Aug 2024 16:15:50 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id 98e67ed59e1d1-2cdadce1a57so345998a91.2 for <nfsv4@ietf.org>; Wed, 07 Aug 2024 16:15:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723072550; x=1723677350; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=x9DsUwZVhnPHFU1YVfVGr5Wt/G6bPWsEVhpkn+1xWwc=; b=DBC1NcUNsZSN7Fkmj7144QNS0o8nNUkdKLmPRoMIX5e/m7GGgITSxgS8e6VUgMhD2v oRyRDfn+UnXPAwNC7mLRPirDpP7Zd7c9k7m9/xS70HX3r2cGrcZxG25qxf7MmvLLtgrm Vs5o60cT+KIR1NXSWuGujHYhnatkRI0KKBNNLGSgWQ1BM2btpHuyON9zYo2PPNwr4KvS B5nVlS+g+7g0EzOzsgVaaldykNio0i4gFmsDSuk1n2wTalokpCD/SV/gTSLhR6W++P5j kcg1lsTGGOZy2DoaS76aqBnoJ/2XilN5/Fq2P+3fYYkG69eNv4A0iOYkEfdnDhfBgETE 9UdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723072550; x=1723677350; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=x9DsUwZVhnPHFU1YVfVGr5Wt/G6bPWsEVhpkn+1xWwc=; b=IGLI4n1CaZSZyEZl65IJ3spt4b8cOu1pXAeab9sIwR6TUZqZwuvVbrBD3YnZ7MC/Lx Eh3WFab5qvRGAgtsLqBDHMntZiNO24JynfJTqyPBqXptyF0+GQa6XhA2tggHdHNdTXth Q3p2lOwFJNKlNK9q9yXSQ748zi3S43FCz+P/OicGEPF/v+p5GOuO5vA18Z7Fmc/hNchE bJpvsTDU/2XE5j33dYjAr1PNVtt8bl9VP0Mdc73XouUI6A/uy7JQvSEzWE82hX7MjsFW XO36g55P+DV/5eURv9kg2Ib4traTz6gRcn3y2r6Epd0ExLfNA6aC9YZbxjuvJtuy99Z6 s/NQ==
X-Gm-Message-State: AOJu0YzhwqzFK6DNn9bRefZmNltiIoHu5Uk+P9SauP8JOCYdReK2okDp zdkmwvGOuFcoWBkaXxjfb4h9/o1bmz0fzokwnYuq1VzNWenfljZBLY+fOUrkpwXNy9KBU6dRyEG SdWPxT4TVPSxOmZOcfvNkd6AhOQ==
X-Google-Smtp-Source: AGHT+IF44S9gBXqUWHPOQSef4xO9Qr5HJau6PQmxMZvUqn1WQDc8aREuszk6DxsyUn6uIoN1K85doFFeziKfWPjtizc=
X-Received: by 2002:a17:90b:1e51:b0:2bf:8824:c043 with SMTP id 98e67ed59e1d1-2d1c33ae989mr164430a91.18.1723072549640; Wed, 07 Aug 2024 16:15:49 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com>
In-Reply-To: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Wed, 07 Aug 2024 16:15:39 -0700
Message-ID: <CAM5tNy5kkGGCYSdfthZ419tv1OoA18y6rjkCkxzS+=VqH1w47Q@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003e6403061f20173f"
Message-ID-Hash: ENNFVXV3FXNP2YOGIUAOARBI432XGNNW
X-Message-ID-Hash: ENNFVXV3FXNP2YOGIUAOARBI432XGNNW
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/HPl2iZ9fjrLH0VfxVRXRkSVXP0s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
I have updated the draft to draft-rmacklem-nfsv4-posix-acls-03. I think I have addressed all the comments in David's review. There are a few substantive changes: - The draft no longer refers to the setting of a 0 length NFSv4 ACL. (It appears that a 0 length NFSv4 ACL may just be a NFSv4 with no permissions. This is different from an erased Windows/SMB ACL, which was what I was using a 0 length NFSv4 ACL for.) - I changed the ordering of setting mode vs POSIX ACL to defining the order if they are in the set of setable attributes. - I think I now refer to mode/mode_set_masked/mode_umask correctly and require support of mode_umask and mode for this extension. - When a NFSv4 ACL is being replaced by a POSIX ACL, it now notes that the allow/deny ACEs will be deleted, so that the audit/alarm ACEs remain intact. - It now allows a SETATTR to flip between NFSv4 and POSIX ACLs when the scope is ACL_SCOPE_FILE_OBJECT. (The old draft restricted that.) Thanks go to David Noveck for his review. rick On Tue, Aug 6, 2024 at 8:26 AM David Noveck <davenoveck@gmail.com> wrote: > *Overall Evaluation * > > In good shape. There are a few non-editorial issues that need to be > dealt with but not many. > > I am prepared to support working group adoption as soon as the author is > ready to deal with the inevitable requests for a completion date. > > Based on what I have seen so far, I am planning to refocus work on > acls-05. I had been hoping to enhance the NFSv4 ACL model so that the > POSIX ACL model could be a submodel. As I read Andreas' document, this > kept getting more and more difficult and it now appears that, with the > document being reviewed, we have a reasonable path out of the existing ACL > mess 😳 > > *General Issues* > > *Dealing with Sacls* > > There are a number of places where sacls are treated as parts of acls. > They shouldn't be and I will discuss below ways of having posix acls > co-exist with use of the parts of NFSv4 ACLs that are not related to > authorization. > > *Interaction with Existing ACL Attributes* > > There are some missing cases in the list in *6. POSIX ACL vs NFSv4 ACL > Considerations.* The existing treatment which deals only with deleting > ACLs does not address issues involving creating new ACLs of either type. > > *Ordering Issues* > > My issues with the substance of the attribute ordering restrictions have > been addressed but I still have issues with the stated justification. See 5. > POSIX ACL Considerations for details. > > > *Per-section Issues* > > *Abstract * > > Suggest rewriting the first sentence as follows: > > This document describes a potential protocol extension involving the > addition of four new attributes to be used by server to provide support for > POSIX ACLs. > > *1. Introduction* > > I have problems with the first sentence which says that mapping was > attempted because of the semantic differences. This implies that if there > were no semantic differences, mapping would not have been attempted. In > fact, it still would have been attempted but would have been sucessful. I > would start the section with something like the following: > > In response to the very different over-the-wire formats, attempts have been made to map between these two sorts of ACLs. However, because of the > > large number of semantic differences, implementation experience with mapping between NFSv4 and POSIX ACLs has not been completely successful. > > For example, if a NFSv4 ACL is applied to a server file via SETATTR on a server that stores POSIX ACLs and then retrieved via > > GETATTR/READDIR, the ACL will often not be the same, since the mapping algorithm cannot do an exact mapping between them. > > > Suggest rewriting the last sentence of the last paragraph to read as > follows: > > In addition, issues related to the over-the-wire format of POSIX ACLs and the interactions among the various new attributes and with > > existing attributes are dealt with in this document. > > > *5. POSIX ACL Considerations* > > > In the first sentence, you are stating a true fact, but you need to make some normative statement to follow up. > > > I assume that that would be that setting a POSIX ACL that does not follow that is invalid. > > > In the second paragraph, know what you mean, but it is not clear that a reader would. Suggest the following: > > > In the who value within the posixace4 structure that appear in these new attributes, the field is interpreted as follows: > > > - For ACEs whose tag field is POSIXACE4_TAG_USER or POSIXACE4_TAG_GROUP the who value is a UTF8-encoded Unicode string. > > that has the same format as a user or group as represented within other NFSv4 operations and designates the same entity. > > In these cases, the distinction between users and groups derives from the tag rather than a flag bit, as is done in NFSv4 ACLs. > > This in in contrast to how the corresponding structures are described in <xref target="Grünbacher">, where numeric uids and gds are > > specified. > > > - For ACEs whose tag field has other values, the who field is ignored by the receiver and there is no reason for the sender to set it to any > > particular value. > > With regards to the third paragraph, I no longer object to the result. I had objected but you have made it clear why this is the way it is but that differs from what is in the document now. Below I quote the existing paragraph with my comments interspersed. > > For POSIX ACLs, setting of the low order 9 bits of mode can change the ACL and setting of the POSIX access ACL can change the low order 9 bits of mode. > > This is true. > > As such, the ordering of setting the attributes related to mode and POSIX ACLs is important. > > It is certainly significant. > > Therefore, a client MUST not set the low order 9 bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document. > > I don't agree with the "therefore". > > This is required because [RFC8881] does not specify an ordering for setting attributes in a SETATTR operation. > > That is* NOT *true. There is nothing in rfc8881 that prevents you from > specifying an ordering as rfcs8881 does for NFSv4 ACLs. > > You are as free to specify an ordering as you are to specify that these are incompatible. > > > I suggest rewriting this to say something like the following: > > > A client MUST not set any of the nine-low order bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document. Similarly, it MUST not set these together when creating a new file. These restrictions apply because: > > > - Setting these together is not required by the POSIX interface. > - To do so, would require dealing with difficult ordering issues left unaddressed by the existing definitionof SETATTR. > > For the last paragraph, I have the following editorial suggestions: > > > - Suggest replacing "low order 9" by "low-order nine" > - In the second sentence I suggest replacing "SHOULD" by "should". > - In the third sentence suggest replacing "may use" by "can use". > - In this last sentence suggest replacing "will avoid" by "would avoid" > > > *6. POSIX ACL vs NFSv4 ACL Considerations* > > > In the first sentence of the second paragraph, suggest replace "a" with "an". > > > Suggest rewriting the third paragraph as follows: > > For servers configured as described above, and not for any others, the following apply: > > For the third bulleted item, propose rewriting it as two paragraphs like > the following. > > Using SETATTR to set a zero-length posix_default_acl or posix_access_acl (for a file object with a true form ACL of ACL_MODEL_POSIX_DRAFT) > > will delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE. > > Similarly, using SETATTR to eliminate the authorization-related portions of the ACL for a file object with a true form ACL of ACL_MODEL_NFS4 will > > delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE. This can occur when setting the sacl or dacl to an array of length > > zero or by settting the acl attribute to an array of ACEs in which none are ALLOW or DENY ACEs. > > > Propose to add the following items to the existing list: > > - > > Using SETATTR to set a posix_default_acl or posix_access_acl of non-zero length (for a file object with a true form ACL of > > ACL_MODEL_POSIX_DRAFT) will result in the object's acl model being set > to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model had > been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so that > the value dacl attribute is a zero-length array. > - > > Using SETATTR to set the dacl attribute to an array of non-zero length or to st the acl attribute so that it contains one or more ALLOW or DENY ACEs > > will result in the object's acl model being set to > ACL_MODEL_POSIX_NFS4. In addition, if the object's acl model had been ACL_MODEL_POSIX_DRAFT, > the existing default and access ACLs ae to be deleted. > > >
- [nfsv4] Review of draft-rmacklem-nfsv4-posix-acls… David Noveck
- [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-… Rick Macklem
- [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-… Rick Macklem