[nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02

Rick Macklem <rick.macklem@gmail.com> Wed, 07 August 2024 23:15 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71712C14F605 for <nfsv4@ietfa.amsl.com>; Wed, 7 Aug 2024 16:15:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xIUkeX7euRL for <nfsv4@ietfa.amsl.com>; Wed, 7 Aug 2024 16:15:50 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C67AC14F603 for <nfsv4@ietf.org>; Wed, 7 Aug 2024 16:15:50 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id 98e67ed59e1d1-2cdadce1a57so345998a91.2 for <nfsv4@ietf.org>; Wed, 07 Aug 2024 16:15:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723072550; x=1723677350; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=x9DsUwZVhnPHFU1YVfVGr5Wt/G6bPWsEVhpkn+1xWwc=; b=DBC1NcUNsZSN7Fkmj7144QNS0o8nNUkdKLmPRoMIX5e/m7GGgITSxgS8e6VUgMhD2v oRyRDfn+UnXPAwNC7mLRPirDpP7Zd7c9k7m9/xS70HX3r2cGrcZxG25qxf7MmvLLtgrm Vs5o60cT+KIR1NXSWuGujHYhnatkRI0KKBNNLGSgWQ1BM2btpHuyON9zYo2PPNwr4KvS B5nVlS+g+7g0EzOzsgVaaldykNio0i4gFmsDSuk1n2wTalokpCD/SV/gTSLhR6W++P5j kcg1lsTGGOZy2DoaS76aqBnoJ/2XilN5/Fq2P+3fYYkG69eNv4A0iOYkEfdnDhfBgETE 9UdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723072550; x=1723677350; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=x9DsUwZVhnPHFU1YVfVGr5Wt/G6bPWsEVhpkn+1xWwc=; b=IGLI4n1CaZSZyEZl65IJ3spt4b8cOu1pXAeab9sIwR6TUZqZwuvVbrBD3YnZ7MC/Lx Eh3WFab5qvRGAgtsLqBDHMntZiNO24JynfJTqyPBqXptyF0+GQa6XhA2tggHdHNdTXth Q3p2lOwFJNKlNK9q9yXSQ748zi3S43FCz+P/OicGEPF/v+p5GOuO5vA18Z7Fmc/hNchE bJpvsTDU/2XE5j33dYjAr1PNVtt8bl9VP0Mdc73XouUI6A/uy7JQvSEzWE82hX7MjsFW XO36g55P+DV/5eURv9kg2Ib4traTz6gRcn3y2r6Epd0ExLfNA6aC9YZbxjuvJtuy99Z6 s/NQ==
X-Gm-Message-State: AOJu0YzhwqzFK6DNn9bRefZmNltiIoHu5Uk+P9SauP8JOCYdReK2okDp zdkmwvGOuFcoWBkaXxjfb4h9/o1bmz0fzokwnYuq1VzNWenfljZBLY+fOUrkpwXNy9KBU6dRyEG SdWPxT4TVPSxOmZOcfvNkd6AhOQ==
X-Google-Smtp-Source: AGHT+IF44S9gBXqUWHPOQSef4xO9Qr5HJau6PQmxMZvUqn1WQDc8aREuszk6DxsyUn6uIoN1K85doFFeziKfWPjtizc=
X-Received: by 2002:a17:90b:1e51:b0:2bf:8824:c043 with SMTP id 98e67ed59e1d1-2d1c33ae989mr164430a91.18.1723072549640; Wed, 07 Aug 2024 16:15:49 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com>
In-Reply-To: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Wed, 07 Aug 2024 16:15:39 -0700
Message-ID: <CAM5tNy5kkGGCYSdfthZ419tv1OoA18y6rjkCkxzS+=VqH1w47Q@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003e6403061f20173f"
Message-ID-Hash: ENNFVXV3FXNP2YOGIUAOARBI432XGNNW
X-Message-ID-Hash: ENNFVXV3FXNP2YOGIUAOARBI432XGNNW
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/HPl2iZ9fjrLH0VfxVRXRkSVXP0s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

I have updated the draft to draft-rmacklem-nfsv4-posix-acls-03.
I think I have addressed all the comments in David's review.

There are a few substantive changes:
- The draft no longer refers to the setting of a 0 length NFSv4
  ACL. (It appears that a 0 length NFSv4 ACL may just be a NFSv4
  with no permissions. This is different from an erased Windows/SMB ACL,
  which was what I was using a 0 length NFSv4 ACL for.)
- I changed the ordering of setting mode vs POSIX ACL to defining the
  order if they are in the set of setable attributes.
- I think I now refer to mode/mode_set_masked/mode_umask correctly
  and require support of mode_umask and mode for this extension.
- When a NFSv4 ACL is being replaced by a POSIX ACL, it now notes that
  the allow/deny ACEs will be deleted, so that the audit/alarm ACEs
  remain intact.
- It now allows a SETATTR to flip between NFSv4 and POSIX ACLs when
  the scope is ACL_SCOPE_FILE_OBJECT. (The old draft restricted that.)

Thanks go to David Noveck for his review.

rick


On Tue, Aug 6, 2024 at 8:26 AM David Noveck <davenoveck@gmail.com> wrote:

> *Overall Evaluation *
>
> In good shape.  There are a few  non-editorial issues that need to be
> dealt with but not many.
>
> I am prepared to support working group adoption as soon as the author is
> ready to deal with the inevitable requests for a completion date.
>
> Based on what I have seen so far, I am planning to refocus work on
> acls-05.  I had been hoping to enhance the NFSv4 ACL model so that the
> POSIX ACL model could be a submodel.  As I read Andreas' document, this
> kept getting more and more difficult and it now appears that, with the
> document being reviewed, we have a reasonable path out of the existing ACL
> mess 😳
>
> *General Issues*
>
> *Dealing with Sacls*
>
> There are a number of places where sacls are treated as parts of acls.
> They shouldn't be and I will discuss below ways of having posix acls
> co-exist with use of the parts of  NFSv4 ACLs  that are not related to
> authorization.
>
> *Interaction with Existing ACL Attributes*
>
> There are some missing cases in the list in *6. POSIX ACL vs NFSv4 ACL
> Considerations.* The existing treatment which deals only with deleting
> ACLs does not address issues involving creating new ACLs of either type.
>
> *Ordering Issues*
>
> My issues with the substance of the attribute ordering restrictions have
> been addressed but I still have issues with the stated justification.  See 5.
> POSIX ACL Considerations for details.
>
>
> *Per-section Issues*
>
> *Abstract *
>
> Suggest rewriting the first sentence as follows:
>
> This document describes a potential protocol extension involving the
> addition of four new attributes to be used by server to provide support for
> POSIX ACLs.
>
> *1. Introduction*
>
> I have problems with the first sentence which says that mapping was
> attempted because of the semantic differences.   This implies that if there
> were no semantic differences, mapping would  not have been attempted.  In
> fact, it still would have been attempted but would have been sucessful.  I
> would start the section with something like the following:
>
> In response to the very different over-the-wire formats, attempts have been made to map between these two sorts of ACLs.  However, because of the
>
> large number of semantic differences, implementation experience with mapping between NFSv4 and POSIX ACLs has not been completely successful.
>
>  For example, if a NFSv4 ACL is applied to a server file via SETATTR on a server that stores POSIX ACLs and then retrieved via
>
> GETATTR/READDIR, the ACL will often not be the same, since the mapping algorithm cannot do an exact mapping between them.
>
>
> Suggest rewriting the last sentence of the last paragraph to read as
> follows:
>
> In addition, issues related to the over-the-wire format of POSIX ACLs and the interactions among the various new attributes and with
>
> existing attributes are dealt with in this document.
>
>
> *5.  POSIX ACL Considerations*
>
>
> In the first sentence, you are stating a true fact, but you need to make some normative statement to follow up.
>
>
> I assume that that would be that setting a POSIX ACL that does not follow that is invalid.
>
>
> In the second paragraph, know what you mean, but it is not clear that a reader would.  Suggest the following:
>
>
> In the who value within the posixace4 structure that appear in these new attributes, the field is interpreted as follows:
>
>
>    - For ACEs whose tag field is POSIXACE4_TAG_USER or POSIXACE4_TAG_GROUP the who value is a UTF8-encoded Unicode string.
>
> that has the same format as a user or group as represented within other NFSv4 operations and designates the same entity.
>
> In these cases, the distinction between users and groups derives from the tag rather than a flag bit, as is done in NFSv4 ACLs.
>
> This in in contrast to how the corresponding structures are described in <xref target="Gr&#252;nbacher">, where numeric uids and gds are
>
> specified.
>
>
>    - For ACEs whose tag field has other values, the who field is ignored by the receiver and there is no reason for the sender to set it to any
>
> particular value.
>
> With regards to the third paragraph, I no longer object to the result.  I had objected but you have made it clear why this is the way it is but that differs from what is in the document now.  Below I quote the existing paragraph with my comments interspersed.
>
> For POSIX ACLs, setting of the low order 9 bits of mode can change the ACL and setting of the POSIX access ACL can change the low order 9 bits of mode.
>
> This is true.
>
> As such, the ordering of setting the attributes related to mode and POSIX ACLs is important.
>
> It is certainly significant.
>
> Therefore, a client MUST not set the low order 9 bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document.
>
> I don't agree with the "therefore".
>
> This is required because [RFC8881] does not specify an ordering for setting attributes in a SETATTR operation.
>
> That is* NOT *true. There is nothing in rfc8881 that prevents you from
> specifying an ordering as rfcs8881 does for NFSv4 ACLs.
>
> You are as free to specify an ordering as you are to specify that these are incompatible.
>
>
> I suggest rewriting this to say something like the following:
>
>
> A client MUST not set any of the nine-low order bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document.  Similarly, it MUST not set these together when creating a new file. These restrictions apply because:
>
>
>    - Setting these together is not required by the POSIX interface.
>    - To do so, would require dealing with difficult ordering issues left unaddressed by the existing definitionof SETATTR.
>
> For the last paragraph, I have the following editorial suggestions:
>
>
>    - Suggest replacing "low order 9" by "low-order nine"
>    - In the second sentence I suggest replacing "SHOULD" by "should".
>    - In the third sentence suggest replacing "may use" by "can use".
>    - In this last sentence suggest replacing "will avoid" by "would avoid"
>
>
> *6.  POSIX ACL vs NFSv4 ACL Considerations*
>
>
> In the first sentence of the second paragraph, suggest replace "a" with  "an".
>
>
> Suggest rewriting the third paragraph as follows:
>
> For servers configured as described above, and not for any others,  the following apply:
>
> For the third bulleted item, propose rewriting it as two paragraphs like
> the following.
>
> Using SETATTR to set a zero-length posix_default_acl or posix_access_acl (for a file object with a true form ACL of ACL_MODEL_POSIX_DRAFT)
>
> will delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE.
>
> Similarly, using  SETATTR to eliminate the authorization-related portions of the ACL for a file object with a true form ACL of ACL_MODEL_NFS4  will
>
> delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE.  This can occur when setting the sacl or dacl to an array of length
>
> zero or by settting the acl attribute to an array of ACEs  in which none are ALLOW or DENY ACEs.
>
>
> Propose to add the following items to the existing list:
>
>    -
>
>    Using SETATTR to set a posix_default_acl or posix_access_acl of non-zero length (for a file object with a true form ACL of
>
>    ACL_MODEL_POSIX_DRAFT) will result in the object's acl model being set
>    to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model had
>    been  ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so that
>    the value dacl attribute is a zero-length array.
>    -
>
>    Using SETATTR to set the dacl attribute to an array of non-zero length or to st the acl attribute so that it contains one or more ALLOW or DENY ACEs
>
>    will result in the object's acl model being set to
>    ACL_MODEL_POSIX_NFS4. In addition, if the object's acl model had been  ACL_MODEL_POSIX_DRAFT,
>    the existing default and access ACLs ae to be deleted.
>
>
>