IETF Logo Mail Archive

Re: [nfsv4] allowed delayed writes via AUTH_GSS

Carl Burnett <cburnett@us.ibm.com> Thu, 02 October 2003 18:34 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18995 for <nfsv4-archive@odin.ietf.org>; Thu, 2 Oct 2003 14:34:23 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58H4-0001we-Rl for nfsv4-archive@odin.ietf.org; Thu, 02 Oct 2003 14:34:03 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h92IY2iP007470 for nfsv4-archive@odin.ietf.org; Thu, 2 Oct 2003 14:34:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58H4-0001wP-N5 for nfsv4-web-archive@optimus.ietf.org; Thu, 02 Oct 2003 14:34:02 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18948 for <nfsv4-web-archive@ietf.org>; Thu, 2 Oct 2003 14:33:53 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A58H2-00050E-00 for nfsv4-web-archive@ietf.org; Thu, 02 Oct 2003 14:34:00 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A58H1-000509-00 for nfsv4-web-archive@ietf.org; Thu, 02 Oct 2003 14:33:59 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58H3-0001vF-BO; Thu, 02 Oct 2003 14:34:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58GM-0001ty-LC for nfsv4@optimus.ietf.org; Thu, 02 Oct 2003 14:33:18 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18884 for <nfsv4@ietf.org>; Thu, 2 Oct 2003 14:33:08 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A58GJ-0004z1-00 for nfsv4@ietf.org; Thu, 02 Oct 2003 14:33:16 -0400
Received: from e35.co.us.ibm.com ([32.97.110.133]) by ietf-mx with esmtp (Exim 4.12) id 1A58GJ-0004yY-00 for nfsv4@ietf.org; Thu, 02 Oct 2003 14:33:15 -0400
Received: from westrelay04.boulder.ibm.com (westrelay04.boulder.ibm.com [9.17.193.32]) by e35.co.us.ibm.com (8.12.10/8.12.2) with ESMTP id h92IWixu455400; Thu, 2 Oct 2003 14:32:44 -0400
Received: from d03nm130.boulder.ibm.com (d03av02.boulder.ibm.com [9.17.193.82]) by westrelay04.boulder.ibm.com (8.12.9/NCO/VER6.6) with ESMTP id h92IWh7B093910; Thu, 2 Oct 2003 12:32:44 -0600
To: Nicolas Williams <Nicolas.Williams@sun.com>
Cc: nfsv4@ietf.org
MIME-Version: 1.0
Subject: Re: [nfsv4] allowed delayed writes via AUTH_GSS
X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001
Message-ID: <OF6E537138.F92C229C-ON87256DB3.00655E03@us.ibm.com>
From: Carl Burnett <cburnett@us.ibm.com>
X-MIMETrack: Serialize by Router on D03NM130/03/M/IBM(Release 6.0.2CF2|July 23, 2003) at 10/02/2003 12:32:43, Serialize complete at 10/02/2003 12:32:43
Content-Type: text/plain; charset="us-ascii"
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 2 Oct 2003 13:32:41 -0500
Date: Thu, 02 Oct 2003 13:32:41 -0500

In my earlier post, I was assuming the client already had successfully 
pushed dirty data back to the server using the user's authentication, 
which is what you really have to do.

But the client at some point will return the delegation if it has not 
already been revoked. For example if its recycling a vnode. That's really 
the case I was thinking about.

Carl

Carl Burnett
AIX Kernel Architecture - Network File System
(512) 838-8498, TL 678-8498
(please reply to cburnett@us.ibm.com)





Nicolas Williams <Nicolas.Williams@sun.com>
10/02/2003 12:46 PM

 
        To:     Carl Burnett/Austin/IBM@IBMUS
        cc:     nfsv4@ietf.org
        Subject:        Re: [nfsv4] allowed delayed writes via AUTH_GSS



On Thu, Oct 02, 2003 at 07:17:59AM -0500, Carl Burnett wrote:
> Why wouldn't the client be able to use its host authentication (used in 
> SETCLIENTID) when doing DELEGRETURN? That seems like exactly what you 

Because that would also require that the client host have permission to
WRITE dirty buffers.  That's too much permission to grant implicitly to
client host principals, methinks.

Fortunately, delegation revocation is per-open file, not per-clientid.

So:

 - user goes away

 - clients keeps RENEWing using its hostbased principal creds

 - server recalls delegations

 - client can't flush dirty buffers or return the delegations

 - server revokes those delegations

 - user comes back, refreshes his/her creds, but finds that his/her app
   that had dirty state lost that state and got sent some signal that
   killed it (say, SIGLOST).

I think this is fine.

Though I think we could consider an operation that allows the user to
explicitly delegate to the client host permission to do DELEGRETURN and
WRITE on his behalf for his open files.

> would want to do. Of course one barrier I see is that it takes a 
> filehandle via PUTFH, and PUTFH will be checking the authentication 
> against the allowed security flavors for the exported data. This is 
> unfortunate since a client would like to be able to hang on to and 
manage 
> its granted delegation across many opens for potentially many users. The 

> client should not have to carefully watch all the authentication 
contexts 
> for the accessing users in order to know that it must do a DELEGRETURN 
> when the last related context is about to expire or be destroyed. And 
then 
> what if an admin actually removes the principal from the KDC or some 
async 
> event happens that makes the last applicable user context at the client 
> unusable. Now you have a client holding a delegation that it can 
> successfully return.

What if the network goes away permanently?  That's pretty much the
effect of having the credentials of all involved go away permanently.

There's always going to be failure modes we can't easily recover from.
Even with plain AUTH_NONE and AUTH_SYS!  :)

Oh well.

> To me, this looks fundamentally flawed that primarily state oriented 
> operations are so closely tied to user authentication when in fact state 

> is a client to server. This is especially true for delegations. Client 
IDs 
> own delegations, not users.

The more I think about it, the happier I am that delegations are
per-principal, rather than per-clientid.  That's because returning a
write delegation means writing dirty buffers and that's too much
permission to be implicitly granting to client host principals.

Cheers,

Nico
-- 




_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email