[nfsv4] Mail regarding draft-dnoveck-nfsv4-acls

Chris Inacio <inacio@cert.org> Tue, 21 May 2024 04:04 UTC

From: Chris Inacio <inacio@cert.org>
To: "draft-dnoveck-nfsv4-acls@ietf.org" <draft-dnoveck-nfsv4-acls@ietf.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Date: Tue, 21 May 2024 04:04:16 +0000
Subject: [nfsv4] Mail regarding draft-dnoveck-nfsv4-acls
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/LNKZ2zYr2JpiQahRq7cx13S3h_0>

Dave,

I’m not as far as I want to be reading through this, but I have some questions.  First, help me do my homework some (it’s going slowly for me to read this); where are SACL and DACL defined?  (I have to read up on a lot of things you’re referencing in the ACL doc as I go.) I’m only 1/3 through reading, but I’ve skimmed a lot more of the document; please forgive me if I haven’t made it far enough and my questions are covered later in the document.

Second, reading the PSARC description of how ZFS did ACLs, there is mention of ACEs for “owner” and “group” per normal POSIX filesystems; but then entries are also created for “owner@”, “group@”, and “everyone@”.  Adding these ACEs, according to the somewhat dated doc, really seemed to help with Windows/SMB and Unix/NFS interoperability.  I also noticed that this is discussed in the NetApp ONTAP implementation report.

Could this be related to NetApp filers generally not having local filesystem access; e.g. no one is `chmod`ing permissions/ACLs locally on NetApp filers?

I’m torn between the very simple approach from the PSARC reference and your more complete approach.  It isn’t clear to me that they are in any way exclusive of one another.  In fact, as far as I can tell, it might be enough to say, by default, entries exist for those labels for each object.

Thanks
Chris



(PSARC reference on the NFSv4 mailing list: https://mailarchive.ietf.org/arch/msg/nfsv4/U-yLqp0MiCyFp7kgGfooLAyCQQQ/)