[nfsv4] Re: New Version Notification for draft-rmacklem-nfsv4-posix-acls-00.txt
David Noveck <davenoveck@gmail.com> Fri, 02 August 2024 16:07 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F91DC1840D9 for <nfsv4@ietfa.amsl.com>; Fri, 2 Aug 2024 09:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 422Tqq7x6J_R for <nfsv4@ietfa.amsl.com>; Fri, 2 Aug 2024 09:07:05 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74EB5C1CAE97 for <nfsv4@ietf.org>; Fri, 2 Aug 2024 09:07:05 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id 6a1803df08f44-6b79293a858so41118306d6.3 for <nfsv4@ietf.org>; Fri, 02 Aug 2024 09:07:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722614824; x=1723219624; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tvT5yma3QqNmAM6HlDi1Gfn+Dwe0B6TUfg3377VUnnY=; b=N79zn1tizB+rq3YK5TgGeQnk0CuSNAzW+QSYFOwty2W3uf/NXucH053Qkug2kPTH4e V0Nt0DNZNTLbWXOCSOLt/x/Zg2HS5J1eG7zrds8aTUglD2k3q+9qwcck7+ijXoKAomC3 N+WtYYrrv1kr30bt9oq6dl1WMohLd9M0XaCcVSjqwHLVZwif31mbpVN4UUXT7mc07Xj8 2ZEk2VYSAEo+nyY6QGFKHkIjUIqgX3n5gmbzyAdeyeZI0I9yE5T0X75J7sOZcIpfy2S3 /Q97BjoiQP/ZDPVPta1ou+HNU2v9JrLrsg0E2UmjFwmCOzpMGgdNjNF+21vVS+7hlMU1 LE0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722614824; x=1723219624; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tvT5yma3QqNmAM6HlDi1Gfn+Dwe0B6TUfg3377VUnnY=; b=S+a4VX/ecWu2nZpGwZnRIIVRaPbhYNcpCEJvbLRyd1UI36D2XGEJFjB0NAIahIoG6A YaSDt+GibkDROygbcw3RjHvv5CoI+2MCzhqD3sWP3/iPrj6VxMskgD+a/sOvnQfr6Q+S bqN/QPTCftU5XTQ5zl6dfWAiqtifSkCWKhjVLJFBFJYya4SYv7OAqNCDj+E3/v58lz4l BVBo7s9U+BA8F1JEFFz0NfPLQ4pkEpNhzxgiYsQZvhH1igEgtWo/ahC9EM7jExbxHndf 646/aGT0qiOfqeVbnzziOzv13XQ0nxOobCJB1TE91EX7cZvalWP3XEyGr9Mb9aSm0M0x VS5A==
X-Gm-Message-State: AOJu0Ywhvufd2ygXl1+HM3IIJoTYIqrZ8MNVAJLggS8k+mhUGOvnvSRy 6FeZSo6qNblvU65aMi+Lw8z6cmCzKMzHABFPODOUWzIpXDHm5j2Zcq2LSwTWui78AuOwLqAYd0F fMStOorrzsnteeoVqNeZ0I15Hrts23rcJ
X-Google-Smtp-Source: AGHT+IFUsQpeuVZFU1cpCO7SV+EVZtVTqACsoMG9s405fe3NQwFzLuCskDbSCXmkVnQuv2/XWkxmsWlCyl+ekX7aYSM=
X-Received: by 2002:a05:6214:5546:b0:6b9:5d27:92 with SMTP id 6a1803df08f44-6bb983a96cemr50564016d6.8.1722614823996; Fri, 02 Aug 2024 09:07:03 -0700 (PDT)
MIME-Version: 1.0
References: <172247136172.2230520.10372959849936316507@dt-datatracker-659f84ff76-9wqgv> <CAM5tNy7-1m2Xsz3hAAWwbehzqEWw_kzKZe_vc4YXcZrTsAx6ww@mail.gmail.com>
In-Reply-To: <CAM5tNy7-1m2Xsz3hAAWwbehzqEWw_kzKZe_vc4YXcZrTsAx6ww@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 02 Aug 2024 12:06:52 -0400
Message-ID: <CADaq8jd=XXKWLZJHt_V75WQFSUvxE9xtG61GTJo_WVCafuDHrQ@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000ab5467061eb58416"
Message-ID-Hash: 7T7JMFO2CN2OYY4VSGSMHMOLKI6MJTX4
X-Message-ID-Hash: 7T7JMFO2CN2OYY4VSGSMHMOLKI6MJTX4
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>, Rick Macklem <rmacklem@uoguelph.ca>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: New Version Notification for draft-rmacklem-nfsv4-posix-acls-00.txt
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Mj9ScqU_oQb1eIJqYpBpbFb_vyM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Wed, Jul 31, 2024 at 8:22 PM Rick Macklem <rick.macklem@gmail.com> wrote: > I've put a first draft of a POSIX ACLs document in the datatracker. > Please take a look when you have time. > > It currently specifies "per-file system" for the attribute that > reports what ACL model is being stored in the server. > That scope does not address cases that are important to me. > --> This could be changed to "per file". > Works for me, > or "per server". > That would make things much worse. > Opinions? > Lots of them. See *Document Review *below. > > Thanks, rick > > > On Wed, Jul 31, 2024 at 5:16 PM <internet-drafts@ietf.org> wrote: > >> CAUTION: This email originated from outside of the University of Guelph. >> Do not click links or open attachments unless you recognize the sender and >> know the content is safe. If in doubt, forward suspicious emails to >> IThelp@uoguelph.ca. >> >> >> A new version of Internet-Draft draft-rmacklem-nfsv4-posix-acls-00.txt has >> been successfully submitted by Rick Macklem and posted to the >> IETF repository. >> >> Name: draft-rmacklem-nfsv4-posix-acls >> Revision: 00 >> Title: POSIX Draft ACL support for Network File System Version 4, >> Minor Version 2 (NFSv4.2) >> Date: 2024-07-31 >> Group: Individual Submission >> Pages: 9 >> URL: >> https://www.ietf.org/archive/id/draft-rmacklem-nfsv4-posix-acls-00.txt >> Status: >> https://datatracker.ietf.org/doc/draft-rmacklem-nfsv4-posix-acls/ >> HTML: >> https://www.ietf.org/archive/id/draft-rmacklem-nfsv4-posix-acls-00.html >> HTMLized: >> https://datatracker.ietf.org/doc/html/draft-rmacklem-nfsv4-posix-acls >> >> >> Abstract: >> >> This document describes the addition of three new attributes that are >> used by servers to support POSIX ACLs. The term POSIX ACLs refers to >> the ACL component of the Portable Operating System Interface (POSIX) >> 1003.1e draft 17 [IEEE] document for which sponsorship was withdrawn >> in January 1998. Although the draft POSIX standard that describes >> these ACLs was never ratified, several POSIX based operating systems, >> such as Linux, Solaris and FreeBSD include support for them. The NFS >> Version 4 ACLs described in [RFC8881] henseforth referred to as NFSv4 >> ACLs, use a different model and attempts to map between the ACLs of >> these two models has not been completely successful. As such, this >> document proposes three new attributes that may optionally be used by >> an NFSv4.2 server to support ACLs that conform the afor mentioned >> POSIX 1003.1e draft 17. >> >> >> >> The IETF Secretariat >> >> >> _______________________________________________ > nfsv4 mailing list -- nfsv4@ietf.org > To unsubscribe send an email to nfsv4-leave@ietf.org *Document Review * *Overall Evaluation* This is a good start on addressing an important security issue. I feel the use of the new attribute currently called "server_acl_model" is an excellent choice. There are a number of major issues that need to be addressed before document adoption. Most of these are discussed in *General Comments*. For the few within *Per-section Comments*, that status is specially noted below if necessary. *General Comments * *Needed Changes in Direction* The changes I am referring to all derive, in some way, from the need to provide better support for the case in which support for both NFSv4 ACLs and POSIX ACLs are available. While this is partially addressed by shifting server_acl_model to be a per-fs-object attribute as discussed in *7.1 Attribute NN: server_acl_model*, this makes necessary other changes specifying how other actions affect the value of this attribute. Some of those are discussed in *Per-section Comments* while others are mentioned in *Things That are Missing.* I'd appreciate your response to comments in this section as soon as possible and in advance of a next draft. Right now, I am fairly far along in draftng acl-05 and beliee that if we can come to agreement on these matters, I can shift and produce a different acl-05 that fits together with your v4.2 extensons. *Things That are Missing.* I think the following thing needs to be done: - I think you have to look at the issues related to XDR extraction and how the updated v4.2 XDR is to be arrived a . I think you should look at how this is addressed in other v4.2 extensions. - I think you need a section describing the differences between the two ACL models. This is to address the part of the audience who will be adding your extensions to an implementation supporting the NFSv4 ACL model. The current document is oriented to those that do not have an such an existing. While this is a large part of the audience, it is not all of it. *Per-section Comments* *Abstract* Suggest replacing "POSIX based" by "POSIX-based". Suggest replacing "henseforth" by "henceforth". Suggest replacing "has not been completely successful" by "have not been completely successful" Suggest replacing "as such" by "In order to adequately support these ACLs," Suggest replacing "the afor mentioned" by "to the aforementioned". *1, Introduction* The current first sentence assumes that there needs to be mapping without giving the reader any basis for that feeling, which seems to come from out of nowhere. Suggest the following replacement for the existing first sentence: Because of the semantic differences between the two ACL models involved, attempts have been made to map between these two sorts of ACLs. However, implementation experience with mapping between NFSv4 and POSIX ACLs has not been completely successful. The last sentence of the paragraph, as currently written may provoke unhelpful may-vs-MAY discusssion. Suggest starting "A server has the option of choosing". In the second paragraph suggest replacing "as such" by "In order to provide better support for POSIX ACLs.". In the second sentence of the paragraph, suggest replacing "these attributes" by "any of these attributes". The current third paragraph leaves me mystified. Is the following more like what you want? The semantics relevant to the implementation of POSIX ACLs by the server, are described in [Grünbacher]. In addition, issues related to the over-the-wire format of POSIX ACLs and the interactions among the various new attributes are dealt with in this document. * 4. XDR definitions for new attributes* If the attribute returning aclmodel4 is, as I believe it should be, of per-fIle scope, you are missing an enum value to cover the case in which a file has a neither an NFSv4 ACL nor a POSIX ACL. ACL_MODEL_NEITHER? *5. POSIX ACL Considerations* As far as I can see from Andreas' paper, the first clause of the first sentence of the third paragraph is not true. Regarding the second sentence of that paragraph: - I can't see how "Therefore" is justfied. - I don't think it is possible to use set_mode_masked in this case. Regarding the third sentence of that paragraph, I think it is relevant that RFC8811 does address both these being set for the NFSv4 ACL model, casting doubt on the implication that the choices you made were somehow forced on you. I don't think your choices are bad ones, but you cannot claim here that you had no other choice. In the fourth paragraph, the reference to "POSIX system call" is inapproprIate. I think you need to refer to the NFSv4 operation. *7.1. Attribute NN: server_acl_model* I'd like to suggest a change in this name to something like "acl_model". In my view, this is not particularly server-specific although it is determined on the server based on server attributes supported and client action. In any case, we don't do this for other attributes. For example, fh is chosen by the server but is not called "server_fh. While I have previous said that this should be per-object, you need to make additional changes with that for the whole thing to make sense, Suggest the following: This attribute is a read-only attribute that indicates the ACL model of the ACL used to regulate access authorization for the current file object . Distinct values indicate whether: - This is controlled by a draft POSIX ACL. - This is controlled by ALLOW and DENY ACEs as part of an ACL set by the acl or dacl attributes or by ACL inheritance within NFSv4 ACLs. Note that this is not affected by the presence of a sacl attribute value or of AUDIT and ALARM ACEs within an acl atribute value. - This is not controlled by an acl but only by the mode attribute. It is a per-file system object attribute. *7.1.1 Rationale* The current first sentence ignores the problem that doing this as suggested cost one extra client-sever round ttrip. The current second sentence is kind of misleading in that the real reason your proposal does no mapping is that it specifes you do no mapping It appears that you have decided that mapping is impossible to do correctly. In any case, I would suggest deleting this section and adding the following to 7.1: This attribute provides a convenient low-overhead means of determining the acl model in use without the effort of obtaining the acl itself. Often, clients are not prepared to interpret acls (of eiter model) that are fetched and rely on ACCESS to determine authorization decisions. *7.2.1. Rationale* I suggest replacing this by something like the following either in this section or the preceding section: Without this attribute the client would have no way to set or interrogate the default acl, as provided for by the structure of the POSIX ACL model. While it is theoretically possible to somehow map NFSv4 ACLs to POSIX ACLs, important semantic differences make this a poor choice, In addition, the fundamentally different approaches taken to ACL inheritance compounds the associated difficulties, and no provision to do such mapping has been provided in this specification. *7.3. Attribute NN: posix_access_acl* I suggest adding a paragraph like the following: When this attribute is set to to a contain an ACL of length greater than zero, it has the effect of changing the value of server_acl_model to ACL_MODEL_POSIX. *7.3.1. Rationale* I suggest replacing this by something like the following either in this section or the preceding section: Without this attribute the client would have no way to set or interrogate the access ACL, as provided for by the structure of the POSIX ACL model. While it is theoretically possible to somehow map NFSv4 ACLs to POSIX ACLs, important semantic differences make this a poor choice, *9. References* We have an unfortunate difference of opinion between David B. and Chris. So far, the only conclusion I can draw is that at least one of them is wrong. It is true that there is a lot of material that characterizes the distinction between normative and informative references between as David says they are to be distinguished. Nevertheless the terms "Normative" and "Informative" are used and it is hard to ignore Chris's point that these also should have the role. I have considered the possibility of three reference subdivisions for - "normative references" - "essential non-prescriptive references" - "other informative references" but could see how you might not want to do that. Nevertheless, regardless of the IETF's possible attachment to this Procrustean bucket, it needs to be made clear that the knowledge in thisdocument cannot be dispensed with. While you can kinda sorta understand this document without it, if an implementer did not get this knowledge somehow, the resulting implementation is not of any value. In any case, although you might not want to say this explcitly, reading this document is more important than reading most of the current normative references. I know this is heretical, but, so far I know, the IETF has never burned anyone at the stake.
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… David Noveck
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Frank Filz
- [nfsv4] Re: New Version Notification for draft-rm… David Noveck
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… David Noveck
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… David Noveck
- [nfsv4] Re: New Version Notification for draft-rm… David Noveck
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… David Noveck
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem
- [nfsv4] Re: New Version Notification for draft-rm… Frank Filz
- [nfsv4] Re: New Version Notification for draft-rm… Rick Macklem