[nfsv4] Comments for draft-rmacklem-nfsv4-posix-acls-04

Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> Sat, 10 August 2024 00:32 UTC

Return-Path: <pali-ietf-nfsv4@ietf.pali.im>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5FFAC1522A0 for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 17:32:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pali.im
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-TV_-LcfeWz for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 17:31:59 -0700 (PDT)
Received: from pali.im (mail.pali.im [IPv6:2a02:2b88:6:5cc6::2a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40550C14CE45 for <nfsv4@ietf.org>; Fri, 9 Aug 2024 17:31:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pali.im; s=mail; t=1723249914; i=@pali.im; bh=Y2q3OXVmS4p6G5mKEHQQa/hlHFo0YuKeh1v5jobiE7U=; h=Date:From:To:Subject:From; b=nzncj9ei3Its61oy4te/gy/ljVwNcPkazK6CppYUT6h2R9dhWiU9Gaygh20V5A8g2 0vHzUhiUq+6feE/qNrsISRmVFUD7Ac6hyUACnAAF1Fb/3z4U+EKr+3N+RU9W5ZO9z7 pxdgn8eLQpjBc7NimYNEUheSEGn3kemaDn0NTM8wYpoIt2pplLPXKJ6fnQJB4pBZHi uHCtOvCAoxRin2Ih9sPaxTSqmSTu6iN/g730Em6DcFgDYUGJfzxepTKLcetJRsrGM/ RMPtH0/XMhvu/v9wqEECfX8Zn3+YhUSdsjLsIrFD9mmQKn5x3Go/hVnWw+hO7vA4OZ Hvzg7msC/guiQ==
Received: by pali.im (Postfix) id C1BB2435; Sat, 10 Aug 2024 02:31:54 +0200 (CEST)
Date: Sat, 10 Aug 2024 02:31:54 +0200
From: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
To: nfsv4@ietf.org, Rick Macklem <rick.macklem@gmail.com>
Message-ID: <20240810003154.xw4gnos6fqr2yw54@pali>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: NeoMutt/20180716
Message-ID-Hash: YAZZE27BTKDUOQK3PGBHV3M5JZT54UM3
X-Message-ID-Hash: YAZZE27BTKDUOQK3PGBHV3M5JZT54UM3
X-MailFrom: pali-ietf-nfsv4@ietf.pali.im
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Comments for draft-rmacklem-nfsv4-posix-acls-04
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/O1eCsiKIPO8lmmCbL7by1q0umDw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

Hello Rick,

I have read your new version -04 of extension document and just now I
have figured out some new things there.

For better readability I have one small suggestion for section 9.
In description of each attribute could be list of all possible values.
Currently the possible values are defined only in XDR section 4. And it
is quite hard for me to read this section 9, because I need to scroll up
(to read list of possible values) and then back down to the description.
When I first time read this section in -02 I was quite lost and I had to
read it more times.


My comment from -02 which still applies for -04 is version is ambiguity
of NFS4 mode attribute which does not match POSIX mode as required by
POSIX ACL.


New comments for each section are below.


Section 5. POSIX ACL Considerations

> in a directory that has a POSIX default ACL, the low-order nine bits
> of the mode MUST be specified by mode_umask in the setable attributes
> for the operation.

I think that here is missing an important fact that mode is specified in
"mu_mode member of mode_umask" attribute and that the "mu_umask member
of mode_umask" is being ignored in this case (when POSIX default ACL is
being used).

Because from current description is not clear how mode_umask is being
used as this attribute contains two members ("mu_mode" and "mu_umask").


Section 6. POSIX ACL vs NFSv4 ACL Considerations

> Using SETATTR to set the dacl attribute to an array of non-zero length
> ... will result in the object's acl model being set to ACL_MODEL_NFS4.

Why setting NFS v4.1 dacl attribute to zero length is excluded here?
I think it is perfectly fine to set dacl with ACL4_PROTECTED flag and
with zero length (empty list of) ACEs. This is fully valid NFS4 model
ACL which overwrites automatic inheritance to ACL with no access.

In my opinion using SETATTR on dacl attribute should always change acl
model to ACL_MODEL_NFS4. I'm expecting that as a user I'm setting NFS4
dacl attribute which refers to NFS4 model, so I'm unconditionally
setting model to NFS4.

> In addition, if the object's acl model had been ACL_MODEL_POSIX_DRAFT,
> the existing default and access ACLs are to be deleted.

I think that in this document it is a good idea to always explicitly
mention ACL type. Because sometimes it can be really confusing. For
example: "existing POSIX default and access ACLs" make it clear.


Section 7. GETATTR/SETATTR Atomicity should handle VERIFY and NVERIFY
atomically in the same way as GETATTR.

For example, NFS4 client may want to check if POSIX ACL is set to some
specific structure, and VERIFY with both acl_trueform and
posix_access_acl attributes is the appropriate operation for it.

Maybe VERIFY/NVERIFY should be covered also in other sections which
refers to GETATTR/READDIR?


Section 9.3. Attribute 90: posix_default_acl

> Since a POSIX default ACL only applies to directories, a SETATTR of
> the posix_default_acl for a non-directory object MUST reply
> NFS4ERR_INVAL.

I guess that this MUST applies also for OPEN/OPEN4_CREATE and
CREATE/NON-NF4DIR operations.


Section 9.4. Attribute 91: posix_access_acl

> a successful setting of this attribute sets the value of acl_trueform
> to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model had
> been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so that
> the value of the dacl attribute is a zero-length array.

In other email I already wrote similar comment which applies here too.
I think that this contradicts RFC 8881. Why?

* Per section 1. Introduction: "If the server chooses to support
  posix_default_acl and posix_access_acl for a file system, it MUST
  support the mode/mode_umask attributes for the file system."

* It is not explicitly mentioned but ACL_MODEL_NFS4 should imply that
  NFS4 server has to support dacl (or acl) attribute. (It would be nice
  to explicitly mention it.)

* Per RFC 8881 section 6.4. Requirements: "The server that supports both
  mode and ACL must take care to synchronize the MODE4_*USR, MODE4_*GRP,
  and MODE4_*OTH bits with the ACEs that have respective who fields of
  "OWNER@", "GROUP@", and "EVERYONE@". This way, the client can see if
  semantically equivalent access permissions exist whether the client
  asks for the owner, owner_group, and mode attributes or for just the
  ACL."

So we are in situation when mode, acl/dacl and posix_access_acl
attributes are supported.

And successful setting of posix_access_acl attribute results in
zero-length array of dacl attribute. This removal of dacl ACEs results
in synchronization of dacl to mode attribute. As there is no "OWNER@",
"GROUP@", and "EVERYONE@" ACE entry in dacl anymore (because dacl is
empty), this will result in synchronization of mode to empty access 000.

Per POSIX ACL, mode is being synchronized to POSIX ACL entities
user_obj, group_obj/mask, other.

If my understanding and steps above are correct then successful setting
of posix_access_acl attribute to any value results in immediate no
access for user_obj, group_obj/mask and other POSIX entities. And I
guess that this is not intended behavior.


> If SETATTR of a POSIX extended ACL does not have a POSIXACE4_TAG_MASK
> ACE, the SETATTR of the ACL MUST reply NFS4ERR_INVAL.

I think there should be also mentioned that SETATTR of POSIX ACL (does
not have to be extended) which does not have POSIXACE4_TAG_USER_OBJ,
POSIXACE4_TAG_GROUP_OBJ or POSIXACE4_TAG_OTHER ACE MUST result in
NFS4ERR_INVAL too. (Except zero-length.)


Regards,
Pali