IETF Logo Mail Archive

[nfsv4] Re: Interim meeting agenda topics

Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> Mon, 09 September 2024 08:14 UTC

Return-Path: <pali-ietf-nfsv4@ietf.pali.im>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDF96C14F6FA for <nfsv4@ietfa.amsl.com>; Mon, 9 Sep 2024 01:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pali.im
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ncPFYBRmJ3zQ for <nfsv4@ietfa.amsl.com>; Mon, 9 Sep 2024 01:14:54 -0700 (PDT)
Received: from pali.im (mail.pali.im [IPv6:2a02:2b88:6:5cc6::2a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23E8BC14F5F5 for <nfsv4@ietf.org>; Mon, 9 Sep 2024 01:14:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pali.im; s=mail; t=1725869688; i=@pali.im; bh=FIlEHGAVE6jRCwq2nut8EnLOX6h7Jet+hCChpCLb67M=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=dnhvNFMoaGeL1SpCBiO6WMpyo1vl0BbE8LmNkTKLg6h2y9K3+Q21i3BgXOYGl8VGc ZkdXxReemkrxZydaNqKsHlOfX7TLFAa+yTqpWhAVkZ2h0HCq3s+VWQlBi8CAWePhKQ V6rBt9ZWv8zo3bLQhBdiDjA+whWYESaNEbI8a92p4No98qSNmCWFFPtWnMDjZMXkAt 9yrRYzLK8C7HQtMEjArEipWxkgqizFWUyajosHGW5j+Fad1hsOoRzt0IE9TFzPJEf4 tz5g8hNw6Jfz38j9++Vl9yIz3hmzUaHCjoML6YnVsDeU37JhcwYRIfS8P8M6KZWHTY nZthbyENX2PmQ==
Received: by pali.im (Postfix) id DE8745E9; Mon, 9 Sep 2024 10:14:48 +0200 (CEST)
Date: Mon, 09 Sep 2024 10:14:48 +0200
From: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
To: David Noveck <davenoveck@gmail.com>
Message-ID: <20240909081448.hyuald3xhz3ctmpc@pali>
References: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org> <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com> <CADaq8jey55znu5J1amhRj6F5uwoE=hO81ghEqZtrnsVw=_N5Pw@mail.gmail.com> <20240908163411.e2vobyl7yhaz6sdt@pali> <CAM5tNy601LJAW2q98ntkiWKDriVXbOchmY0VsNqy=Qye3d9Luw@mail.gmail.com> <CADaq8jdPDWWHNZpqw7fPubXbaH9YZahuCcOj84+b9=k3y9Z5zg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADaq8jdPDWWHNZpqw7fPubXbaH9YZahuCcOj84+b9=k3y9Z5zg@mail.gmail.com>
User-Agent: NeoMutt/20180716
Message-ID-Hash: AEQZW6AMBXYFIP7CUWSL6Z62TEFQD625
X-Message-ID-Hash: AEQZW6AMBXYFIP7CUWSL6Z62TEFQD625
X-MailFrom: pali-ietf-nfsv4@ietf.pali.im
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Interim meeting agenda topics
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/OSnESIG7W5KIYlOU-axvBp7VcS4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Sunday 08 September 2024 19:24:27 David Noveck wrote:
> On Sun, Sep 8, 2024, 6:12 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> 
> > On Sun, Sep 8, 2024 at 9:34 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
> > wrote:
> > >
> > > On Sunday 08 September 2024 12:05:54 David Noveck wrote:
> > > > On Fri, Sep 6, 2024, 4:35 PM Rick Macklem <rick.macklem@gmail.com>
> > wrote:
> > > > > What is left to be resolved / is controversial on the POSIX_ACL
> > draft?
> > > >
> > > > Nothing from my point of view.  I don't know of any issues Rick has.
> >  It
> > > > is reasonable to expect that anyone who does have issues to raise them
> > on
> > > > the list.   We may need to confirm the non-existence of such issues at
> > the
> > > > forthcoming interim meeting.  I think we should allocate five minutes
> > for
> > > > this.
> > >
> > > Hello, I have already pointed one issue on the list - problem with mode
> > > attribute (two meaning modes: NFS4 and POSIX) and its backward/forward
> > > compatibility on existing NFS4 servers for clients without POSIX ACL
> > > extension.
> > I'll admit I just do not understand what you are thinking.
> >
> 
> My response is the same.  I guess we need to discuss this at the next
> interim meeting.

Sorry for that, I was not clear enough. Model is fine, POSIX ACL
extension and POSIX ACL attributes are fine too.

My point was about existing NFS4 attributes 33 (mode) and 74 (mode_set_masked).
Meaning of these NFS4 mode attributes (in both NFS4.0 and NFS4.1/NFS4.2) is
slightly different than what IEEE POSIX ACL draft requires.

It is similar to the issue that NFS4 ACL attributes 12, 58 and 59 are
different than IEEE POSIX ACL. And this was solved in extension document
by allocating a new attributes which would serve POSIX ACL structures.

In my personal opinion, the best would be if also for POSIX ACL mode
would be allocated new attribute, in exactly same way as was added POSIX
ACL attributes. So it would be present only if file has POSIX true ACL
form. And let existing attribute 33 for its original meaning (from
RFC8881) independently of what is the true form.

> For the proposal, at any one moment in time, a file object on the server
> > will have, at most, one "true form" ACL. (Where "true form" is the ACL
> > that is stored for the file object and used to determine access to the
> > file.)
> >
> 
> The treatment in the latest acl draft is consistent with that model.  It
> provides for extensions such as yours, which define additional ACL models
> with the assumption being that there will be at most one ACL model in
> effect for any fike system object at any time.  The job of defining new ACL
> models is left to extensions as such as yours.
> 
> >
> > As such, I cannot understand why you would think there are two modes?
> > (Where "mode" refers to the low order 9 bits of the mode attribute.)
> >
> > The interaction between setting of the low order 9 bits of mode and the
> > setting of an ACL is determined by which "true form" the ACL has.
> >
> 
> Yes.  According to the latest ACL draft, the job of defininin those
> interactions in job of the acl document only when the ACL model in effect
> for that object I'd the NFSv4 ACL model.  When it is any other ACL model,
> it is the job of the standards-track extension defining that new ACL
> model.
> 
> >
> > For the weird case where a SETATTR is allowed to set an ACL of the
> > other "true form" for a file object, the mode bits will be updated the
> > same way as they would be if that ACL was set for the file object at
> > any other time (ie. no previous ACL or a previous ACL of the same "true
> > form"
> >
> 
> Agree. Although you describe this case as wierd, I cannot disagree but have
> to point out that this is much less weird than a number of presidential
> candidates :-)
> 
> >
> > W.r.t. clients that do not support the extension...
> > These clients might set the mode bits and the effect would be no
> > different than what occurs now.
> > --> For a server that uses a "true form" of POSIX draft ACL, that
> >      ACL might change, just as would happen now. It's just that the client
> >      cannot actually "see" the ACL.
> >
> > W.r.t. servers that do not support the extension...
> > The attributes will not be in the supported_attrs list and any
> > attempt to GET/SET them should fail.
> >
> > rick
> >

The problem is with existing server which via MODE4_RGRP, MODE4_WGRP and
MODE4_XGRP controls permissions of the OWNER_GROUP-only (per RFC8881).
So changing these bits never affects principals with kerberos ticket
which does not contain OWNER_GROUP in it. Clients using this NFS4 server
can have a contract that this would always apply as a security thing.

Now, if the existing server implements POSIX ACL extension then for
files which are in POSIX ACL true form would have to change meaning of
MODE4_RGRP, MODE4_WGRP and MODE4_XGRP bits. This server can serve data
to both new POSIX clients (which will implement this extension) and also
to clients from previous paragraph (without POSIX extension). So the
NFS4 POSIX client with the POSIX extension (e.g. Linux or FreeBSD) can
set ACL on new (or existing) file (ACL for more ACL_USER and ACL_GROUP),
and server will automatically change true acl from from NFS4 to POSIX.
All this is fine. The problem happens now when the non-POSIX NFS4 client
from previous paragraph wants to just change permissions for users
affected by primary group. So this client from previous paragraph per
contract arguments will just change MODE4_*GRP bits and it will expect
that this change does not affect permissions of other users. But in
reality it will change access to everybody except ACL_USER_OBJ and
ACL_OTHER, per IEEE ACL draft (as MODE4_*GRP controls MASK). And this
will break the contract for existing clients from previous paragraph.

So if these existing servers do not want to break contract with existing
non-POSIX NFS4 clients then they either are disallowed to implement
POSIX ACL extension. Or they would have to somehow figure out if the
connected client is POSIX-compatible or is not with this POSIX
extension. For server one option could be to inspect OP_EXCHANGE_ID
request (client put there its identification) and based on this the
server can "detect" if the client is POSIX or not, and "process"
attribute 33 in different way for POSIX and non-POSIX clients.

Now if I'm looking at this, the best for these scenarios can be to
separate POSIX ACL mode bits into new NFS4 attribute. So existing NFS4
clients can use attribute 33 as before, server would process attribute
33 always as before (so server can MODE4_*GRP map just to group owner,
not to mask). And for files in ACL true form there would be new
attribute and POSIX client with this extension would know that the
MODE4_*GRP of this new attribute would be MASK (if the POSIX ACL has
MASK entry). This would allow for existing servers to have coexistence
with existing non-POSIX NFS4 clients, new POSIX NFS4 clients with
extension. And also would allow servers to continue serving in attribute
33 what was there before, independently of the true ACL form. Like for
attribute 12, where server can provide POSIX-MAPPED-to-NFS4 form.

Hopefully, this is more clear what I mean about forward and backward
compatibility.

Anyway, it is up to you. I'm just trying to show some examples of the
real issues and solution for it, to prevent future problems.

v2.39.1 | Report a Bug | By Email | System Status