Re: [nfsv4] Fwd: New Version Notification for draft-haynes-nfsv4-flex-filesv2-00.txt

Trond Myklebust <trondmy@gmail.com> Wed, 09 August 2017 19:18 UTC

Return-Path: <trondmy@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71B771324A4 for <nfsv4@ietfa.amsl.com>; Wed, 9 Aug 2017 12:18:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SLsz0yDeme-b for <nfsv4@ietfa.amsl.com>; Wed, 9 Aug 2017 12:17:59 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4CBC13249D for <nfsv4@ietf.org>; Wed, 9 Aug 2017 12:17:39 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id n125so29309130vke.1 for <nfsv4@ietf.org>; Wed, 09 Aug 2017 12:17:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bNZIGJU+8InUErZrdttHRBXbEmEL04qgUPwMJomAW40=; b=dMXbZpJv++pja7cU64JEhl95ycuFUJSSULZ5TYiY2qMO4u77bViLeDcEsB8/kFiJMH Jdd00qO27lvkLa28qtP44AmR9yiOaEpWhHQtj5+mLH0Z/+MTzAg6pBp7m5/t4NSbF0r4 tmzPsUY5mVmcG6Mpz7cUUdKLyE4qB2L4YeY+ZZEWqXw3FCKzPKSQqYCK+/PerSHGal2L SEXE5dv2BR4OGk6lXvkn1Ycxlx9eW3KvdBcl45UUM3sE9ZLleFBv4JuCsSCaebJnlPZT wZN+t9oc1iwcfB6qvwCMzp8qstipkaVeqilDGAVfPyg+KkXidphaqDlOC6POvukqpGKj L5Dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bNZIGJU+8InUErZrdttHRBXbEmEL04qgUPwMJomAW40=; b=rYVhM5vaC6rc9qpqMdNr1Ee7htezAnL9psa6w+t8F3TJ2m0urbE8UwDkLhgw/ch0m+ X7WQaLNNUurXJ4IqkV6d0bNazgNeFt0A3nfbwe4f03qgnwTplOIrI2SaXM/wQ83SHB9N EcP1kvaodJkEUD05gG04UXpeQlj3HmXpNZfbxzth82y6xNfMkLKWa/2UV+qqjuxHq/yd Ove347LRmThL09BvbhST3WNzg29FeEj6fjuoEEQ/sparBFXneaCPYrXh7AXlEiHmg3pJ O3JSOdsjlh7pH5yROMcqtZPouxi4MNc8ZafZRxncUp+nzzdvyLL7kAORl3hIB+5O/D5v v0MA==
X-Gm-Message-State: AHYfb5gb21BnBCbuM0VGPIapFnQzVi0Y7/EbY2c95gjn10RM+IQfbk7w PNDlsK11f/VToSlgaGTM2PVVdq/nnA==
X-Received: by 10.31.212.5 with SMTP id l5mr6322189vkg.73.1502306258619; Wed, 09 Aug 2017 12:17:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.27.28 with HTTP; Wed, 9 Aug 2017 12:17:37 -0700 (PDT)
In-Reply-To: <CAN-5tyHqFwdeFsTvje-F-9DbwhAcKWLg6eHxxEtnE5O26A7WwQ@mail.gmail.com>
References: <2CA259E3-BD3A-482B-BFBF-3B90425AD3EA@primarydata.com> <CAN-5tyETNMCPVC5wJ-_77vM5+hVB+-uasd37kn+M=hoCeK6P7w@mail.gmail.com> <CAABAsM6rmrDU4BR6Ho7YFjjYA2amEkwuRGtzN537VXUZ-Eh-hg@mail.gmail.com> <20170808185803.GQ70977@kduck.kaduk.org> <CAABAsM7xOpbopPa3v1YMtfcFZbNZ=Jygap37Bg6qGfDDAvRHhQ@mail.gmail.com> <20170808194916.GR70977@kduck.kaduk.org> <CAABAsM5dAUxbrNA754nxN0iJpkJ-Zep37xnbycRsZXbPQi+hwQ@mail.gmail.com> <CAN-5tyGTZUgCDtVGhCbiXt4Hs6iGNKrhaKcQp8Vo8AveEX04hw@mail.gmail.com> <CAABAsM7iB_KRNFVmd8p4UTmEZSBj01uZoDhHt+827DzpmveuHQ@mail.gmail.com> <CC8CD648-2657-4CC1-ACDD-C7FF8B3BEADB@gmail.com> <20170808232729.GU70977@kduck.kaduk.org> <CAABAsM4xo7-TWktFTcQJ92RCeBfJ0s9ukbAe8LB_X1sguqgpKA@mail.gmail.com> <CAN-5tyHqFwdeFsTvje-F-9DbwhAcKWLg6eHxxEtnE5O26A7WwQ@mail.gmail.com>
From: Trond Myklebust <trondmy@gmail.com>
Date: Wed, 9 Aug 2017 15:17:37 -0400
Message-ID: <CAABAsM4PNpLvpnFTLxEj1puPTOFfey8OPAmQA+WUeS1OqOsNyA@mail.gmail.com>
To: Olga Kornievskaia <olga.kornievskaia@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Content-Type: multipart/alternative; boundary="001a114eea8ee395aa055656eed9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/QYXksgmWLkBNckIwlI8PjVPhdms>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-haynes-nfsv4-flex-filesv2-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 19:18:02 -0000

On 9 August 2017 at 14:36, Olga Kornievskaia <olga.kornievskaia@gmail.com>
wrote:

> On Tue, Aug 8, 2017 at 7:55 PM, Trond Myklebust <trondmy@gmail.com> wrote:
> >
> >
> > On 8 August 2017 at 19:27, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >>
> >> On Tue, Aug 08, 2017 at 06:01:48PM -0400, Olga Kornievskaia wrote:
> >> >
> >> >
> >> > > On Aug 8, 2017, at 5:44 PM, Trond Myklebust <trondmy@gmail.com>
> wrote:
> >> > >> >
> >> > >>
> >> > >> Since MDS = KDC then it would know which encryption scheme to use.
> >> > >
> >> > > The client will usually authenticate to the MDS using the corporate
> >> > > KDC. The KDC on the MDS itself is not required to be the same.
> >> >
> >> >
> >> > But mds has access/copy of the principal database so it knows
> encryption
> >> > types for the client server keys
> >>
> >> There is a possible design where the MDS has access to the KDC's
> database,
> >> yes.
> >> There are a couple other possible designs, though, and I don't think
> we've
> >> ruled them out yet (whether due to technical constraints that cause them
> >> to not actually work, policy decisions, or other).
> >>
> >> (1) MDS is colocated with KDC or otherwise has access to the KDC
> database.
> >>
> >> It's easy to get policy consistency between the KDC and MDS, find out
> >> about
> >> supported enctypes, etc.  Issuing tickets is also easy and can be done
> >> with
> >> direct database access and reuse a lot of code; the normal policy checks
> >> are applied, authorization data can be included as usual, etc.  Actual
> >> principal
> >> entries can be created/destroyed on demand for handing out as synthetic
> >> credentials.  Access control can be done via synthetic client principal
> >> name or authorization data in the tickets.
> >>
> >> But, it adds more code running on the highly-privileged KDC machine,
> and a
> >> bug
> >> in the MDS risks compromising the entire Kerberos realm -- a monstrous
> >> rekeying/re-enrolling task.
> >>
> >> (2) MDS is permitted by the KDC to use S4U2Proxy
> >>
> >> This has some nice properties, like letting the KDC keep an audit trail
> >> from the initial client authentication to the issued synthetic ticket
> and
> >> separating the MDS from the KDC.  But, it is harder to create/destroy
> >> client principal entries on demand, and most likely access control would
> >> need to be done via authorization data in the resulting ticket.  (The
> KDC
> >> might need to know to preserve and/or validate that authorization data
> >> as part of the S4U2Proxy flow, but generally it should allow unknown
> >> authorization data in the request to be preserved in the resulting
> >> ticket.)
> >> The data server might need modification to use the Kerberos
> authorization
> >> data for access control decisions.
> >>
> >> (3) MDS knows data server's private key
> >>
> >> This essentially makes the MDS trusted to emulate/hijack the data
> server's
> >> NFS role, by making the key formerly shared between just the data server
> >> and the KDC also shared by the MDS.  That key is used for authentication
> >> and integrity (source) validation, so the MDS could impersonate the KDC
> >> to the data server or vice versa.
> >>
> >> This is very flexible about ticket "issuance", again allowing arbitrary
> >> synthetic client principal names to be used and authorization data to be
> >> inserted.  But, it causes the KDC to lose visibility into what is
> >> happening
> >> in the Kerberos protocol and may have weaker auditability properties.
> >>
> >> It also requires sharing the private key of the data server with another
> >> party, which is in general something that should be avoided when using
> >> Kerberos -- this sort of problem is one of the things that S4U2Proxy was
> >> designed to address.
> >>
> >>
> >> All three of these are only considering how to get a Kerberos ticket
> that
> >> the MDS and/or client can ues to authenticate to the data server using
> >> GSS-API; the details of how credentials and/or keys are conveyed from
> the
> >> MDS to the client are a different problem, one that seems independent
> >> of which of the above three options is taken.
> >>
> >
> > There is a fourth option.
> >
> > Give the MDS its own KDC and own domain that is completely separate and
> > untrusted by the corporate domain. The DSes would be required to
> recognise
> > principals from that domain, and not from the corporate domain.
> >
> > The reason why that might be compelling is to ensure that principals that
> > are generated to support synthetic uids and gids may not be used to
> > authenticate to anything else in the corporate domain.
> >
> > It also ensures that someone with a principal from the corporate domain
> has
> > no special privileges to access data on the DSes unless granted a layout
> by
> > the MDS.
> >
> > IOW: the idea is to keep the authentication domain for the pNFS data path
> > entirely private to the storage system, while using the corporate domain
> to
> > authenticate to the MDS.
>
> I keep coming back to the question of what's different about assuming
> that MDS and storage server belong to the same Kerberos realm (whether
> or not it's corporate or private) and the tightly-coupled model where
> everybody belongs to the same realms and normal ACL-based control is
> used? Why is using normal principals and ACLs is ok in the
> tightly-coupled model but it's not for loosely-coupled?
>

In the tightly coupled model, the server has a special control channel to
the DS, and which it uses to enforce the layout semantics.

In the loosely coupled model, the control channel is NFSv3 and so layout
enforcement needs to be done by other means; in practice the only way to do
so is to use access controls. Please see the discussion about synthetic
uids and gids in the existing flex files draft for how it works.

The options I see for how to send the ticket back,  if it's a private
> realm, then krb5p must be used and encrypt the secret that's also in
> the service ticket. If it's a corporate realm, then krb5i could be
> used and secret encrypted with the user's key. Maybe you can create a
> return structure such that allows for either of the approaches. If
> this flag is set, then client should decrypt with one and with another
> otherwise. Then the implementors/administrators can decide whether
> they want private realms or shared MDS/KDC appoarch.
>
>
The expectation is that the client would need to use krb5p to protect the
LAYOUTGET call to the MDS.

An alternative that might be worth exploring is to have the LAYOUTGET
return a stateid representing the credential to use, and then add a
separate LAYOUTAUTH call to convert the stateid into something that could
be used to set up the RPCSEC_GSS session to the DS.
The reason why that might be interesting is that it could allow the client
to reuse an existing RPCSEC_GSS session if one is already available.
It might also allow the client to share information such as supported
encryption types, etc as extra arguments to the LAYOUTAUTH call.