[nfsv4] Re: Feedback on user ID for any bis work

Chris Inacio <inacio@cert.org> Thu, 05 September 2024 16:12 UTC

From: Chris Inacio <inacio@cert.org>
To: Chuck Lever III <chuck.lever@oracle.com>
Date: Thu, 05 Sep 2024 16:12:45 +0000
Message-ID: <8DC86A0E-BFC5-4738-B0C3-6C9BCBFB755A@cert.org>
References: <EFD2C35A-9FC4-4381-82F2-475957CEE07B@cert.org> <1452890090.47955225.1723888278946.JavaMail.zimbra@z-mbx-2> <2C377184-60B5-43B3-9FAD-33F682DBAC5D@oracle.com> <1086079167.54167075.1724943726342.JavaMail.zimbra@desy.de> <D5C0C2E4-0791-4970-93A5-C2DFDF566946@oracle.com>
In-Reply-To: <D5C0C2E4-0791-4970-93A5-C2DFDF566946@oracle.com>
CC: NFSv4 <nfsv4@ietf.org>
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/RvgNhh4mSnqRLBLg1j7eU3Fkwmo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>

Tigran,

This is great; really what I had in mind.  I had been trying to puzzle through this myself.  For me (and it's because I don't know the mechanics of NFS well enough, at this point) the thing I am mentally tied up in is some form of "mapping" from these external identities to file system UIDs.  LDAP provides a binding of directory authentication to a local UID, which makes basic permissions easy to do on POSIX file systems.  Would another service / configuration mechanism be necessary to provide these remote ID to local UID mappings?  This gets a lot easier for filesystems that actually provide workable ACLs, as far as I can tell.  Then you have the ability to at least provide a binding (even if it isn't cryptographically strong at rest) of a permission on the server filesystem to the remote identity service.

Correct me if I have any of this wrong, please.  When I last worked at a file systems company, I did TCP/IP interface and acceleration.  So the real mechanics and nuances of NFS aren’t totally clear to me.

Side note: I was trying to understand how this works by reading the NFSv42 XDR.  That does not seem to really include anything with regard to authentication in there.  There is an include of "auth.h", which seems a little less than ideally portable to me.

Chris

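An added illustration of the two authorization paths the message above contrasts (an explicit remote-identity-to-UID table, versus an ACL that binds permissions to the remote identity directly); this is a constructed model written for this archive page, not code from the thread, from NFS, or from the rpc-sec-oidc draft, and the principal fields, the mapping table and the ACL key format are all assumptions.

```python
"""Constructed model of two ways a file server can authorize a principal that
was authenticated by an external identity service. Not NFS code."""
from dataclasses import dataclass, field

NOBODY_UID = 65534  # conventional unprivileged fallback; never an owner


@dataclass(frozen=True)
class RemotePrincipal:
    """Identity asserted by the external service (hypothetical field names)."""
    issuer: str   # which identity service vouched for the user
    subject: str  # stable identifier inside that issuer


class UidMapper:
    """Path 1: an explicit (issuer, subject) -> local UID table, playing the
    role LDAP plays for local accounts. Unknown principals fall to nobody
    rather than to any real account (deny by default)."""

    def __init__(self, table: dict[tuple[str, str], int]):
        self._table = dict(table)

    def to_uid(self, p: RemotePrincipal) -> int:
        return self._table.get((p.issuer, p.subject), NOBODY_UID)


def posix_owner_allowed(owner_uid: int, uid: int, perm: str,
                        owner_perms: set[str]) -> bool:
    """Minimal owner-only POSIX-style check used after Path 1 mapping.
    The nobody UID is refused even if a file happened to be owned by it."""
    return uid != NOBODY_UID and uid == owner_uid and perm in owner_perms


@dataclass
class AclFile:
    """Path 2: the ACL names the remote principal as "issuer:subject", so the
    permission is bound to the remote identity and no UID mapping is needed."""
    owner_uid: int
    acl: dict[str, set[str]] = field(default_factory=dict)

    def allowed(self, p: RemotePrincipal, perm: str) -> bool:
        return perm in self.acl.get(f"{p.issuer}:{p.subject}", set())
```

Note that in Path 2 the ACL entry stays meaningful only as long as the server trusts the issuer that asserted the principal; the model does not verify that trust, it only shows where the binding lives.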

> On Sep 5, 2024, at 9:48 AM, Chuck Lever III <chuck.lever@oracle.com> wrote:
> 
> 
>> On Aug 29, 2024, at 11:02 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
>> 
>> 
>> 
>> Hi Chuck,
>> 
>> The current state is available at:
>> 
>> https://github.com/kofemann/rpc-sec-oidc/blob/main/draft-tigran-nfsv4-rpcsecoidc.md
>> 
>> It is still quite raw, but indeed, if people comment, this will give me some guidelines and momentum.
> 
> Thanks for posting, Tigran! I will make some time in the next
> couple of weeks to study the draft.
> 
> 
> --
> Chuck Lever