MIME-Version: 1.0
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org>
 <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
In-Reply-To: <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sat, 17 Aug 2024 06:50:16 -0400
Message-ID: 
 <CADaq8je1QU+iQ+XtvHRY6AhMmVcV=aKPZ5Z0xMg7jNBBrRGsuw@mail.gmail.com>
To: Chris Inacio <inacio@cert.org>
Content-Type: multipart/alternative; boundary="0000000000000e2a73061fded8f5"
Message-ID-Hash: COO53RQJ2B3IFJWDVTADJSB3YITATA5K
CC: NFSv4 <nfsv4@ietf.org>,
 Chuck Lever III <chuck.lever=40oracle.com@dmarc.ietf.org>,
 nfsv4-chairs <nfsv4-chairs@ietf.org>
Precedence: list
Subject: =?utf-8?q?=5Bnfsv4=5D_Re=3A_Feedback_on_user_ID_for_any_bis_work?=
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/nfsv4/SFdYPyfkwO6c3BcrdRMs3YI3NE0>

--0000000000000e2a73061fded8f5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I want to respond to Chris's email, although Gmail has somehow swallowed it=
.

At the risk of contributing to an ongoing case of multiple personality
disorder =F0=9F=98=95,  Chris as wg member is alone on the To line,  while =
Chris, the
wg chair, is part of the cc list as a member of nfsv4-chairs.

I don't  have all that much to contribute to discussion of possible
authentication extensions but there are a few peripheral remarks below that
relate to Chris's email.


   - I believe Chris is right about the desirability of a discussion of
   this at a subsequent interim.  I think we need Chris wg-chair to schedul=
e
   an interim meeting.  Not clear who would lead the discussion if Chris di=
d
   not want to do it with his chair hat on but Chuck and Chris wg-member se=
em
   like likely candidates.
   - With regard to the suggestion that we might address this as part of
   the bis, I think this is not doable, given the need to bring this work t=
o
   closure.  If the wg can quickly arrive at some likely future direction,
   there is some preparatory work that could be done as part of the bis. I'=
m
   thinking we might define the uid/gid string as beginning with a preparat=
ory
   type:: and providing that future formats can be done as extensions in la=
ter
   extension documents.  The case in which there is no such type can be fix=
ed
   as it is now: either a numeric value or name@domain.
   - It appears to me that Chris's remarks about the confused state if the
   uid/gid string might reflect an earlier  version of the security spec.  =
As
   a result of Chris's earlier remarks, I  took some steps to clarify this.
   If those are not adequate, we can discuss that issue at the next interim=
,
   assuming it can be scheduled without undue angst.





On Fri, Aug 16, 2024, 12:26=E2=80=AFPM Chuck Lever III <chuck.lever=3D
40oracle.com@dmarc.ietf.org> wrote:

>
>
> > On Aug 16, 2024, at 11:39=E2=80=AFAM, Chris Inacio <inacio@cert.org> wr=
ote:
> >
> > Dave, All,
> >
> > INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
> >
> > We need this super brief conversation in one of the interim meetings
> about how user identity is communicated across NFSv4, and there are 2
> options, UID/GID =E2=80=98integer's and then loosely defined =E2=80=98str=
ing=E2=80=99.  So I=E2=80=99ve
> been digging into this and I would say, most definitely, do NOT remove th=
e
> string.  So what I can see so far, is that UID/GID numbers are used when
> auth =E2=80=98sys=E2=80=99 is the selected mechanism, where current the s=
tring is used when
> auth is tied to GSS-API.  As far as I can tell, the kerberos principal na=
me
> should be the string in the field.  I certainly don=E2=80=99t yet have a =
full
> understanding about how everything is connected together.  (Just sending
> the principal is nice and everything, but you want to be able to verify i=
t,
> and HOLY RAT HOLE ROBIN is that confusing in practice.)
> >
> > So, the thing I=E2=80=99m trying to make sense of, how hard would it be=
 to
> support TLS identities (X.509 certs really) instead of Kerberos.
>
> A perhaps subtle distinction here:
>
> The current RPC-with-TLS protocol uses x.509 explicitly only for
> authenticating
> network peers (ie, hosts). RFC 9289 even says "not for user
> authentication". So
> I think the term "TLS" here is probably misplaced.
>
> You instead want to invent a new RPC security flavor or flavors that
> authenticates
> users (or, dare I say it, to extend GSSAPI to handle this for us) via an
> x.509
> certificate, or OAuth, or such like. Nothing to do with transport layer
> security,
> which doesn't know from users.
>
>
> > That also opens a fairly different control domain.  Kerberos is well
> suited to local enterprise control.  You can do that with X.509, but
> really, my anecdotal experience says, X.509 certs for enterprise are too
> heavy a lift, but they=E2=80=99re the answer when you want a more global =
identity.
> That raises the question of target users of NFS protocol.  And if we=E2=
=80=99re (or
> maybe that=E2=80=99s just me doing it?) opening a wound there =E2=80=93 t=
hen maybe we want
> to be able to support authentication and authorization that is more cloud
> compatible, which is potentially more than X.509.
> >
> > These are just thoughts and feedback on some discussions.
> >
> > Chris
> >
> >
> > P.S.
> >
> > The complexity of auth is BONKERS!!!  So to kind of dig into this I hav=
e
> a freenas server running with ZFS as the backing store.  It=E2=80=99s the=
 FreeBSD
> variant 13.0 stream.  I then deployed an LDAP and Kerberos solution
> (freeipa on Fedora) to have that running on an RPi4.  (This is all in my
> house, by the way.) For clients, I have a _real_ menagerie of machines: M=
ac
> OS 14.6, RPi Raspbian, FreeBSD, and Win 11.  For fun, that means NFS
> versions running are:  Mac OS 14.0 - NFSv4.0, Raspbian/Linux NFSv4.2,
> FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3.  I can get most of the unixen to =
at
> least get a Kerberos user principal TGT.  Machine-to-machine, host
> principals are still a bit of a challenge.  The Windows machine seemingly
> would rather piss in my Cheerios than do what I want.  (What engineer whe=
re
> convinced their UI people to be able to give error messages as =E2=80=981=
450
> resource unavailable=E2=80=99 and then you need to type `net helpmsg 1450=
` to get
> an actual error message, which is completely useless anyway?  That person
> is either my hero or the devil.) And while Windows doesn=E2=80=99t want t=
o
> cooperate at all, the unixen management of authentication identities is i=
ts
> own entire disjoint universe!  =E2=80=98SSSD' on Linux, =E2=80=98nfsuserd=
' on FreeBSD, and
> I haven=E2=80=99t even tried to cross that bridge on Mac.  So I=E2=80=99m=
 still trying to
> get this collection of stuff to attempt to do full kerberos/gss-api
> negotiation on a mount.
> >
> >
> > Maybe this is why people run with auth sys!
>
> No "maybe" about it, this /is/ why people stick with auth_sys.
>
>
> --
> Chuck Lever
>
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
>

--0000000000000e2a73061fded8f5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"auto">I want to respond to Chris&#39;s email, =
although Gmail has somehow swallowed it.<div dir=3D"auto"><br></div><div di=
r=3D"auto">At the risk of contributing to an ongoing case of multiple perso=
nality disorder =F0=9F=98=95,=C2=A0 Chris as wg member is alone on the To l=
ine,=C2=A0 while Chris, the wg chair, is part of the cc list as a member of=
 nfsv4-chairs.</div><div dir=3D"auto"><br></div><div dir=3D"auto">I don&#39=
;t=C2=A0 have all that much to contribute to discussion of possible authent=
ication extensions but there are a few peripheral remarks below that relate=
 to Chris&#39;s email.</div><div dir=3D"auto"><br></div><div dir=3D"auto"><=
ul><li>I believe Chris is right about the desirability of a discussion of t=
his at a subsequent interim.=C2=A0 I think we need Chris wg-chair to schedu=
le an interim meeting.=C2=A0 Not clear who would lead the discussion if Chr=
is did not want to do it with his chair hat on but Chuck and Chris wg-membe=
r seem like likely candidates.</li><li>With regard to the suggestion that w=
e might address this as part of the bis, I think this is not doable, given =
the need to bring this work to closure.=C2=A0 If the wg can quickly arrive =
at some likely future direction, there is some preparatory work that could =
be done as part of the bis. I&#39;m thinking we might define the uid/gid st=
ring as beginning with a preparatory type:: and providing that future forma=
ts can be done as extensions in later extension documents.=C2=A0 The case i=
n which there is no such type can be fixed as it is now: either a numeric v=
alue or name@domain.</li><li>It appears to me that Chris&#39;s remarks abou=
t the confused state if the uid/gid string might reflect an earlier=C2=A0 v=
ersion of the security spec.=C2=A0 As a result of Chris&#39;s earlier remar=
ks, I=C2=A0 took some steps to clarify this.=C2=A0 If those are not adequat=
e, we can discuss that issue at the next interim, assuming it can be schedu=
led without undue angst.</li></ul></div><div dir=3D"auto"><div dir=3D"auto"=
><br></div><div dir=3D"auto"><br><div dir=3D"auto"><br></div></div></div></=
div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_at=
tr">On Fri, Aug 16, 2024, 12:26=E2=80=AFPM Chuck Lever III &lt;chuck.lever=
=3D<a href=3D"mailto:40oracle.com@dmarc.ietf.org" rel=3D"noreferrer norefer=
rer noreferrer" target=3D"_blank">40oracle.com@dmarc.ietf.org</a>&gt; wrote=
:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.=
8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
&gt; On Aug 16, 2024, at 11:39=E2=80=AFAM, Chris Inacio &lt;<a href=3D"mail=
to:inacio@cert.org" rel=3D"noreferrer noreferrer noreferrer noreferrer" tar=
get=3D"_blank">inacio@cert.org</a>&gt; wrote:<br>
&gt; <br>
&gt; Dave, All,<br>
&gt; <br>
&gt; INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR<br>
&gt; <br>
&gt; We need this super brief conversation in one of the interim meetings a=
bout how user identity is communicated across NFSv4, and there are 2 option=
s, UID/GID =E2=80=98integer&#39;s and then loosely defined =E2=80=98string=
=E2=80=99.=C2=A0 So I=E2=80=99ve been digging into this and I would say, mo=
st definitely, do NOT remove the string.=C2=A0 So what I can see so far, is=
 that UID/GID numbers are used when auth =E2=80=98sys=E2=80=99 is the selec=
ted mechanism, where current the string is used when auth is tied to GSS-AP=
I.=C2=A0 As far as I can tell, the kerberos principal name should be the st=
ring in the field.=C2=A0 I certainly don=E2=80=99t yet have a full understa=
nding about how everything is connected together.=C2=A0 (Just sending the p=
rincipal is nice and everything, but you want to be able to verify it, and =
HOLY RAT HOLE ROBIN is that confusing in practice.)<br>
&gt; <br>
&gt; So, the thing I=E2=80=99m trying to make sense of, how hard would it b=
e to support TLS identities (X.509 certs really) instead of Kerberos.<br>
<br>
A perhaps subtle distinction here:<br>
<br>
The current RPC-with-TLS protocol uses x.509 explicitly only for authentica=
ting<br>
network peers (ie, hosts). RFC 9289 even says &quot;not for user authentica=
tion&quot;. So<br>
I think the term &quot;TLS&quot; here is probably misplaced.<br>
<br>
You instead want to invent a new RPC security flavor or flavors that authen=
ticates<br>
users (or, dare I say it, to extend GSSAPI to handle this for us) via an x.=
509<br>
certificate, or OAuth, or such like. Nothing to do with transport layer sec=
urity,<br>
which doesn&#39;t know from users.<br>
<br>
<br>
&gt; That also opens a fairly different control domain.=C2=A0 Kerberos is w=
ell suited to local enterprise control.=C2=A0 You can do that with X.509, b=
ut really, my anecdotal experience says, X.509 certs for enterprise are too=
 heavy a lift, but they=E2=80=99re the answer when you want a more global i=
dentity.=C2=A0 That raises the question of target users of NFS protocol.=C2=
=A0 And if we=E2=80=99re (or maybe that=E2=80=99s just me doing it?) openin=
g a wound there =E2=80=93 then maybe we want to be able to support authenti=
cation and authorization that is more cloud compatible, which is potentiall=
y more than X.509.<br>
&gt; <br>
&gt; These are just thoughts and feedback on some discussions.<br>
&gt; <br>
&gt; Chris<br>
&gt; <br>
&gt; <br>
&gt; P.S.<br>
&gt; <br>
&gt; The complexity of auth is BONKERS!!!=C2=A0 So to kind of dig into this=
 I have a freenas server running with ZFS as the backing store.=C2=A0 It=E2=
=80=99s the FreeBSD variant 13.0 stream.=C2=A0 I then deployed an LDAP and =
Kerberos solution (freeipa on Fedora) to have that running on an RPi4.=C2=
=A0 (This is all in my house, by the way.) For clients, I have a _real_ men=
agerie of machines: Mac OS 14.6, RPi Raspbian, FreeBSD, and Win 11.=C2=A0 F=
or fun, that means NFS versions running are:=C2=A0 Mac OS 14.0 - NFSv4.0, R=
aspbian/Linux NFSv4.2, FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3.=C2=A0 I can =
get most of the unixen to at least get a Kerberos user principal TGT.=C2=A0=
 Machine-to-machine, host principals are still a bit of a challenge.=C2=A0 =
The Windows machine seemingly would rather piss in my Cheerios than do what=
 I want.=C2=A0 (What engineer where convinced their UI people to be able to=
 give error messages as =E2=80=981450 resource unavailable=E2=80=99 and the=
n you need to type `net helpmsg 1450` to get an actual error message, which=
 is completely useless anyway?=C2=A0 That person is either my hero or the d=
evil.) And while Windows doesn=E2=80=99t want to cooperate at all, the unix=
en management of authentication identities is its own entire disjoint unive=
rse!=C2=A0 =E2=80=98SSSD&#39; on Linux, =E2=80=98nfsuserd&#39; on FreeBSD, =
and I haven=E2=80=99t even tried to cross that bridge on Mac.=C2=A0 So I=E2=
=80=99m still trying to get this collection of stuff to attempt to do full =
kerberos/gss-api negotiation on a mount.<br>
&gt; <br>
&gt; <br>
&gt; Maybe this is why people run with auth sys!<br>
<br>
No &quot;maybe&quot; about it, this /is/ why people stick with auth_sys.<br=
>
<br>
<br>
--<br>
Chuck Lever<br>
<br>
<br>
_______________________________________________<br>
nfsv4 mailing list -- <a href=3D"mailto:nfsv4@ietf.org" rel=3D"noreferrer n=
oreferrer noreferrer noreferrer" target=3D"_blank">nfsv4@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:nfsv4-leave@ietf.org" rel=
=3D"noreferrer noreferrer noreferrer noreferrer" target=3D"_blank">nfsv4-le=
ave@ietf.org</a><br>
</blockquote></div>

--0000000000000e2a73061fded8f5--