IETF Logo Mail Archive

[nfsv4] Re: Interim meeting agenda topics

Rick Macklem <rick.macklem@gmail.com> Mon, 09 September 2024 22:02 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9475EC1D4A8F for <nfsv4@ietfa.amsl.com>; Mon, 9 Sep 2024 15:02:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hjljHjALF9B for <nfsv4@ietfa.amsl.com>; Mon, 9 Sep 2024 15:02:22 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1A9DC1D4A6E for <nfsv4@ietf.org>; Mon, 9 Sep 2024 15:02:21 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-3787e067230so3025792f8f.1 for <nfsv4@ietf.org>; Mon, 09 Sep 2024 15:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725919340; x=1726524140; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=1FcTL3hRhCB2NfLtjTfGQGW4q8RthSriMs/v114gVCE=; b=i7ddQIg/1FlbovQ80slQVoBDIvjUzjPehQLBFTlZxRqLxqDHL7BoDk0SYsGZo/qmBR yVuEzVrD+hXA58xSi5Ma7AZDxhel4eJQRYZzcrtPVjYhcuHPNoILAkkn+h0Q5hJezjos Mil8h1T8PXYj+dcgOtgoUVmjROCQeQQrnCP/YBUWVqvF8267m+fFDgbcB2SRpFh7GFdD 5vq1Atcedk5x4NxF/lzvw0aoniMRbOQVmAzjaL4yZ8+TnFoQ4jfaWW9gqAP0YS05T9z0 q8RA622JtCaife3qX6VeqtVKGeKBlPuoKC+bqErMQs2og7v46a2iOu7WmnZTQDXNVqO4 F27w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725919340; x=1726524140; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1FcTL3hRhCB2NfLtjTfGQGW4q8RthSriMs/v114gVCE=; b=QhLLKy/STW5vHrC+BoZN72wje4op3wE+uJlEoh4b9xNR9+IeA0r/9M7bTBTJ7oQPTj DTm/DRAhxWixwZRHQUGSWgUrmA4wRm7l9Lhk4saBzDAcx0OdbXyoJ/UEJUtgGb9U1PiQ 5lguzhrTGD7UkMBwq0+3r7x2vAWFgx21rnfGGQQR5vc/HionoK4pXP9gtCB7j999WnkN gbT5iP2OYYrQfyyv17jP62Ziito5eTUalqChoM1SChtu6ebhSlOZsrkaCmL9eHP+2l4F Gj806Omy2S2DwD3lJHeLwCnahB5GofUJh+Bamyvff1nb2o/N4nH4TjjahuX31j8AVsPj xjOQ==
X-Forwarded-Encrypted: i=1; AJvYcCW/t5mW4l8qXeguH0KX7FZnLkBCxjYJLCUoUB1Kuq7GbX5TXV1C6839HJgxMvSLEI5kKT53Cw==@ietf.org
X-Gm-Message-State: AOJu0YzO6cgqOypbCjCkctK2ViAUsjolc0hOPvmKFBPbaTfK52QUkmpr nyN6UI4b8BLeY6zZPKxuYd395wBZ6BUhAWR65Qb+ObvT8ydrR7QnNKWB0Ckkz0Mo7zL48WPjCWd ejgzPF0WellogPoMQbr+MxgLtOIFdid0Erw==
X-Google-Smtp-Source: AGHT+IENkMZV3wxng8SSMapSxabp7DVxcZVoTLCGumWswXsWcgKLoukfLi9Ooa6K3xvXrFP3FIJsMXQIMWZkqcrck7M=
X-Received: by 2002:adf:a312:0:b0:374:ce9a:ff11 with SMTP id ffacd0b85a97d-378896795c1mr7403424f8f.50.1725919339804; Mon, 09 Sep 2024 15:02:19 -0700 (PDT)
MIME-Version: 1.0
References: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org> <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com> <CADaq8jey55znu5J1amhRj6F5uwoE=hO81ghEqZtrnsVw=_N5Pw@mail.gmail.com> <20240908163411.e2vobyl7yhaz6sdt@pali> <CAM5tNy601LJAW2q98ntkiWKDriVXbOchmY0VsNqy=Qye3d9Luw@mail.gmail.com> <CADaq8jdPDWWHNZpqw7fPubXbaH9YZahuCcOj84+b9=k3y9Z5zg@mail.gmail.com> <20240909081448.hyuald3xhz3ctmpc@pali>
In-Reply-To: <20240909081448.hyuald3xhz3ctmpc@pali>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Mon, 09 Sep 2024 15:02:09 -0700
Message-ID: <CAM5tNy66amiLB2Xnf_dYkNiyDe1QATQ=tcuqzemdjOzQGJyqqw@mail.gmail.com>
To: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: VFSMVUV2DEOXWH73HKTKLNUEJU55LFSG
X-Message-ID-Hash: VFSMVUV2DEOXWH73HKTKLNUEJU55LFSG
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Interim meeting agenda topics
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/T1sOxd3sZ0vMUmIETniLsp2eiRM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Mon, Sep 9, 2024 at 1:14 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> wrote:
>
> On Sunday 08 September 2024 19:24:27 David Noveck wrote:
> > On Sun, Sep 8, 2024, 6:12 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> >
> > > On Sun, Sep 8, 2024 at 9:34 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
> > > wrote:
> > > >
> > > > On Sunday 08 September 2024 12:05:54 David Noveck wrote:
> > > > > On Fri, Sep 6, 2024, 4:35 PM Rick Macklem <rick.macklem@gmail.com>
> > > wrote:
> > > > > > What is left to be resolved / is controversial on the POSIX_ACL
> > > draft?
> > > > >
> > > > > Nothing from my point of view.  I don't know of any issues Rick has.
> > >  It
> > > > > is reasonable to expect that anyone who does have issues to raise them
> > > on
> > > > > the list.   We may need to confirm the non-existence of such issues at
> > > the
> > > > > forthcoming interim meeting.  I think we should allocate five minutes
> > > for
> > > > > this.
> > > >
> > > > Hello, I have already pointed one issue on the list - problem with mode
> > > > attribute (two meaning modes: NFS4 and POSIX) and its backward/forward
> > > > compatibility on existing NFS4 servers for clients without POSIX ACL
> > > > extension.
> > > I'll admit I just do not understand what you are thinking.
> > >
> >
> > My response is the same.  I guess we need to discuss this at the next
> > interim meeting.
>
> Sorry for that, I was not clear enough. Model is fine, POSIX ACL
> extension and POSIX ACL attributes are fine too.
>
> My point was about existing NFS4 attributes 33 (mode) and 74 (mode_set_masked).
> Meaning of these NFS4 mode attributes (in both NFS4.0 and NFS4.1/NFS4.2) is
> slightly different than what IEEE POSIX ACL draft requires.
>
> It is similar to the issue that NFS4 ACL attributes 12, 58 and 59 are
> different than IEEE POSIX ACL. And this was solved in extension document
> by allocating a new attributes which would serve POSIX ACL structures.
>
> In my personal opinion, the best would be if also for POSIX ACL mode
> would be allocated new attribute, in exactly same way as was added POSIX
> ACL attributes. So it would be present only if file has POSIX true ACL
> form. And let existing attribute 33 for its original meaning (from
> RFC8881) independently of what is the true form.

For the most part, I agree with what David said.

I will admit that this sentence in RFC8881 Sec. 6.2.4 could be construed
as misleading when the server has a extended POSIX draft ACL stored
on the file object on the server.
   Bits MODE4_RGRP, MODE4_WGRP, and
   MODE4_XGRP apply to principals identified in the owner_group
   attribute but who are not identified in the owner attribute.
However, since this sentence doesn't say "only applies to principals"
and does not describe how they apply to the principals in the owner_group,
I would argue it is sufficiently vague such that it still applies to
the above case,
where there is a POSIX draft extended ACL on the file object on the server.

Further, I think it is clear that a NFSv4 client should not try and
interpret the
semantics of mode.  It should use a Access operation to determine permission.

rick

>
> > For the proposal, at any one moment in time, a file object on the server
> > > will have, at most, one "true form" ACL. (Where "true form" is the ACL
> > > that is stored for the file object and used to determine access to the
> > > file.)
> > >
> >
> > The treatment in the latest acl draft is consistent with that model.  It
> > provides for extensions such as yours, which define additional ACL models
> > with the assumption being that there will be at most one ACL model in
> > effect for any fike system object at any time.  The job of defining new ACL
> > models is left to extensions as such as yours.
> >
> > >
> > > As such, I cannot understand why you would think there are two modes?
> > > (Where "mode" refers to the low order 9 bits of the mode attribute.)
> > >
> > > The interaction between setting of the low order 9 bits of mode and the
> > > setting of an ACL is determined by which "true form" the ACL has.
> > >
> >
> > Yes.  According to the latest ACL draft, the job of defininin those
> > interactions in job of the acl document only when the ACL model in effect
> > for that object I'd the NFSv4 ACL model.  When it is any other ACL model,
> > it is the job of the standards-track extension defining that new ACL
> > model.
> >
> > >
> > > For the weird case where a SETATTR is allowed to set an ACL of the
> > > other "true form" for a file object, the mode bits will be updated the
> > > same way as they would be if that ACL was set for the file object at
> > > any other time (ie. no previous ACL or a previous ACL of the same "true
> > > form"
> > >
> >
> > Agree. Although you describe this case as wierd, I cannot disagree but have
> > to point out that this is much less weird than a number of presidential
> > candidates :-)
> >
> > >
> > > W.r.t. clients that do not support the extension...
> > > These clients might set the mode bits and the effect would be no
> > > different than what occurs now.
> > > --> For a server that uses a "true form" of POSIX draft ACL, that
> > >      ACL might change, just as would happen now. It's just that the client
> > >      cannot actually "see" the ACL.
> > >
> > > W.r.t. servers that do not support the extension...
> > > The attributes will not be in the supported_attrs list and any
> > > attempt to GET/SET them should fail.
> > >
> > > rick
> > >
>
> The problem is with existing server which via MODE4_RGRP, MODE4_WGRP and
> MODE4_XGRP controls permissions of the OWNER_GROUP-only (per RFC8881).
> So changing these bits never affects principals with kerberos ticket
> which does not contain OWNER_GROUP in it. Clients using this NFS4 server
> can have a contract that this would always apply as a security thing.
>
> Now, if the existing server implements POSIX ACL extension then for
> files which are in POSIX ACL true form would have to change meaning of
> MODE4_RGRP, MODE4_WGRP and MODE4_XGRP bits. This server can serve data
> to both new POSIX clients (which will implement this extension) and also
> to clients from previous paragraph (without POSIX extension). So the
> NFS4 POSIX client with the POSIX extension (e.g. Linux or FreeBSD) can
> set ACL on new (or existing) file (ACL for more ACL_USER and ACL_GROUP),
> and server will automatically change true acl from from NFS4 to POSIX.
> All this is fine. The problem happens now when the non-POSIX NFS4 client
> from previous paragraph wants to just change permissions for users
> affected by primary group. So this client from previous paragraph per
> contract arguments will just change MODE4_*GRP bits and it will expect
> that this change does not affect permissions of other users. But in
> reality it will change access to everybody except ACL_USER_OBJ and
> ACL_OTHER, per IEEE ACL draft (as MODE4_*GRP controls MASK). And this
> will break the contract for existing clients from previous paragraph.
>
> So if these existing servers do not want to break contract with existing
> non-POSIX NFS4 clients then they either are disallowed to implement
> POSIX ACL extension. Or they would have to somehow figure out if the
> connected client is POSIX-compatible or is not with this POSIX
> extension. For server one option could be to inspect OP_EXCHANGE_ID
> request (client put there its identification) and based on this the
> server can "detect" if the client is POSIX or not, and "process"
> attribute 33 in different way for POSIX and non-POSIX clients.
>
> Now if I'm looking at this, the best for these scenarios can be to
> separate POSIX ACL mode bits into new NFS4 attribute. So existing NFS4
> clients can use attribute 33 as before, server would process attribute
> 33 always as before (so server can MODE4_*GRP map just to group owner,
> not to mask). And for files in ACL true form there would be new
> attribute and POSIX client with this extension would know that the
> MODE4_*GRP of this new attribute would be MASK (if the POSIX ACL has
> MASK entry). This would allow for existing servers to have coexistence
> with existing non-POSIX NFS4 clients, new POSIX NFS4 clients with
> extension. And also would allow servers to continue serving in attribute
> 33 what was there before, independently of the true ACL form. Like for
> attribute 12, where server can provide POSIX-MAPPED-to-NFS4 form.
>
> Hopefully, this is more clear what I mean about forward and backward
> compatibility.
>
> Anyway, it is up to you. I'm just trying to show some examples of the
> real issues and solution for it, to prevent future problems.

v2.39.1 | Report a Bug | By Email | System Status