[nfsv4] Re: Mail regarding draft-dnoveck-nfsv4-acls

Rick Macklem <rick.macklem@gmail.com> Tue, 21 May 2024 15:23 UTC

From: Rick Macklem <rick.macklem@gmail.com>
Date: Tue, 21 May 2024 08:23:10 -0700
Message-ID: <CAM5tNy5KYThxhik+xb3Mm0XLxZ86S97if5bUwSG1C1DZDh2qmQ@mail.gmail.com>
To: Chris Inacio <inacio@cert.org>
CC: "draft-dnoveck-nfsv4-acls@ietf.org" <draft-dnoveck-nfsv4-acls@ietf.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/UaUEYCIKNb8bHE5mA0GuFTvWNcs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>

On Mon, May 20, 2024 at 9:05 PM Chris Inacio <inacio@cert.org> wrote:
>
> Dave,
>
> I’m not as far as I want to be reading through this, but I have some questions.  First, help me do my homework some (it’s going slowly for me to read this); where are SACL and DACL defined?  (I have to read up on a lot of things you’re referencing in the ACL doc as I go.)  I’m only 1/3 through reading, but I’ve skimmed a lot more of the document; please forgive me if I haven’t made it far enough and my questions are covered later in the document.
>
> Second, reading the PSARC description of how ZFS did ACLs, there is mention of ACEs for “owner” and “group” per normal POSIX filesystems; but then entries are also created for “owner@”, “group@”, and “everyone@”.  Adding these ACEs, according to the somewhat dated doc, really seemed to help with Windows/SMB and Unix/NFS interoperability.  I also noticed that this is discussed in the NetApp ONTAP implementation report.
>
> Could this be related to NetApp filers generally not having local filesystem access; e.g. no one is `chmod`ing permissions/ACLs locally on NetApp filers?
>
> I’m torn between the very simple approach from the PSARC reference and your more complete approach.  It isn’t clear to me that they are in any way exclusive of one another.  In fact, as far as I can tell, it might be enough to say, by default, entries exist for those labels for each object.
Just fyi, I did some of the simple examples in the PSARC reference and
did find one difference between FreeBSD and the document. (I think
FreeBSD gets this correct, since the POSIX "w" bit refers to both write
and append.) For the mode 477 example, FreeBSD has the "p" (append_data)
set for the deny ACEs:

Mode 477 file.1
owner@:-wxp--------:-----:deny
group@:-wxp--------:-----: deny
(whereas the example in the PSARC doc. does not have the "p" flag.)

Kinda trivial, but important if stuff from the PSARC doc. goes into this draft.

rick
ps: I am also slowly working through the draft, but do not really have
any comments yet.

>
> Thanks
> Chris
>
> (PSARC reference on the NFSv4 mailing list: https://mailarchive.ietf.org/arch/msg/nfsv4/U-yLqp0MiCyFp7kgGfooLAyCQQQ/)
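To make the write/append point concrete, here is an added example (not code from this thread, from FreeBSD or from ZFS) that derives the "trivial" NFSv4 ACL a POSIX mode implies and renders it in a getfacl-like compact form. It assumes the ZFS/FreeBSD-style rule (deny ACEs first for bits a principal lacks that a later allow would grant) and omits the ACE flags field, so it is a simplification rather than the exact listing quoted above; the names rwx_to_mask, trivial_acl and format_ace are the example's own.

```python
from typing import List, Tuple

# NFSv4 ACE access-mask bits (RFC 8881, section 6.2.1.3.1).
READ_DATA, WRITE_DATA, APPEND_DATA, READ_NAMED_ATTRS = 0x1, 0x2, 0x4, 0x8
WRITE_NAMED_ATTRS, EXECUTE, DELETE_CHILD, READ_ATTRIBUTES = 0x10, 0x20, 0x40, 0x80
WRITE_ATTRIBUTES, DELETE, READ_ACL, WRITE_ACL = 0x100, 0x10000, 0x20000, 0x40000
WRITE_OWNER, SYNCHRONIZE = 0x80000, 0x100000
# Compact letters in "rwxpDdaARWcCos" order (getfacl-style rendering, assumed here).
COMPACT = list(zip("rwxpDdaARWcCos", [READ_DATA, WRITE_DATA, EXECUTE, APPEND_DATA,
    DELETE_CHILD, DELETE, READ_ATTRIBUTES, WRITE_ATTRIBUTES, READ_NAMED_ATTRS,
    WRITE_NAMED_ATTRS, READ_ACL, WRITE_ACL, WRITE_OWNER, SYNCHRONIZE]))
Ace = Tuple[str, int, str]  # (who, access mask, "allow" or "deny")

def rwx_to_mask(rwx: int) -> int:
    # POSIX "w" covers overwrite and append, so it must become write_data AND
    # append_data; emitting "w" without "p" is the discrepancy the mail points out.
    mask = READ_DATA if rwx & 4 else 0
    if rwx & 2:
        mask |= WRITE_DATA | APPEND_DATA
    if rwx & 1:
        mask |= EXECUTE
    return mask

def trivial_acl(mode: int) -> List[Ace]:
    # Trivial ACL implied by a POSIX mode (ZFS/FreeBSD-style rule, assumed).
    base = READ_ACL | READ_ATTRIBUTES | READ_NAMED_ATTRS | SYNCHRONIZE
    owner = base | WRITE_ACL | WRITE_OWNER | WRITE_ATTRIBUTES | WRITE_NAMED_ATTRS \
        | rwx_to_mask((mode >> 6) & 7)
    group = base | rwx_to_mask((mode >> 3) & 7)
    everyone = base | rwx_to_mask(mode & 7)
    # ACEs are evaluated in order, so anything a principal lacks that a later
    # allow ACE would grant it (as group member or as everyone) is denied first.
    owner_deny = (group | everyone) & ~owner
    group_deny = everyone & ~group
    aces: List[Ace] = []
    if group_deny & ~owner_deny:   # owner may be a group member: keep its rights
        aces.append(("owner@", group_deny & ~owner_deny, "allow"))
    if owner_deny:
        aces.append(("owner@", owner_deny, "deny"))
    if group_deny:
        aces.append(("group@", group_deny, "deny"))
    return aces + [("owner@", owner, "allow"), ("group@", group, "allow"),
                   ("everyone@", everyone, "allow")]

def format_ace(ace: Ace) -> str:
    # who:perms:type, e.g. owner@:-wxp----------:deny (ACE flags field omitted)
    who, mask, kind = ace
    return f"{who}:{''.join(c if mask & b else '-' for c, b in COMPACT)}:{kind}"
```

Running `for ace in trivial_acl(0o477): print(format_ace(ace))` shows the owner@ deny entry carrying "p" alongside "w" and "x", which is the behaviour the mail describes FreeBSD as having.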