[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-04
Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> Sun, 18 August 2024 07:28 UTC
Return-Path: <pali-ietf-nfsv4@ietf.pali.im>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF065C14F69A for <nfsv4@ietfa.amsl.com>; Sun, 18 Aug 2024 00:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pali.im
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9-CglEXYJVIL for <nfsv4@ietfa.amsl.com>; Sun, 18 Aug 2024 00:28:02 -0700 (PDT)
Received: from pali.im (mail.pali.im [IPv6:2a02:2b88:6:5cc6::2a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6BAFC14F5E5 for <nfsv4@ietf.org>; Sun, 18 Aug 2024 00:28:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pali.im; s=mail; t=1723966077; i=@pali.im; bh=kpOoRpoztc4dkLvfB4SBNnp1rkwl6QPz4X091n7KKkU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=FFZ3H6b5ot74C9lRvPRfZlm5aWWEInDAeEWB3ZpARKO97/yR1CeskD1QkePx7E8zK Uybm9ZCh17UioEjOSV2iwhKlw7YEbn5mHTMCJKfgShtPag8Uyf8ZU5mwJwGJ2+EM5I zLXt/PYLQ2VaJQKw5xL+KzCdf5yNEKqJjsYKcdzabFsYX594Ds85shI2Pqj460WPnu bcAPLWwzCoGzfFFbgoo04X+GUiUxm3y8Qu3xftxQyC2s+RF5oW1DkVgDm5DzGdFKx3 H/QzR7soFQ7sj5yQWBAasLF6cMuQpoDxfpAIYWInxjJHaKI/Gxui9AntTddQp+v68T AaZiIvK14dR4g==
Received: by pali.im (Postfix) id 3EE427D5; Sun, 18 Aug 2024 09:27:57 +0200 (CEST)
Date: Sun, 18 Aug 2024 09:27:57 +0200
From: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
To: David Noveck <davenoveck@gmail.com>
Message-ID: <20240818072757.pn2ugaakismjfykd@pali>
References: <CAM5tNy4fo=8wzbM8qbRwtiPycSLTKPd7sVaBQZk72zZDJyq93Q@mail.gmail.com> <20240810223629.dukpymniqn3uy2s6@pali> <CAM5tNy6+XHApuCu=N6RKLTgWToU7JQpp4QTxV9T2EE_dJQcGsQ@mail.gmail.com> <20240811101105.iuiyk7ygelhs7crv@pali> <CAM5tNy412=y44uFNLet0_Q6gZRKu4bOKF_Q0dGfO0v7sqf-U1A@mail.gmail.com> <20240812181732.nylecnp6lyrishgg@pali> <CAM5tNy60R69+ky3FaJ5guMYRhdY-A1_7qn4+5RzWtv8J+W0aaQ@mail.gmail.com> <20240817194734.ozzhrppu2psrka6k@pali> <CAM5tNy6cXogDyrYWkjBvek+M0tBn_4pVe=+ZC930Syw51ueboA@mail.gmail.com> <CADaq8jfxqW8RHBQ9nGtKTPV16+WRJDQYQ1G_FzQL+yX_O4B3pA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADaq8jfxqW8RHBQ9nGtKTPV16+WRJDQYQ1G_FzQL+yX_O4B3pA@mail.gmail.com>
User-Agent: NeoMutt/20180716
Message-ID-Hash: 2NFHBTTDS7AASG4AEXI6NGVPATKP2O6N
X-Message-ID-Hash: 2NFHBTTDS7AASG4AEXI6NGVPATKP2O6N
X-MailFrom: pali-ietf-nfsv4@ietf.pali.im
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-04
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/XD_UTb8bojhemfAh1sqCxVLt2lw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Saturday 17 August 2024 19:03:36 David Noveck wrote: > On Sat, Aug 17, 2024, 6:28 PM Rick Macklem <rick.macklem@gmail.com> wrote: > > > > > > > On Sat, Aug 17, 2024 at 12:47 PM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> > > wrote: > > > >> On Monday 12 August 2024 18:03:09 Rick Macklem wrote: > >> > I am only going to make a few generic statements... > >> > >> Ok, if you have a time, try to look at my comments from previous > >> message. I would like to know if my ideas at least makes some sense or > >> how hard would be to design this NFS4 POSIX ACL extension compatible > >> with NFS4 servers with any possible RFC 8881 compatible meaning of > >> "mode" attribute. > >> > >> Or if it is not clear, I could try to show it on more / other examples. > >> > >> > Before I started writing this draft, I prototyped > >> > the posix_access_acl/posix_default_acl in FreeBSD. > >> > Both client and server changes took about 3hrs. > >> > Why was it so easy? > >> > Because all of the stuff related to POSIX draft ACL > >> > semantics was already there. Handling of mode vs POSIX > >> > draft ACL was already there. > >> > --> All I had to do was translate between the XDR format > >> > and FreeBSD's internal format for a POSIX draft ACL. > >> > By using a file system configured to use POSIX draft ACLs > >> > for testing, that was all there was to it. > >> > > >> > What I cannot easily do is change any of the POSIX draft ACL > >> > semantics, including how mode vs ACL are handled. Those are in > >> > functions written by others at least 15years ago and trying > >> > to change the semantics in any way would get serious pushback. > >> > > >> > I am not conversant with the Linux sources, but I suspect > >> > that the situation is similar. > >> > > >> > I have trouble understanding your concerns w.r.t. mode for > >> > a couple of reasons: > >> > 1 - A NFSv4 client just sets/gets the mode bits. How setting > >> > them affects ACLs and vice versa, are handled internally > >> > by the server. > >> > >> Yes, it is handled by server and server is relatively free to choose one > >> of the option what to do with it. But IEEE POSIX ACL does not allow to > >> choose more options how to handle it. > >> > >> > 2 - Right now, there may some words in RFC8881 related to > >> > NFSv4 ACLs vs mode bits, but in the end, it is whatever > >> > the server implementation chooses to do. > >> > >> Yes, this is the primary problem related to mode as I detailed > >> described. Servers can chose and existing servers have already chosen > >> one of the option how to handle it. And if server implementation has > >> chosen option incompatible with IEEE POSIX ACL draft then such server > >> cannot implement this NFS4 POSIX ACL extension if backward compatibility > >> is priority of the server. > >> > > When I first started working on this draft, I assumed that a file system > > would choose to do POSIX draft ACLs or it would choose to do NFSv4 ACLs. > > As such, the file system would maintain mode based on which it chose. > > (Or, put another way, the mode vs ACL algorithms will be different for > > the different true form ACLs.) > > > > Then David Noveck indicated that he thought a "per-file object" scope > > was useful (and Frank Filz noted that IBM's GPFS could do this already). > > I would like to know how IBM's GPFS handles mode when the true form > > ACL (lets say NFSv4) is replaced by a POSIX draft ACL? > > (I'd guess that the mode gets set to whatever the POSIX draft ACL requires, > > > > Yes. > > essentially replacing both mode and ACL at the same time, but I do not > > know.) > > > > "at the same time" suggests atomicity. I'm not sure the draft POSIX ACLs > requires that, bit if it does, you have to do the same. > > > > > Now, if you meant the mode would be replaced when you talked about "two > > modes" > > then, yes, I would agree. > > > > David, do you have an opinion w.r.t. what should happen to mode when a ACL > > of one true form is replaced by an ACL of the other true form for a file > > object? > > > > Yes. The mode should be that required by the new true to reflect the new > ACL. I don't see how you could do anything else. What else can be done? I proposed an idea to introduce attribute "posix_mode" which would refers to the mode of true POSIX ACL form. And let _second_ mode (NFS4 "mode" attribute) as is, so it can be anything which RFC 8881 currently allows (including any of those 4 ZFS modes, or anything what other NFS4 servers currently reports in "mode" attr). So NFS4 POSIX ACL client on files in true POSIX ACL would use "posix_mode" attribute. In the same way as NFS4 POSIX ACL client has to use "posix_access_acl" instead of "dacl"/"acl" attributes. > > > rick > > > > > >> If server implementation already chosen option fully compatible with > >> IEEE POSIX ALC draft (which I guess is the case of Linux and FreeBSD > >> servers) then implementation of NFS4 POSIX ACL extension is > >> straightforward. > >> > >> > For OpenZFS, there is a knob (they call them properties) > >> > called "aclmode". It controls what happens when either > >> > a NFSv4 ACL is set or the 9 bits of mode is set. > >> > The knob currently has 4 possible settings. > >> > Does any of these four settings conform to the > >> > vague requirements in RFC8881? I am not sure, but again, > >> > changing those semantics now would not be easy. (Maybe > >> > yet another knob setting?) > >> > (If you google for "man zfsprops", you can read what they are.) > >> > >> I looked at it. I think that all four options are "compatible" with NFS4 > >> server according to RFC 8881. Just because RFC 8881 allows server to do > >> lot of options. > >> > > > 🤢 > > > >> On the other hand, IEEE POSIX ACL draft is exact and strict how chmod > >> modifies (POSIX) ACL. > >> > >> > The case my prototype does not implement is the per file object scope > >> > case (ACL_SCOPE_FILE_OBJECT), because no file system on FreeBSD can > >> > do NFSv4 and POSIX draft ACLs on the same file system. > >> > > >> > Btw, if there is a server implementor that wants to implement > >> > posix_access_acl/posix_default_acl and the system they are working > >> > on does not have a POSIX draft ACL implementation, there are at > >> > least 3 open source implementations (with different licenses) they > >> > can work from, plus the Grunbacher paper. > >> > >> I guess that this would apply for industry environment where is mainly > >> used Windows-style/NFS4 ACLs. > >> > >> > rick > >> > > >> > > >> > On Mon, Aug 12, 2024 at 11:17 AM Pali Rohár < > >> pali-ietf-nfsv4@ietf.pali.im> > >> > wrote: > >> > > >> > > On Sunday 11 August 2024 17:09:44 Rick Macklem wrote: > >> > > > On Sun, Aug 11, 2024 at 3:11 AM Pali Rohár < > >> pali-ietf-nfsv4@ietf.pali.im > >> > > > > >> > > > wrote: > >> > > > > >> > > > > On Saturday 10 August 2024 16:54:39 Rick Macklem wrote: > >> > > > > > On Sat, Aug 10, 2024 at 3:36 PM Pali Rohár < > >> > > pali-ietf-nfsv4@ietf.pali.im > >> > > > > > > >> > > > > > wrote: > >> > > > > > > >> > > > > > > On Saturday 10 August 2024 13:55:36 Rick Macklem wrote: > >> > > > > > > > I have updated the draft to -05. I think I have > >> > > > > > > > addressed your comments. > >> > > > > > > > > >> > > > > > > > A few inline responses below. > >> > > > > > > > > >> > > > > > > > On Fri, Aug 9, 2024 at 5:31 PM Pali Rohár < > >> > > > > pali-ietf-nfsv4@ietf.pali.im> > >> > > > > > > > wrote: > >> > > > > > > > > >> > > > > > > > > Hello Rick, > >> > > > > > > > > > >> > > > > > > > > I have read your new version -04 of extension document > >> and just > >> > > > > now I > >> > > > > > > > > have figured out some new things there. > >> > > > > > > > > > >> > > > > > > > > For better readability I have one small suggestion for > >> section > >> > > 9. > >> > > > > > > > > In description of each attribute could be list of all > >> possible > >> > > > > values. > >> > > > > > > > > Currently the possible values are defined only in XDR > >> section > >> > > 4. > >> > > > > And it > >> > > > > > > > > is quite hard for me to read this section 9, because I > >> need to > >> > > > > scroll > >> > > > > > > up > >> > > > > > > > > (to read list of possible values) and then back down to > >> the > >> > > > > > > description. > >> > > > > > > > > When I first time read this section in -02 I was quite > >> lost > >> > > and I > >> > > > > had > >> > > > > > > to > >> > > > > > > > > read it more times. > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > My comment from -02 which still applies for -04 is > >> version is > >> > > > > ambiguity > >> > > > > > > > > of NFS4 mode attribute which does not match POSIX mode as > >> > > required > >> > > > > by > >> > > > > > > > > POSIX ACL. > >> > > > > > > > > > >> > > > > > > > I think I have addressed this now. It notes that mode is > >> > > sychronized > >> > > > > > > > with the true form ACL for the file object. > >> > > > > > > > >> > > > > > > I think that there is still an issue. Meaning of the mode > >> > > attribute is > >> > > > > > > defined differently in RFC 8881. > >> > > > > > > > >> > > > > > > RFC 8881 6.2.4. Attribute 33: mode says: "Bits MODE4_RGRP, > >> > > MODE4_WGRP, > >> > > > > > > and MODE4_XGRP apply to principals identified in the > >> owner_group > >> > > > > > > attribute but who are not identified in the owner attribute." > >> > > > > > > > >> > > > > > > RFC 8881 6.3.2.1. Discussion says: "Some server > >> implementations > >> > > also > >> > > > > add > >> > > > > > > bits permitted to named users and groups to the group bits > >> > > (MODE4_RGRP, > >> > > > > > > MODE4_WGRP, and MODE4_XGRP). Implementations are discouraged > >> from > >> > > doing > >> > > > > > > this." > >> > > > > > > > >> > > > > > > So according to meaning of mode attribute, MODE4_RGRP, > >> MODE4_WGRP, > >> > > and > >> > > > > > > MODE4_XGRP bits matches POSIXACE4_TAG_GROUP_OBJ. Which is not > >> > > > > compatible > >> > > > > > > with IEEE POSIX draft. > >> > > > > > > > >> > > > > > > I see that you have added following requirement into > >> description. > >> > > > > > > > >> > > > > > > "If the true form is ACL_MODEL_POSIX_DRAFT, synchronization > >> is > >> > > > > > > described in [Grünbacher]." > >> > > > > > > > >> > > > > > > Which sounds like that it wants to override what is defined > >> in the > >> > > > > > > "RFC 8881 6.2.4. Attribute 33: mode", and change meaning of > >> the > >> > > NFS4 > >> > > > > > > mode attribute. > >> > > > > > > > >> > > > > > > I do not think that it is a good idea if some optional > >> extension is > >> > > > > > > going to change meaning or wants that server should implement > >> > > something > >> > > > > > > which RFC 8881 6.3.2.1. says that "Implementations are > >> discouraged > >> > > from > >> > > > > > > doing this". It it contradiction. > >> > > > > > > > >> > > > > > > Example scenario why it is a bad idea. > >> > > > > > > > >> > > > > > > Some existing NFS4 server implements mode attribute according > >> to > >> > > > > > > RFC 8881 and always synchronize group bits with owner_group > >> (who > >> > > is not > >> > > > > > > owner). So group bits are never POSIX mask. And also > >> implements > >> > > NFS4 > >> > > > > > > ACL support. > >> > > > > > > > >> > > > > > > There is some NFS4 client which is using that NFS4 server, > >> and this > >> > > > > > > client uses only mode attribute (does not touch > >> acl/dacl/sacl), > >> > > and is > >> > > > > > > using chmod with group bits to set access for owner_group > >> (who is > >> > > not > >> > > > > > > owner). > >> > > > > > > > >> > > > > > > Everything is working fine up to here. > >> > > > > > > > >> > > > > > > Now that NFS4 server wants to implement per-file scope POSIX > >> ACL > >> > > > > > > support. The only requirement is not break that existing NFS4 > >> > > client. > >> > > > > > > As the NFS4 client does not look or touch any ACL, POSIX ACL > >> > > support on > >> > > > > > > server filesystem should be harmless. > >> > > > > > > > >> > > > > > > But problem is that such server cannot implement POSIX ACL > >> support > >> > > > > > > according to this extension because of "mode" compatibility > >> issues > >> > > with > >> > > > > > > that NFS4 client. For compatibility reasons for every file, > >> server > >> > > has > >> > > > > > > to return MODE4_RGRP/MODE4_WGRP/MODE4_XGRP bits from > >> owner_group > >> > > (like > >> > > > > > > before). But this POSIX ACL extension requires that mode > >> group bits > >> > > > > > > would be synchronized with POSIX MASK, so chmod of group bits > >> stops > >> > > > > > > working and breaks that NFS4 mode-only client. > >> > > > > > > > >> > > > > > That is a choice the server implementer makes. It is no > >> different > >> > > > > > than local use of POSIX draft ACLs on systems such as Linux. > >> > > > > > The user chooses to set a POSIX draft ACL on the local file > >> object > >> > > > > > and in doing so, gets POSIX draft ACL semantics. If they do not > >> set > >> > > > > > a POSIX draft ACL on the object, they get "mode only" semantics. > >> > > > > > >> > > > > By implementing this extension there is no choice for server in > >> above > >> > > > > example to allow it to return GETATTR(mode) attribute according to > >> > > > > preferred way as in RFC 8881. > >> > > > > > >> > > > > It is not same as on local Linux system, because on local Linux > >> system, > >> > > > > all get-mode operations (stat or statx, ...) can already return > >> MASK in > >> > > > > mode group bits. > >> > > > > > >> > > > > RFC 8881 say that "Implementations are discouraged from doing > >> this." > >> > > > > Local Linux systems do not say anything like this. > >> > > > > > >> > > > > So it is different situation. > >> > > > > > >> > > > I am aware from home until Friday, so I cannot do any actual > >> > > > test on Linux until then. However, I expect to see the following: > >> > > > - Given a typical server running knfsd, where the server's file > >> > > > system uses POSIX draft as its true form. > >> > > > Locally on the server: AC > >> > > > - create a file in a directory without any default ACL. > >> > > > ls -l <-- shows the default mode > >> > > > setfacl of an extended POSIX ACL > >> > > > ls -l <-- shows the mode has changed, as expected > >> > > > - Mount this file system via NFSv3 and do the same as above. > >> > > > - create a file in a directory without any default ACL. > >> > > > ls -l <-- shows the default mode > >> > > > setfacl of an extended POSIX ACL > >> > > > ls -l <-- shows the mode has changed, as expected > >> > > > Bottom line, Since both the Linux client and knfsd server > >> > > > support the undocumented NFSACL sideband protocol, I would > >> > > > >> > > I'm not sure if NFS3 ACL is really undocumented, year ago when I was > >> > > looking for it I found some documentation, XDR definitions and also > >> some > >> > > Sun or Oracle descriptions. But I do not have references in hands. > >> > > > >> > > > expect the outcome to look identical to what happens when > >> > > > the same commands are done locally on the file system. > >> > > > (As I said, I cannot actually try this until I get home > >> > > > at the end of the week and will post if do not see the above.) > >> > > > >> > > Yes, IIRC last time when I checked it, over NFS3 network protocol, > >> this > >> > > behavior of Linux NFS3 client and Linux knfsd NFS3 server was same as > >> on > >> > > the local Linux ext4 filesystem. Matches what you described above. > >> > > > >> > > > Now, remount using NFSv4.1/4.2 > >> > > > - setfacl fails with an error. > >> > > > >> > > Yes, this is truth, as Linux NFS4 client does not allow to access > >> > > Linux NFS4 server's ACLs via setfacl, even that Linux NFS4 knfsd > >> server > >> > > provides mapping in "acl" attribute. > >> > > > >> > > > The user has to go back to NFSv3 to do the setfacl. > >> > > > Now, wouldn't it be nice if NFSv4 worked exactly the > >> > > > same way as NFSv3 and local file system access? > >> > > > >> > > Yes, it would be really nice and I hope that this your extension would > >> > > allow to implement it. > >> > > > >> > > > The object of this extension is to permit the semantics for > >> > > > NFSv4 to be identical to NFSv3 and locally on the server file > >> > > > system. That is what this extension is all about. > >> > > > >> > > Yes, I agree. > >> > > > >> > > > Until the Linux folk do an implementation, I cannot be sure what > >> > > > will be needed, but I am confident that the Linux developers > >> > > > will figure it out. > >> > > > >> > > The important is that _both_ Linux NFS4 client and Linux NFS4 knfsd > >> > > server have to be modified to support this new extension. Just one > >> part > >> > > (e.g. only client or only server) is not enough. So it would be > >> required > >> > > to upgrade all clients and server. > >> > > > >> > > > Since [Grunbacher] describes how this is done on Linux, that > >> > > > is the "standard" for handling mode when a server chooses to > >> > > > support posix_access_acl for a true form of POSIX draft ACL. > >> > > > >> > > Here I would say that it (mode) is _not_ standard way of handling. I > >> > > would say that standard way of mode is only what is descried in > >> released > >> > > RFCs, therefore in RFC 8881. More NFS4 servers do not handle NFS4 mode > >> > > attribute in this way as Linux NFS4 server (which is allowed by RFC > >> 8881 > >> > > but not preferred). > >> > > > >> > > But Linux NFS4 knfsd server is handling it in this way as you > >> described > >> > > So for combination of Linux NFS4 client and Linux knfsd NFS4 server > >> > > would work it fine. > >> > > > >> > > > Maybe the draft needs a sentence clarifying this. > >> > > > Something like: > >> > > > For a server file system that supports the posix_access_acl > >> > > > attribute and file objects where acl_trueform is > >> ACL_MODEL_POSIX_DRAFT, > >> > > > if there is a discrepancy between the semantics for mode handling as > >> > > > described > >> > > > in [RFC8881] vs the semantics for mode handling in {Grunbacher], the > >> > > > semantics > >> > > > specified in [Grunbacher] MUST be used. > >> > > > >> > > I still do not think it is a good idea. It will work perfectly fine > >> for > >> > > Linux knfsd server and Linux client. But would not work for > >> combination > >> > > of Linux client with some non-Linux NFS4 server which cannot (for > >> > > existing backward compatibility) provide existing NFS4 mode attribute > >> > > according to [Grunbacher] mapping, even when some optional extension > >> > > will be implemented. > >> > > > >> > > I'm trying to show that this way is not universal for any NFS4 server. > >> > > I understand that it will work fine for Linux and FreeBSD NFS4 servers > >> > > and this ecosystem around but as I described it would not work for > >> some > >> > > other servers. > >> > > > >> > > I'm looking at this from other perspective: to be usable for more > >> > > servers and ecosystems, not just Linux<-->Linux or FreeBSD<-->Linux > >> > > but also for industry<-->Linux. > >> > > > >> > > And I would like to see this POSIX extension to be implementable also > >> > > for other NFS4 server which do not provide current NFS4 mode attribute > >> > > according to [Grunbacher] but provide it according to [RFC8881]. > >> > > > >> > > Changing mode mapping in industrial NFS software, just for > >> implementing > >> > > some optional extension, is a huge risk and can be a big stop gap to > >> not > >> > > implement this optional extension at all. Changing behavior of > >> anything > >> > > (does not matter what it is) is always a problem. So if some > >> industrial > >> > > NFS server returns in MODE4_*GRP bits permissions only and only for > >> > > owner_group then this server would have to do it in any future > >> versions > >> > > under any conditions, and changing this behavior does not have to be > >> > > acceptable. Industrial software is lot of times "certificated" or > >> > > "tested" for behavior to ensure forward and backward compatibility > >> under > >> > > any condition (for this case, "any condition" means also any value of > >> > > acl_trueform setting). > >> > > > >> > > That is why I'm trying to say that it is better to not change meaning > >> of > >> > > NFS4 mode attribute, let it as is in RFC 8881 (and discrepancy handle > >> as > >> > > defined in RFC 8881) and instead for POSIX ACL extension purposes > >> > > provide a way for client to retrieve the real POSIX mode from some > >> other > >> > > attribute which will be according to POSIX ACL specification. I > >> proposed > >> > > two alternatives how it could be done. > >> > > > >> > > This should work with any NFS4 server, any NFS4 client, including > >> Linux, > >> > > and also allows NFS4 servers which needs to have existing NFS4 mode > >> > > attribute to stay according to RFC 8881, to implement optional > >> per-file > >> > > POSIX ACL support. > >> > > > >> > > > > >> > > > > >> > > > > > If a server chooses to implement the extension proposed in this > >> > > draft, > >> > > > > > then there is no NFSv4 ACL and the behaviour looks exactly the > >> same > >> > > > > > as for local uses with/without POSIX draft ACLs on file objects > >> on > >> > > the > >> > > > > > system. > >> > > > > > >> > > > > In above example there no usage of NFS4 ACL. So this issue is not > >> > > > > related to NFS4 ACL. It is related to NFS4 mode. > >> > > > > > >> > > > > I do not see a choice how could that NFS4 server in above example > >> > > > > implement this POSIX extension without violating some MUST parts > >> of > >> > > > > description. > >> > > > > > >> > > > > > > >> > > > > > > So how could this NFS4 server implements POSIX ACL support for > >> > > Linux or > >> > > > > > > FreeBSD client without breaking that one mentioned NFS4 > >> client? > >> > > > > > > >> > > > > > > >> > > > > > > I think that it is needed to define a new posix_mode > >> attribute. I > >> > > do > >> > > > > not > >> > > > > > > see right now any option how to not break backward > >> compatibility > >> > > for > >> > > > > > > existing mode-only clients (which wants behavior of mode group > >> > > bits as > >> > > > > > > written in RFC 8881 / 6.2.4) and at the same time support > >> POSIX ACL > >> > > > > > > which requires that mode group bits contains either MASK (or > >> > > group_obj > >> > > > > > > if MASK is not defined). > >> > > > > > > > >> > > > > > > Or another option, putting content of POSIX-correct "mode" > >> > > attribute > >> > > > > > > into the "posix_access_acl" attribute (e.g. at beginning of > >> the > >> > > > > > > structure) as it is used only when POSIX ACL mode is active. > >> > > > > > > > >> > > > > > I do not think a separate mode is a good idea, just like I do > >> not > >> > > > > > think having both POSIX draft ACL(s) and a NFSv4 ACL > >> stored/used for > >> > > > > > permission checking on the same file > >> > > > > > object at a given time is a good idea (the true form). > >> > > > > > > >> > > > > > The simple summary for all this is the following: > >> > > > > > RFC8881 was written for only one kind of ACL (NFSv4), so any > >> > > discussions > >> > > > > > in it w.r.t. the relationship between ACLs and mode are > >> implicitly > >> > > for > >> > > > > > NFSv4 ACLs only and, understandably, did not take the POSIX > >> draft > >> > > ACLs > >> > > > > > into account. > >> > > > > > --> This optional extension changes all the above, so that > >> server > >> > > > > > implementers > >> > > > > > can choose to implement POSIX draft ACLs and use POSIX draft > >> > > rules > >> > > > > > related > >> > > > > > to ACLs and mode, if they choose to do so. > >> > > > > > >> > > > > What is in RFC 8881 written: > >> > > > > > >> > > > > "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals > >> > > > > identified in the owner_group attribute but who are not > >> identified in > >> > > > > the owner attribute." > >> > > > > > >> > > > > This does not imply NFS4 ACL usage. At least this is how I > >> understand > >> > > it. > >> > > > > > >> > > > > It if the extension is suppose to change all this above then this > >> > > > > extension is not backward compatible with existing RFC 8881 > >> > > > > implementations and NFS4 servers for which is backward > >> compatibility > >> > > > > crucial part, cannot implement this extension at all. > >> > > > > > >> > > > > In my opinion, backward compatible extension should not change > >> meaning > >> > > > > of some parts or require servers to implements something which is > >> > > marked > >> > > > > as "discourage do it". > >> > > > > > >> > > > > For me this is really too restrictive. > >> > > > > > >> > > > > From one direction I'm seeing it quite inconsistent if POSIX ACL > >> is > >> > > > > stored in separate attribute than NFS4 ACL, but POSIX mode is > >> stored in > >> > > > > same attribute as NFS4 mode. For an engineer who is going to > >> implement > >> > > > > this extension it looks to be a mess. > >> > > > > > >> > > > > > >> > > > > I have just another option without need for a new posix_mode > >> attribute > >> > > > > (if you think that new separate attribute is not a good idea) how > >> to > >> > > > > make the extension backward compatible and allow NFS4 server in > >> above > >> > > > > example implement it without braking that NFS4 client: > >> > > > > > >> > > > > - Explicitly mention that NFS4 mode attribute is exactly > >> according to > >> > > > > RFC 8881 description, so MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP > >> bits > >> > > > > on existing server implementations could refer to POSIX > >> group_obj > >> > > > > (but server implementations may refer to also POSIX mask, but > >> it is > >> > > > > discourage do it). All this is just explicit backward > >> compatibility. > >> > > > > > >> > > > > - Describe that NFS4 client, which is implementing this > >> extension, and > >> > > > > wants to call CHMOD on ACL_MODEL_POSIX_DRAFT file with MASK > >> ACE, it > >> > > > > has to use SETATTR(posix_access_acl) instead of SETATTR(mode). > >> Also > >> > > > > if client wants to receive POSIX MODE, it has to use > >> > > > > GETATTR(posix_access_acl) instead of GETATTR(mode). This is for > >> > > making > >> > > > > compatibility with existing NFS4 server which follows RFC 8881. > >> > > > > NFS4 client implementing this extension can calculate correct > >> POSIX > >> > > > > mode from posix_access_acl attribute (checking if there is a > >> MASK and > >> > > > > based on this put content of MODE_xGRP bits). > >> > > > > > >> > > > > > > >> > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > New comments for each section are below. > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > Section 5. POSIX ACL Considerations > >> > > > > > > > > > >> > > > > > > > > > in a directory that has a POSIX default ACL, the > >> low-order > >> > > nine > >> > > > > bits > >> > > > > > > > > > of the mode MUST be specified by mode_umask in the > >> setable > >> > > > > attributes > >> > > > > > > > > > for the operation. > >> > > > > > > > > > >> > > > > > > > > I think that here is missing an important fact that mode > >> is > >> > > > > specified > >> > > > > > > in > >> > > > > > > > > "mu_mode member of mode_umask" attribute and that the > >> "mu_umask > >> > > > > member > >> > > > > > > > > of mode_umask" is being ignored in this case (when POSIX > >> > > default > >> > > > > ACL is > >> > > > > > > > > being used). > >> > > > > > > > > > >> > > > > > > > > Because from current description is not clear how > >> mode_umask is > >> > > > > being > >> > > > > > > > > used as this attribute contains two members ("mu_mode" and > >> > > > > "mu_umask"). > >> > > > > > > > > > >> > > > > > > > I added a "See RFC8275..." for this. > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > Section 6. POSIX ACL vs NFSv4 ACL Considerations > >> > > > > > > > > > >> > > > > > > > > > Using SETATTR to set the dacl attribute to an array of > >> > > non-zero > >> > > > > > > length > >> > > > > > > > > > ... will result in the object's acl model being set to > >> > > > > > > ACL_MODEL_NFS4. > >> > > > > > > > > > >> > > > > > > > > Why setting NFS v4.1 dacl attribute to zero length is > >> excluded > >> > > > > here? > >> > > > > > > > > I think it is perfectly fine to set dacl with > >> ACL4_PROTECTED > >> > > flag > >> > > > > and > >> > > > > > > > > with zero length (empty list of) ACEs. This is fully > >> valid NFS4 > >> > > > > model > >> > > > > > > > > ACL which overwrites automatic inheritance to ACL with no > >> > > access. > >> > > > > > > > > > >> > > > > > > > > In my opinion using SETATTR on dacl attribute should > >> always > >> > > change > >> > > > > acl > >> > > > > > > > > model to ACL_MODEL_NFS4. I'm expecting that as a user I'm > >> > > setting > >> > > > > NFS4 > >> > > > > > > > > dacl attribute which refers to NFS4 model, so I'm > >> > > unconditionally > >> > > > > > > > > setting model to NFS4. > >> > > > > > > > > > >> > > > > > > > I compromised by saying any setting of dacl does this and > >> any > >> > > setting > >> > > > > > > > of acl, if it has ALLOW/DENY ACEs in it does this. (I don't > >> know > >> > > if > >> > > > > a 0 > >> > > > > > > > length > >> > > > > > > > setting for acl means set the ACL model to NFSv4 or get rid > >> of > >> > > all > >> > > > > > > > ALARM/AUDIT ACEs or ???) > >> > > > > > > > >> > > > > > > If acl attribute for some object contains only one ACE with > >> > > > > > > "AUDIT SUCCESS|FAILURE EVERYONE@ FULL_ACCESS" then server > >> should > >> > > send > >> > > > > > > into audit log any attempt to access that file. > >> > > > > > > > >> > > > > > > If I as admin want to remove auditing on that file then I > >> need to > >> > > > > remove > >> > > > > > > this one ACE from acl attribute. So it means that I have to > >> set acl > >> > > > > > > attribute to empty. > >> > > > > > > > >> > > > > > > So setting zero length acl attribute has to get rid of all > >> ACEs, > >> > > ALLOW, > >> > > > > > > DENY and also AUDIT and ALARM. Otherwise admin would not be > >> able to > >> > > > > stop > >> > > > > > > auditing on file which has only AUDITing rules. > >> > > > > > > > >> > > > > > > > I hope that David Noveck can resolve what a 0 length ACL > >> actually > >> > > > > means > >> > > > > > > > in his draft. As you have noted, SMB considers one of these > >> > > "normal" > >> > > > > and, > >> > > > > > > > as such, I see the argument that it should be that way for > >> NFSv4 > >> > > > > ACLs as > >> > > > > > > > well. > >> > > > > > > > However, I see that the FreeBSD port of OpenZFS (which uses > >> > > > > > > ACL_MODEL_NFS4 > >> > > > > > > > as > >> > > > > > > > its true form) returns an error if a setting of a zero > >> length > >> > > ACL is > >> > > > > > > > attempted. > >> > > > > > > > >> > > > > > > I thought that it is clear, but seems that there are > >> confusions > >> > > about > >> > > > > > > zero length ACL. So proper clarification in new ACL draft > >> would be > >> > > > > > > really helpful. > >> > > > > > > > >> > > > > > > > I cannot tell if this was done by the FreeBSD guy that > >> worked on > >> > > > > ACLs or > >> > > > > > > was > >> > > > > > > > cribbed from OpenSolaris? > >> > > > > > > > >> > > > > > > I think it could be possible to check what the Oracle's > >> Solaris is > >> > > > > > > doing. > >> > > > > > > > >> > > > > > > > I think it would be nice to somehow "deprecate" acl in > >> favour of > >> > > > > > > dacl/sacl. > >> > > > > > > > >> > > > > > > I'm supporting the idea of deprecating "acl" attribute in > >> favour of > >> > > > > > > separated dacl and sacl attributes. > >> > > > > > > > >> > > > > > > But for backward compatibility with NFS v4.1 (and v4.2) it is > >> > > > > > > impossible. Breaking existing NFS v4.1 clients which supports > >> only > >> > > > > "acl" > >> > > > > > > attribute should be really avoided. So some future NFS v4.3 > >> is the > >> > > > > > > candidate for removal of this "acl" attribute. > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > > In addition, if the object's acl model had been > >> > > > > > > ACL_MODEL_POSIX_DRAFT, > >> > > > > > > > > > the existing default and access ACLs are to be deleted. > >> > > > > > > > > > >> > > > > > > > > I think that in this document it is a good idea to always > >> > > > > explicitly > >> > > > > > > > > mention ACL type. Because sometimes it can be really > >> > > confusing. For > >> > > > > > > > > example: "existing POSIX default and access ACLs" make it > >> > > clear. > >> > > > > > > > > > >> > > > > > > > Sorry, but if ACL_MODEL_POSIX_DRAFT does not obviously > >> refer to > >> > > POSIX > >> > > > > > > draft > >> > > > > > > > ACLs, > >> > > > > > > > I don't know what does. I left it as is. > >> > > > > > > > >> > > > > > > I was suggesting this from the point of view of somebody new > >> this > >> > > area. > >> > > > > > > For people familiar with POSIX ACL it is obvious. For > >> somebody who > >> > > is > >> > > > > > > new to ACL it can be hard to figure out what is obvious and > >> what > >> > > not. > >> > > > > > > > >> > > > > > > But if you think it is OK then let it as is. > >> > > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > Section 7. GETATTR/SETATTR Atomicity should handle VERIFY > >> and > >> > > > > NVERIFY > >> > > > > > > > > atomically in the same way as GETATTR. > >> > > > > > > > > > >> > > > > > > > > For example, NFS4 client may want to check if POSIX ACL > >> is set > >> > > to > >> > > > > some > >> > > > > > > > > specific structure, and VERIFY with both acl_trueform and > >> > > > > > > > > posix_access_acl attributes is the appropriate operation > >> for > >> > > it. > >> > > > > > > > > > >> > > > > > > > > Maybe VERIFY/NVERIFY should be covered also in other > >> sections > >> > > which > >> > > > > > > > > refers to GETATTR/READDIR? > >> > > > > > > > > > >> > > > > > > > Good catch. I think this is fixed now in the draft. > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > Section 9.3. Attribute 90: posix_default_acl > >> > > > > > > > > > >> > > > > > > > > > Since a POSIX default ACL only applies to directories, a > >> > > SETATTR > >> > > > > of > >> > > > > > > > > > the posix_default_acl for a non-directory object MUST > >> reply > >> > > > > > > > > > NFS4ERR_INVAL. > >> > > > > > > > > > >> > > > > > > > > I guess that this MUST applies also for OPEN/OPEN4_CREATE > >> and > >> > > > > > > > > CREATE/NON-NF4DIR operations. > >> > > > > > > > > > >> > > > > > > > Again, good catch. I think it is fixed now. > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > Section 9.4. Attribute 91: posix_access_acl > >> > > > > > > > > > >> > > > > > > > > > a successful setting of this attribute sets the value of > >> > > > > acl_trueform > >> > > > > > > > > > to ACL_MODEL_POSIX_DRAFT. In addition, if the object's > >> acl > >> > > model > >> > > > > had > >> > > > > > > > > > been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be > >> deleted > >> > > so > >> > > > > that > >> > > > > > > > > > the value of the dacl attribute is a zero-length array. > >> > > > > > > > > > >> > > > > > > > > In other email I already wrote similar comment which > >> applies > >> > > here > >> > > > > too. > >> > > > > > > > > I think that this contradicts RFC 8881. Why? > >> > > > > > > > > > >> > > > > > > > > * Per section 1. Introduction: "If the server chooses to > >> > > support > >> > > > > > > > > posix_default_acl and posix_access_acl for a file > >> system, it > >> > > MUST > >> > > > > > > > > support the mode/mode_umask attributes for the file > >> system." > >> > > > > > > > > > >> > > > > > > > > * It is not explicitly mentioned but ACL_MODEL_NFS4 should > >> > > imply > >> > > > > that > >> > > > > > > > > NFS4 server has to support dacl (or acl) attribute. (It > >> > > would be > >> > > > > nice > >> > > > > > > > > to explicitly mention it.) > >> > > > > > > > > > >> > > > > > > > > * Per RFC 8881 section 6.4. Requirements: "The server that > >> > > supports > >> > > > > > > both > >> > > > > > > > > mode and ACL must take care to synchronize the > >> MODE4_*USR, > >> > > > > > > MODE4_*GRP, > >> > > > > > > > > and MODE4_*OTH bits with the ACEs that have respective > >> who > >> > > > > fields of > >> > > > > > > > > "OWNER@", "GROUP@", and "EVERYONE@". This way, the > >> client > >> > > can > >> > > > > see if > >> > > > > > > > > semantically equivalent access permissions exist > >> whether the > >> > > > > client > >> > > > > > > > > asks for the owner, owner_group, and mode attributes or > >> for > >> > > just > >> > > > > the > >> > > > > > > > > ACL." > >> > > > > > > > > > >> > > > > > > > > So we are in situation when mode, acl/dacl and > >> posix_access_acl > >> > > > > > > > > attributes are supported. > >> > > > > > > > > > >> > > > > > > > > And successful setting of posix_access_acl attribute > >> results in > >> > > > > > > > > zero-length array of dacl attribute. This removal of dacl > >> ACEs > >> > > > > results > >> > > > > > > > > in synchronization of dacl to mode attribute. As there is > >> no > >> > > > > "OWNER@", > >> > > > > > > > > "GROUP@", and "EVERYONE@" ACE entry in dacl anymore > >> (because > >> > > dacl > >> > > > > is > >> > > > > > > > > empty), this will result in synchronization of mode to > >> empty > >> > > access > >> > > > > > > 000. > >> > > > > > > > > > >> > > > > > > > > Per POSIX ACL, mode is being synchronized to POSIX ACL > >> entities > >> > > > > > > > > user_obj, group_obj/mask, other. > >> > > > > > > > > > >> > > > > > > > > If my understanding and steps above are correct then > >> successful > >> > > > > setting > >> > > > > > > > > of posix_access_acl attribute to any value results in > >> > > immediate no > >> > > > > > > > > access for user_obj, group_obj/mask and other POSIX > >> entities. > >> > > And I > >> > > > > > > > > guess that this is not intended behavior. > >> > > > > > > > > > >> > > > > > > > I added a short paragraph that states synchronization of > >> mode > >> > > with > >> > > > > > > > the true form ACL SHOULD be done. Using either RFC8881 or > >> > > Grunbacher > >> > > > > > > > as references. > >> > > > > > > > >> > > > > > > But the problem is still there. The extension document still > >> says > >> > > > > > > "if the object's acl model had been ACL_MODEL_NFS4, all ALLOW > >> and > >> > > DENY > >> > > > > > > ACEs will be deleted so that the value of the dacl attribute > >> is a > >> > > > > > > zero-length array." which as I described above, according to > >> RFC > >> > > 8881 > >> > > > > it > >> > > > > > > can be interpreted as removal of all access for owner, group > >> and > >> > > > > others. > >> > > > > > > > >> > > > > > > It is not clear if the synchronization of the mode with true > >> form > >> > > ACL > >> > > > > > > should be done before or after deleting of ALLOW/DENY rules. > >> > > > > > > > >> > > > > > > The problem is that SETATTR(posix_access_acl) is doing lot of > >> > > things, > >> > > > > > > including: > >> > > > > > > > >> > > > > > > * changing acl_trueform_scope to ACL_MODEL_POSIX_DRAFT > >> > > > > > > * changing posix_access_acl to value specified in SETATTR > >> > > > > > > * changing mode to value from posix_access_acl > >> > > > > > > * changing acl and dacl values by removing all ALLOW and DENY > >> rules > >> > > > > > > * changing acl and dacl values to value from mode (RFC 8881 > >> 6.4) > >> > > > > > > (Have I forgot something?) > >> > > > > > > > >> > > > > > Although it is hard to write in a format that works for this > >> draft, > >> > > > > > in summary, it is very simple: > >> > > > > > - Set a POSIX draft ACL on the file object and delete any dacl. > >> > > > > > Unfortunately, there is no well defined way to say the dacl has > >> been > >> > > > > > deleted. > >> > > > > > (I thought a zero length ACL worked for this, since OpenZFS > >> > > > > > does not allow setting of a zero length ACL, but you have > >> pointed out > >> > > > > > that that is not the case.) > >> > > > > > --> So, until there is (if there ever is) a better way to say > >> "dacl > >> > > has > >> > > > > > been deleted", it ends up as "make the dacl a zero length > >> ACL > >> > > and get > >> > > > > > rid > >> > > > > > of all allow/deny ACEs in acl. > >> > > > > > >> > > > > Just to note that zero length dacl is not accepted by NFS4 XDR > >> because > >> > > > > dacl attribute is a struct which contains flags and list of ACEs. > >> > > > > > >> > > > By aero length dacl, it means that the ACE cnt is zero, not that > >> > > > the entire dacl attribute is of zero length. I will clarify that > >> > > > in the next draft. > >> > > > >> > > Ok, this is a good idea to clarify it. Maybe it would be better to > >> avoid > >> > > "zero length" wording at all as it is confusing. I can imagine even > >> more > >> > > meanings of "zero length" in this RPC / XDR / NFS4 / ACL context. What > >> > > about explicitly saying that dacl's na41_aces array has zero size and > >> > > dacl's na41_flag is something... > >> > > > >> > > > > >> > > > > So for backward compatibility, NFS4 server cannot send zero-length > >> > > > > structure as a response for GETATTR(dacl) operation. > >> > > > > > >> > > > > Saying "delete dacl" or "remove dacl" is ambiguous. Developers of > >> > > > > different NFS4 servers would understand it differently. > >> > > > > > >> > > > > I think it is needed to properly describe what it means. > >> > > > > > >> > > > As I have said before, I do not currently know the correct > >> > > > syntax for "no NFSv4 ACL associated with this file object". > >> > > > >> > > I think that this is not possible to report. At least for me the ACL > >> > > evaluation algorithm is clear that for empty list of ACEs means DENY. > >> > > > >> > > Anyway, RFC 8881 section 6.2.1 "Attribute 12: acl" says: > >> > > > >> > > "Some server platforms may provide access-control functionality that > >> > > goes beyond the UNIX-style mode attribute, but that is not as rich as > >> > > the NFS ACL model. So that users can take advantage of this more > >> limited > >> > > functionality, the server may support the acl attributes by mapping > >> > > between its ACL model and the NFSv4.1 ACL model." > >> > > > >> > > This matches POSIX ACL model, so returning in GETATTR(dacl) mapped > >> > > POSIX-in-NFS4 ACL according to [Grunbacher] should be fine and better > >> > > than returning empty list of ACEs. > >> > > > >> > > Also needs to take care about combination of NFS4 server with POSIX > >> > > extension on per-file level and NFS4 client without this POSIX > >> > > extension. Practical example can be: FreeBSD server + Windows client. > >> > > Windows client would be unhappy if for some files (under POSIX model) > >> it > >> > > would not receive NFS4 ACLs (at least mapped). > >> > > > >> > > > However, if the GETATTR also acquires the acl_trueform attribute > >> > > > and sees it is not ACL_MODEL_NFS4, then the client knows that > >> > > > the replied dacl is meaningless. > >> > > > >> > > I think it would be better to express that NFS4 client which > >> implements > >> > > this POSIX extension should ignore value of both acl and dacl > >> attributes > >> > > and use only posix_access_acl attribute when acl_trueform is not > >> > > ACL_MODEL_NFS4 (still allow clients to use sacl attribute as POSIX ACL > >> > > does not provide auditing support). > >> > > > >> > > But I would not say that dacl is meaningless when acl_trueform is not > >> > > ACL_MODEL_NFS4. For clients which do not implement this POSIX > >> extension, > >> > > they cannot figure out what is state of acl_trueform. And cannot > >> figure > >> > > out that something other is used for access control. Again, quoted > >> > > RFC 8881 section 6.2.1 above can be really useful for them. > >> > > > >> > > So server should return something meaningful for these NFS4 clients > >> > > which do not implement this POSIX extension. It is needed for all > >> > > already released Linux NFS4 clients which will be there for a very > >> > > long time (via enterprise RHEL, SLED, ...) and on which is used > >> > > nfs4_getfacl tool. > >> > > > >> > > > Maybe that is a better way to express it. > >> > > > > >> > > > rick > >> > > > > >> > > > > >> > > > > > > >> > > > > > > And executing these steps in incorrect order can results in > >> > > something > >> > > > > > > unexpected or something not compatible with IEEE POSIX draft. > >> > > > > > > > >> > > > > > Maybe I should just say "delete the dacl" and let server > >> implementors > >> > > > > > take it from there? > >> > > > > > > >> > > > > > > >> > > > > > > > >> > > > > > > > >> > > > > > > And now I'm thinking, what should happen with dacl attribute's > >> > > > > na41_flag > >> > > > > > > value? Specially with ACL4_AUTO_INHERIT and ACL4_PROTECTED > >> flags. > >> > > > > > > > >> > > > > > > I would say that ACL4_AUTO_INHERIT needs to be cleared (to > >> prevent > >> > > > > > > automatic inheritance to child objects) and ACL4_PROTECTED to > >> be > >> > > set > >> > > > > (to > >> > > > > > > prevent inheritance from parent objects). As POSIX ACL does > >> not > >> > > have > >> > > > > any > >> > > > > > > kind of automatic inheritance. > >> > > > > > > > >> > > > > > The intent of the above (and I have already noted that this is > >> > > difficult > >> > > > > > to write in a format acceptable for this draft) is "delete the > >> dacl". > >> > > > > > --> It goes away, no longer exists, has no effect on mode or > >> access > >> > > to > >> > > > > > the file. > >> > > > > > >> > > > > It would be nice to explicitly mention this intent. This is > >> something > >> > > > > which really is not clear. > >> > > > > > >> > > > > Anyway, the question reminds, what should NFS4 server return in > >> > > > > GETATTR(dacl) reply? Part of the dacl XDR structure are flags. > >> > > > > > >> > > > > And NFS4 client implementing automatic inheritance, when changing > >> some > >> > > > > top level dacl attribute, it has to traverse whole filesystem > >> hierarchy > >> > > > > and updates all child dacl attributes according to child's dacl > >> flags. > >> > > > > > >> > > > > So incorrect information returned by dacl flags can totally mess > >> up > >> > > > > either NFS4 client or server's ACLs in whole filesystem. > >> > > > > > >> > > > > Due to this automatic inheritance, I think it is import to define > >> > > > > exactly what has to happen. And as I wrote in previous message, I > >> think > >> > > > > that the correct way is to clear ACL4_AUTO_INHERIT and set > >> > > > > ACL4_PROTECTED, to say NFS4 ACL client that automatic inheritance > >> at > >> > > > > that point stops and POSIX ACL (without automatic inheritance) > >> > > > > continues. > >> > > > > > >> > > > > > >> > > > > Hm... Would not it be easier for understanding to say that "dacl" > >> > > > > attribute for object with acl_trueform ACL_MODEL_POSIX_DRAFT > >> should > >> > > > > return POSIX mapped NFS4 ACL [Eriksen]? (Of course only in case > >> server > >> > > > > implements "dacl" attribute). It will avoid any confusion what > >> that > >> > > zero > >> > > > > length means or what that remove dacl mans. > >> > > > > > >> > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > If SETATTR of a POSIX extended ACL does not have a > >> > > > > POSIXACE4_TAG_MASK > >> > > > > > > > > > ACE, the SETATTR of the ACL MUST reply NFS4ERR_INVAL. > >> > > > > > > > > > >> > > > > > > > > I think there should be also mentioned that SETATTR of > >> POSIX > >> > > ACL > >> > > > > (does > >> > > > > > > > > not have to be extended) which does not have > >> > > > > POSIXACE4_TAG_USER_OBJ, > >> > > > > > > > > POSIXACE4_TAG_GROUP_OBJ or POSIXACE4_TAG_OTHER ACE MUST > >> result > >> > > in > >> > > > > > > > > NFS4ERR_INVAL too. (Except zero-length.) > >> > > > > > > > > > >> > > > > > > > I felt the description that noted these three ACEs are > >> always in > >> > > a > >> > > > > POSIX > >> > > > > > > > draft > >> > > > > > > > ACL was enough but, yes, I suppose it should be added. > >> > > > > > > > I missed this one for -05, but will do so for -06. > >> > > > > > > > >> > > > > > > Documentation should explicitly say what should happen = which > >> > > error > >> > > > > > > code to return when invalid POSIX ACL is specified in SETATTR > >> (or > >> > > > > > > OPEN/CREATE) operation. > >> > > > > > > > >> > > > > > > I was somehow surprised that XDR definition allows invalid > >> POSIX > >> > > ACL > >> > > > > > > structure (the one without user_obj/group_obj/other parts). > >> > > Because if > >> > > > > > > it allows invalid structure then it is required to explicitly > >> > > specify > >> > > > > > > how to handle invalid cases. > >> > > > > > > > >> > > > > > I have already added a note that "one ACE for each of > >> > > > > > POSIXACE4_USER_OBJ, POSIXACE4_GROUP_OBJ and POSIXACE4_OTHER is > >> > > > > > required in posix_access_acl and posix_default_acl or > >> NFS4ERR_INVAL > >> > > > > > MUST be replied" in the next draft (I won't be updating the > >> draft > >> > > > > > on the datatracker for at least a week or two). > >> > > > > > >> > > > > Ok, this is good. > >> > > > > > >> > > > > I think it is not need to update draft every day. > >> > > > > > >> > > > > > rick > >> > > > > > > >> > > > > > > >> > > > > > > > > >> > > > > > > > rick > >> > > > > > > > > >> > > > > > > > > >> > > > > > > > > > >> > > > > > > > > Regards, > >> > > > > > > > > Pali > >> > > > > > > > > > >> > > > > > > > >> > > > > > >> > > > > > _______________________________________________ > >> > > > > > nfsv4 mailing list -- nfsv4@ietf.org > >> > > > > > To unsubscribe send an email to nfsv4-leave@ietf.org > >> > > > > > >> > > > > > >> > > > >> > >> > _______________________________________________ > >> > nfsv4 mailing list -- nfsv4@ietf.org > >> > To unsubscribe send an email to nfsv4-leave@ietf.org > >> > >> _______________________________________________ > > nfsv4 mailing list -- nfsv4@ietf.org > > To unsubscribe send an email to nfsv4-leave@ietf.org > > > _______________________________________________ > nfsv4 mailing list -- nfsv4@ietf.org > To unsubscribe send an email to nfsv4-leave@ietf.org
- [nfsv4] Comments for draft-rmacklem-nfsv4-posix-a… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár