[nfsv4] Review of draft-rmacklem-nfsv4-posix-acls-02

David Noveck <davenoveck@gmail.com> Tue, 06 August 2024 15:26 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC877C180B51 for <nfsv4@ietfa.amsl.com>; Tue, 6 Aug 2024 08:26:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AL3-kjC04_AS for <nfsv4@ietfa.amsl.com>; Tue, 6 Aug 2024 08:26:17 -0700 (PDT)
Received: from mail-oo1-xc2b.google.com (mail-oo1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB337C151998 for <nfsv4@ietf.org>; Tue, 6 Aug 2024 08:26:17 -0700 (PDT)
Received: by mail-oo1-xc2b.google.com with SMTP id 006d021491bc7-5d5e97b8a22so430958eaf.2 for <nfsv4@ietf.org>; Tue, 06 Aug 2024 08:26:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722957977; x=1723562777; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=JZ8oDCSxQ/VlKZHzodsfwLKkkp/+MqX6tPMfKUrCGcA=; b=YQSw93u/4JTsArXZJefd5jUdNIIUFDOP+W3kl/K15wFcZ+jswpI99B4+VYb5JMaGCJ xR//6QNeholHCjHUX9DhQq5A5WoTMUOPml+dUx7k1+J+niVMtCXG+0RqSy6KLYb/SgXC fTp4ReoGQo1kIUKHIZTw97PGhRtdd5WB6bdYCNCnKjl9GR1aOpXx3aecadug5gepG6EQ dkEiHWMLUVwZcaClR95t2oLCNQjCHhh9mVk9fkCJYV1wiYHmjBY8YjSprvkbHlkEgHaF 6R+mITty3sohJ0Pb+iP4d+0p+MhZrI2G//dePrtjKvudc9S0rAcF/0eMSwKTtWVKXaFB 4paw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722957977; x=1723562777; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=JZ8oDCSxQ/VlKZHzodsfwLKkkp/+MqX6tPMfKUrCGcA=; b=hjWmLcxpakF0L6ze0S1lxJzqK5rELuhW0fkMiVyRTtTIBs4vMNXk60BLHFCy0T8q1N WT885ZWm8d4ZQDR/5V4RmovNrgeVBb/sYQO26yf/miElenFmTkqm48+hpsFCQ31bloGz Cg+IsXoF0YvOGDqVhUYrn4BXk1iavd1/anzzR+ZRKOM/Z6py3dzfY2d2M+Gf0F6SXvhT 0b5FCcsXrXntxvBmRLiECt5gMedJPN5dVRnNXB0Uc/veqQlT7FGSMlCt1E8q/tj7P4mu Bx2lDy03u2udR08+M8aVZUvpqaRe2UBAfBLDjgecWc+OQa4Vwc2/lB7QLms5vD7IAKzM BGkA==
X-Gm-Message-State: AOJu0YzAW7+MBcFymNLSpv3DJIUaFR1OCkngBNu+1S8QdZBH96FAGDeY AJ0+ZrD8o0jJWw7jqoUzf3JYG0N6Bp2xhqtSvTGNciwYEAZsGHJErNTsZ84YxomkO/3ZI/4btCn j+Sw2ai5aVhsiOytzkiGw8iI1UPbQPaWe
X-Google-Smtp-Source: AGHT+IFbCWMH8roCkT5oDmftTa2XYGj5jdXjVpc4VEEDbqJYFMOAQekyfzkytdLf5v8T2gs5/fNRJN23lMhVqfP4bX4=
X-Received: by 2002:a05:6358:6483:b0:1ad:14ec:9ff7 with SMTP id e5c5f4694b2df-1af3ba7cc5bmr1957175855d.16.1722957976455; Tue, 06 Aug 2024 08:26:16 -0700 (PDT)
MIME-Version: 1.0
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 06 Aug 2024 11:26:03 -0400
Message-ID: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000002652c2061f056a2d"
Message-ID-Hash: WEH356V3OJ534WSCNUNE4DJXXIHD5IBO
X-Message-ID-Hash: WEH356V3OJ534WSCNUNE4DJXXIHD5IBO
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Review of draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Y3b8YdhgP27nCVlo7hqlvAs3iUU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

*Overall Evaluation *

In good shape.  There are a few  non-editorial issues that need to be dealt
with but not many.

I am prepared to support working group adoption as soon as the author is
ready to deal with the inevitable requests for a completion date.

Based on what I have seen so far, I am planning to refocus work on
acls-05.  I had been hoping to enhance the NFSv4 ACL model so that the
POSIX ACL model could be a submodel.  As I read Andreas' document, this
kept getting more and more difficult and it now appears that, with the
document being reviewed, we have a reasonable path out of the existing ACL
mess 😳

*General Issues*

*Dealing with Sacls*

There are a number of places where sacls are treated as parts of acls.
They shouldn't be and I will discuss below ways of having posix acls
co-exist with use of the parts of  NFSv4 ACLs  that are not related to
authorization.

*Interaction with Existing ACL Attributes*

There are some missing cases in the list in *6. POSIX ACL vs NFSv4 ACL
Considerations.* The existing treatment which deals only with deleting ACLs
does not address issues involving creating new ACLs of either type.

*Ordering Issues*

My issues with the substance of the attribute ordering restrictions have
been addressed but I still have issues with the stated justification.  See 5.
POSIX ACL Considerations for details.


*Per-section Issues*

*Abstract *

Suggest rewriting the first sentence as follows:

This document describes a potential protocol extension involving the
addition of four new attributes to be used by server to provide support for
POSIX ACLs.

*1. Introduction*

I have problems with the first sentence which says that mapping was
attempted because of the semantic differences.   This implies that if there
were no semantic differences, mapping would  not have been attempted.  In
fact, it still would have been attempted but would have been sucessful.  I
would start the section with something like the following:

In response to the very different over-the-wire formats, attempts have
been made to map between these two sorts of ACLs.  However, because of
the

large number of semantic differences, implementation experience with
mapping between NFSv4 and POSIX ACLs has not been completely
successful.

 For example, if a NFSv4 ACL is applied to a server file via SETATTR
on a server that stores POSIX ACLs and then retrieved via

GETATTR/READDIR, the ACL will often not be the same, since the mapping
algorithm cannot do an exact mapping between them.


Suggest rewriting the last sentence of the last paragraph to read as
follows:

In addition, issues related to the over-the-wire format of POSIX ACLs
and the interactions among the various new attributes and with

existing attributes are dealt with in this document.


*5.  POSIX ACL Considerations*


In the first sentence, you are stating a true fact, but you need to
make some normative statement to follow up.


I assume that that would be that setting a POSIX ACL that does not
follow that is invalid.


In the second paragraph, know what you mean, but it is not clear that
a reader would.  Suggest the following:


In the who value within the posixace4 structure that appear in these
new attributes, the field is interpreted as follows:


   - For ACEs whose tag field is POSIXACE4_TAG_USER or
POSIXACE4_TAG_GROUP the who value is a UTF8-encoded Unicode string.

that has the same format as a user or group as represented within
other NFSv4 operations and designates the same entity.

In these cases, the distinction between users and groups derives from
the tag rather than a flag bit, as is done in NFSv4 ACLs.

This in in contrast to how the corresponding structures are described
in <xref target="Gr&#252;nbacher">, where numeric uids and gds are

specified.


   - For ACEs whose tag field has other values, the who field is
ignored by the receiver and there is no reason for the sender to set
it to any

particular value.

With regards to the third paragraph, I no longer object to the result.
I had objected but you have made it clear why this is the way it is
but that differs from what is in the document now.  Below I quote the
existing paragraph with my comments interspersed.

For POSIX ACLs, setting of the low order 9 bits of mode can change the
ACL and setting of the POSIX access ACL can change the low order 9
bits of mode.

This is true.

As such, the ordering of setting the attributes related to mode and
POSIX ACLs is important.

It is certainly significant.

Therefore, a client MUST not set the low order 9 bits of mode via the
mode or mode_set_masked attributes in the same SETATTR operation as
one that sets the posix_access_acl and/or posix_default_acl proposed
in this document.

I don't agree with the "therefore".

This is required because [RFC8881] does not specify an ordering for
setting attributes in a SETATTR operation.

That is* NOT *true. There is nothing in rfc8881 that prevents you from
specifying an ordering as rfcs8881 does for NFSv4 ACLs.

You are as free to specify an ordering as you are to specify that
these are incompatible.


I suggest rewriting this to say something like the following:


A client MUST not set any of the nine-low order bits of mode via the
mode or mode_set_masked attributes in the same SETATTR operation as
one that sets the posix_access_acl and/or posix_default_acl proposed
in this document.  Similarly, it MUST not set these together when
creating a new file. These restrictions apply because:


   - Setting these together is not required by the POSIX interface.
   - To do so, would require dealing with difficult ordering issues
left unaddressed by the existing definitionof SETATTR.

For the last paragraph, I have the following editorial suggestions:


   - Suggest replacing "low order 9" by "low-order nine"
   - In the second sentence I suggest replacing "SHOULD" by "should".
   - In the third sentence suggest replacing "may use" by "can use".
   - In this last sentence suggest replacing "will avoid" by "would avoid"


*6.  POSIX ACL vs NFSv4 ACL Considerations*


In the first sentence of the second paragraph, suggest replace "a" with  "an".


Suggest rewriting the third paragraph as follows:

For servers configured as described above, and not for any others,
the following apply:

For the third bulleted item, propose rewriting it as two paragraphs like
the following.

Using SETATTR to set a zero-length posix_default_acl or
posix_access_acl (for a file object with a true form ACL of
ACL_MODEL_POSIX_DRAFT)

will delete the true form ACL(s) from the file object and revert it to
ACL_MODEL_NONE.

Similarly, using  SETATTR to eliminate the authorization-related
portions of the ACL for a file object with a true form ACL of
ACL_MODEL_NFS4  will

delete the true form ACL(s) from the file object and revert it to
ACL_MODEL_NONE.  This can occur when setting the sacl or dacl to an
array of length

zero or by settting the acl attribute to an array of ACEs  in which
none are ALLOW or DENY ACEs.


Propose to add the following items to the existing list:

   -

   Using SETATTR to set a posix_default_acl or posix_access_acl of
non-zero length (for a file object with a true form ACL of

   ACL_MODEL_POSIX_DRAFT) will result in the object's acl model being set
   to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model had
   been  ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so that
   the value dacl attribute is a zero-length array.
   -

   Using SETATTR to set the dacl attribute to an array of non-zero
length or to st the acl attribute so that it contains one or more
ALLOW or DENY ACEs

   will result in the object's acl model being set to ACL_MODEL_POSIX_NFS4.
   In addition, if the object's acl model had been  ACL_MODEL_POSIX_DRAFT,
   the existing default and access ACLs ae to be deleted.