[nfsv4] Review of draft-rmacklem-nfsv4-posix-acls-02
David Noveck <davenoveck@gmail.com> Tue, 06 August 2024 15:26 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC877C180B51 for <nfsv4@ietfa.amsl.com>; Tue, 6 Aug 2024 08:26:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AL3-kjC04_AS for <nfsv4@ietfa.amsl.com>; Tue, 6 Aug 2024 08:26:17 -0700 (PDT)
Received: from mail-oo1-xc2b.google.com (mail-oo1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB337C151998 for <nfsv4@ietf.org>; Tue, 6 Aug 2024 08:26:17 -0700 (PDT)
Received: by mail-oo1-xc2b.google.com with SMTP id 006d021491bc7-5d5e97b8a22so430958eaf.2 for <nfsv4@ietf.org>; Tue, 06 Aug 2024 08:26:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722957977; x=1723562777; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=JZ8oDCSxQ/VlKZHzodsfwLKkkp/+MqX6tPMfKUrCGcA=; b=YQSw93u/4JTsArXZJefd5jUdNIIUFDOP+W3kl/K15wFcZ+jswpI99B4+VYb5JMaGCJ xR//6QNeholHCjHUX9DhQq5A5WoTMUOPml+dUx7k1+J+niVMtCXG+0RqSy6KLYb/SgXC fTp4ReoGQo1kIUKHIZTw97PGhRtdd5WB6bdYCNCnKjl9GR1aOpXx3aecadug5gepG6EQ dkEiHWMLUVwZcaClR95t2oLCNQjCHhh9mVk9fkCJYV1wiYHmjBY8YjSprvkbHlkEgHaF 6R+mITty3sohJ0Pb+iP4d+0p+MhZrI2G//dePrtjKvudc9S0rAcF/0eMSwKTtWVKXaFB 4paw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722957977; x=1723562777; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=JZ8oDCSxQ/VlKZHzodsfwLKkkp/+MqX6tPMfKUrCGcA=; b=hjWmLcxpakF0L6ze0S1lxJzqK5rELuhW0fkMiVyRTtTIBs4vMNXk60BLHFCy0T8q1N WT885ZWm8d4ZQDR/5V4RmovNrgeVBb/sYQO26yf/miElenFmTkqm48+hpsFCQ31bloGz Cg+IsXoF0YvOGDqVhUYrn4BXk1iavd1/anzzR+ZRKOM/Z6py3dzfY2d2M+Gf0F6SXvhT 0b5FCcsXrXntxvBmRLiECt5gMedJPN5dVRnNXB0Uc/veqQlT7FGSMlCt1E8q/tj7P4mu Bx2lDy03u2udR08+M8aVZUvpqaRe2UBAfBLDjgecWc+OQa4Vwc2/lB7QLms5vD7IAKzM BGkA==
X-Gm-Message-State: AOJu0YzAW7+MBcFymNLSpv3DJIUaFR1OCkngBNu+1S8QdZBH96FAGDeY AJ0+ZrD8o0jJWw7jqoUzf3JYG0N6Bp2xhqtSvTGNciwYEAZsGHJErNTsZ84YxomkO/3ZI/4btCn j+Sw2ai5aVhsiOytzkiGw8iI1UPbQPaWe
X-Google-Smtp-Source: AGHT+IFbCWMH8roCkT5oDmftTa2XYGj5jdXjVpc4VEEDbqJYFMOAQekyfzkytdLf5v8T2gs5/fNRJN23lMhVqfP4bX4=
X-Received: by 2002:a05:6358:6483:b0:1ad:14ec:9ff7 with SMTP id e5c5f4694b2df-1af3ba7cc5bmr1957175855d.16.1722957976455; Tue, 06 Aug 2024 08:26:16 -0700 (PDT)
MIME-Version: 1.0
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 06 Aug 2024 11:26:03 -0400
Message-ID: <CADaq8jdxWbC-5XUsRECL61kRkc5Ywmq2DogsaAxSdwyMAF15CA@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000002652c2061f056a2d"
Message-ID-Hash: WEH356V3OJ534WSCNUNE4DJXXIHD5IBO
X-Message-ID-Hash: WEH356V3OJ534WSCNUNE4DJXXIHD5IBO
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Review of draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Y3b8YdhgP27nCVlo7hqlvAs3iUU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
*Overall Evaluation * In good shape. There are a few non-editorial issues that need to be dealt with but not many. I am prepared to support working group adoption as soon as the author is ready to deal with the inevitable requests for a completion date. Based on what I have seen so far, I am planning to refocus work on acls-05. I had been hoping to enhance the NFSv4 ACL model so that the POSIX ACL model could be a submodel. As I read Andreas' document, this kept getting more and more difficult and it now appears that, with the document being reviewed, we have a reasonable path out of the existing ACL mess 😳 *General Issues* *Dealing with Sacls* There are a number of places where sacls are treated as parts of acls. They shouldn't be and I will discuss below ways of having posix acls co-exist with use of the parts of NFSv4 ACLs that are not related to authorization. *Interaction with Existing ACL Attributes* There are some missing cases in the list in *6. POSIX ACL vs NFSv4 ACL Considerations.* The existing treatment which deals only with deleting ACLs does not address issues involving creating new ACLs of either type. *Ordering Issues* My issues with the substance of the attribute ordering restrictions have been addressed but I still have issues with the stated justification. See 5. POSIX ACL Considerations for details. *Per-section Issues* *Abstract * Suggest rewriting the first sentence as follows: This document describes a potential protocol extension involving the addition of four new attributes to be used by server to provide support for POSIX ACLs. *1. Introduction* I have problems with the first sentence which says that mapping was attempted because of the semantic differences. This implies that if there were no semantic differences, mapping would not have been attempted. In fact, it still would have been attempted but would have been sucessful. I would start the section with something like the following: In response to the very different over-the-wire formats, attempts have been made to map between these two sorts of ACLs. However, because of the large number of semantic differences, implementation experience with mapping between NFSv4 and POSIX ACLs has not been completely successful. For example, if a NFSv4 ACL is applied to a server file via SETATTR on a server that stores POSIX ACLs and then retrieved via GETATTR/READDIR, the ACL will often not be the same, since the mapping algorithm cannot do an exact mapping between them. Suggest rewriting the last sentence of the last paragraph to read as follows: In addition, issues related to the over-the-wire format of POSIX ACLs and the interactions among the various new attributes and with existing attributes are dealt with in this document. *5. POSIX ACL Considerations* In the first sentence, you are stating a true fact, but you need to make some normative statement to follow up. I assume that that would be that setting a POSIX ACL that does not follow that is invalid. In the second paragraph, know what you mean, but it is not clear that a reader would. Suggest the following: In the who value within the posixace4 structure that appear in these new attributes, the field is interpreted as follows: - For ACEs whose tag field is POSIXACE4_TAG_USER or POSIXACE4_TAG_GROUP the who value is a UTF8-encoded Unicode string. that has the same format as a user or group as represented within other NFSv4 operations and designates the same entity. In these cases, the distinction between users and groups derives from the tag rather than a flag bit, as is done in NFSv4 ACLs. This in in contrast to how the corresponding structures are described in <xref target="Grünbacher">, where numeric uids and gds are specified. - For ACEs whose tag field has other values, the who field is ignored by the receiver and there is no reason for the sender to set it to any particular value. With regards to the third paragraph, I no longer object to the result. I had objected but you have made it clear why this is the way it is but that differs from what is in the document now. Below I quote the existing paragraph with my comments interspersed. For POSIX ACLs, setting of the low order 9 bits of mode can change the ACL and setting of the POSIX access ACL can change the low order 9 bits of mode. This is true. As such, the ordering of setting the attributes related to mode and POSIX ACLs is important. It is certainly significant. Therefore, a client MUST not set the low order 9 bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document. I don't agree with the "therefore". This is required because [RFC8881] does not specify an ordering for setting attributes in a SETATTR operation. That is* NOT *true. There is nothing in rfc8881 that prevents you from specifying an ordering as rfcs8881 does for NFSv4 ACLs. You are as free to specify an ordering as you are to specify that these are incompatible. I suggest rewriting this to say something like the following: A client MUST not set any of the nine-low order bits of mode via the mode or mode_set_masked attributes in the same SETATTR operation as one that sets the posix_access_acl and/or posix_default_acl proposed in this document. Similarly, it MUST not set these together when creating a new file. These restrictions apply because: - Setting these together is not required by the POSIX interface. - To do so, would require dealing with difficult ordering issues left unaddressed by the existing definitionof SETATTR. For the last paragraph, I have the following editorial suggestions: - Suggest replacing "low order 9" by "low-order nine" - In the second sentence I suggest replacing "SHOULD" by "should". - In the third sentence suggest replacing "may use" by "can use". - In this last sentence suggest replacing "will avoid" by "would avoid" *6. POSIX ACL vs NFSv4 ACL Considerations* In the first sentence of the second paragraph, suggest replace "a" with "an". Suggest rewriting the third paragraph as follows: For servers configured as described above, and not for any others, the following apply: For the third bulleted item, propose rewriting it as two paragraphs like the following. Using SETATTR to set a zero-length posix_default_acl or posix_access_acl (for a file object with a true form ACL of ACL_MODEL_POSIX_DRAFT) will delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE. Similarly, using SETATTR to eliminate the authorization-related portions of the ACL for a file object with a true form ACL of ACL_MODEL_NFS4 will delete the true form ACL(s) from the file object and revert it to ACL_MODEL_NONE. This can occur when setting the sacl or dacl to an array of length zero or by settting the acl attribute to an array of ACEs in which none are ALLOW or DENY ACEs. Propose to add the following items to the existing list: - Using SETATTR to set a posix_default_acl or posix_access_acl of non-zero length (for a file object with a true form ACL of ACL_MODEL_POSIX_DRAFT) will result in the object's acl model being set to ACL_MODEL_POSIX_DRAFT. In addition, if the object's acl model had been ACL_MODEL_NFS4, all ALLOW and DENY ACEs will be deleted so that the value dacl attribute is a zero-length array. - Using SETATTR to set the dacl attribute to an array of non-zero length or to st the acl attribute so that it contains one or more ALLOW or DENY ACEs will result in the object's acl model being set to ACL_MODEL_POSIX_NFS4. In addition, if the object's acl model had been ACL_MODEL_POSIX_DRAFT, the existing default and access ACLs ae to be deleted.
- [nfsv4] Review of draft-rmacklem-nfsv4-posix-acls… David Noveck
- [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-… Rick Macklem
- [nfsv4] Re: Review of draft-rmacklem-nfsv4-posix-… Rick Macklem