RE: [nfsv4] Windows/NFSv4 ACL interoperability

"Yoder, Alan" <agy@netapp.com> Tue, 14 March 2006 00:06 UTC

Subject: RE: [nfsv4] Windows/NFSv4 ACL interoperability
Date: Mon, 13 Mar 2006 16:04:00 -0800
Message-ID: <992BA60650F1584BA63E339312CE420303DA9AFC@exsvl02.hq.netapp.com>
From: "Yoder, Alan" <agy@netapp.com>
To: "J. Bruce Fields" <bfields@fieldses.org>, nfsv4@ietf.org, samba-technical@lists.samba.org, Gardere_Daniel@emc.com, Roche_Francois@emc.com

I don't have time for a detailed discussion today,
but will note the following.

During the NFSv4 ACL spec writeup, I questioned the
lack of ordering requirements for ALLOW and DENY.
Carl Beame demonstrated to my satisfaction that
Windows NT servers did not at that time enforce
any such thing, and that the requirement is (was?)
entirely client-side in Windows.
I hope this is germane to the discussion; apologies
if not.

Alan

===============================================================
Alan G. Yoder                                    agy@netapp.com
Technical Staff                           
Network Appliance, Inc.                            408-822-6919
===============================================================  

> -----Original Message-----
> From: J. Bruce Fields [mailto:bfields@fieldses.org] 
> Sent: Sunday, March 12, 2006 2:41 PM
> To: nfsv4@ietf.org; samba-technical@lists.samba.org; 
> Gardere_Daniel@emc.com; Roche_Francois@emc.com
> Subject: [nfsv4] Windows/NFSv4 ACL interoperability
> 
> Several of us had a conversation about ACL interoperability at
> Connectathon the other week, and I just wanted to post some kind of
> summary.
> 
> Apologies for the cross-posting; this seemed the most efficient way to
> reach the people likely to be interested.  Let me know if there's
> interest, and I could set up a dedicated mailman list for ACL
> discussions.
> 
> So I've started gathering what I know here; corrections welcomed:
> 
> http://wiki.linux-nfs.org/index.php/ACLs#The_ACL_Interoperability_Problem
> 
> An executive summary: the basic problem, shared to some degree by NFSv4
> and Samba, is that we'd like to support applications that use both POSIX
> and Windows ACLs, and we'd even like to be able to do it from servers
> (like Linux) that only support the less-fine-grained POSIX ACLs.  (At
> some point that may mean just pushing Windows/NFSv4 ACLs into those
> operating systems--I believe OSX, AIX, and Solaris are among those that
> are already doing this.)
> 
> (There's also a problem that the NFSv4 spec is a little vague about the
> semantics of NFSv4 ACLs, and that the ACLs it describes differ slightly
> from Windows ACLs--see
> http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt for
> a proposal to address this).
> 
> Some points made by people at the meeting:
> 	- The problem as stated above is impossible to solve completely.
> 	  For example, ACLs that represent typical Windows expectations about
> 	  ALLOW/DENY ace ordering appear to be incompatible with ACLs that
> 	  represent mode bit semantics accurately.  So we have to be realistic
> 	  about what we can and can't do, and figure out ways to fail
> 	  gracefully.
> 	- Despite the ubiquity and flexibility of Windows ACLs, it may
> 	  be hard to abandon POSIX ACLs, because they can be somewhat
> 	  simpler to understand and manipulate, and because some common tools
> 	  may be starting to support them (e.g., see news about Nautilus ACL
> 	  support:
> 	  http://blogs.sun.com/roller/page/alvaro?entry=nautilus_acl_support)
> 
> Some resources mentioned at the meeting:
> 	- rfc3530 section 5.11 describes NFSv4 ACLs:
> 	  http://www.ietf.org/rfc/rfc3530.txt
> 	- Windows ACL documentation:
> 	  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_security_and_access_rights.asp
> 	- withdrawn draft "POSIX" ACL spec:
> 	  http://wt.xpilot.org/publications/posix.1e/download.html
> 	- Microsoft documentation on mode bit<->ACL mapping:
> 	  http://www.microsoft.com/technet/interopmigration/unix/sfu/sfu3perm.mspx
> 	- Microsoft documentation on preferred ACE ordering:
> 	  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp
> 	- Presentation by Jeremy Allison on POSIX<->Windows ACL mapping:
> 	  http://www.citi.umich.edu/projects/nfsv4/jallison-acl-mapping/jallison-acl-mapping.html
> 	- POSIX<->NFSv4 mapping, used by Linux and Solaris:
> 	  http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-03.txt
> 	- Documentation of OSX ACLs:
> 	  http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html
> 	- Proposed revisions to NFSv4 ACLs, discussion of chmod, mode bit
> 	  mapping, etc.:
> 	  http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt
> 
> But of course I probably missed some stuff; if you notice anything,
> please let me know.
> 
> --b.
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www1.ietf.org/mailman/listinfo/nfsv4
> 

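Two points in the thread can be made concrete together: Bruce's remark that Windows-canonical ALLOW/DENY ordering appears incompatible with ACLs that encode mode bits accurately, and Alan's note that the ordering requirement lives in Windows clients rather than the server. The following is an added example, not code from the thread, from RFC 3530, or from any NFS or Samba implementation; it assumes a simplified mode-to-ACL mapping (constructed here, in the spirit of the POSIX<->NFSv4 mapping draft cited above) and the explicit-DENY-before-ALLOW canonical order from the Microsoft DACL ordering page linked above.

```python
# Added illustration (not from the thread, RFC 3530 or any NFS/Samba code): RFC
# 3530 section 5.11 ACL evaluation, first match per bit, showing that sorting an
# ACL into Windows canonical order (all DENYs first) can break a mode-derived ACL.
from functools import reduce
from operator import or_
READ, WRITE, EXEC = 4, 2, 1                  # rwx bits of one mode triplet
CLASSES = ("OWNER@", "GROUP@", "EVERYONE@")  # RFC 3530 special 'who' values

def access_allowed(acl, who_matches, requested):
    """ACEs are (type, who, mask), walked in order; non-matching 'who' is skipped.
    ALLOW clears still-unallowed bits; DENY of a still-unallowed bit rejects."""
    remaining = requested
    for kind, who, mask in acl:
        if who not in who_matches:
            continue
        if kind == "ALLOW":
            remaining &= ~mask
            if remaining == 0:
                return True
        elif remaining & mask:
            return False
    return remaining == 0

def acl_from_mode(mode):
    """Constructed mode -> NFSv4 mapping: per class in order, DENY the bits it
    lacks that a later class allows (the DENY must precede that ALLOW), then ALLOW."""
    triplets = [(mode >> s) & 7 for s in (6, 3, 0)]
    acl = []
    for i, (who, bits) in enumerate(zip(CLASSES, triplets)):
        shadow = reduce(or_, triplets[i + 1:], 0) & ~bits & 7
        if shadow:
            acl.append(("DENY", who, shadow))
        if bits:
            acl.append(("ALLOW", who, bits))
    return acl
def canonicalize(acl):
    """Windows canonical order for explicit ACEs: all DENYs, then all ALLOWs."""
    return [a for a in acl if a[0] == "DENY"] + [a for a in acl if a[0] == "ALLOW"]
def mode_says(mode, who_matches, requested):
    """What the mode bits themselves grant: the first matching class decides."""
    shift = 6 if "OWNER@" in who_matches else 3 if "GROUP@" in who_matches else 0
    return (((mode >> shift) & 7) & requested) == requested

def compare(mode=0o757, who=CLASSES, requested=WRITE):
    """Verdicts (mode bits, ACL in mapping order, ACL canonicalized). Constructed
    default: mode 0757, an owner who is also in the file's group, asks WRITE."""
    acl = acl_from_mode(mode)
    return (mode_says(mode, who, requested), access_allowed(acl, who, requested),
            access_allowed(canonicalize(acl), who, requested))
```

compare() returns (True, True, False): the mode and the ACL in mapping order both grant the owner write, but once the GROUP@ DENY is moved ahead of the OWNER@ ALLOW it is hit first and the owner loses write. compare(0o640, CLASSES, WRITE) returns (True, True, True), so a common mode survives the reorder; the break only appears when a narrower class holds a bit a broader one must deny.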