[nfsv4] Re: back to AA

Chris Inacio <inacio@cert.org> Sat, 07 September 2024 01:41 UTC

Return-Path: <inacio@cert.org>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0112CC1519AB for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 18:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbc0ahM8bDXY for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 18:41:15 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0062.outbound.protection.office365.us [23.103.209.62]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBB85C14F61F for <nfsv4@ietf.org>; Fri, 6 Sep 2024 18:41:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=BkePkcPa/q9UNsGwxgNuBEuBFQcxbThy+ca1K/KWe+MplUT+YogTzXcMk5SZJvizngY/dgquhiktPgd1mXwoUNEdKc0zjXdf1/tPhhYklfW8pcmcB3gJvenjRcl2lbH/pTOdKbsKzgIN3NCVg4z8sigEDZxJOuX7nk5a9YlsH9HJkzLgr6TKBu7rRu66agLu6Uw73eq2uzqWDozgup6QA7BkZfzAEufauuycdKfWp9O0SL4wUM+sZkG+/y3FDI8jKxO3vMYEQYT6pXxBLbioh2mMrigzINy+gndR9vMUMZ+Ny8jPBROZTwMxtR4klHVn8ipDZFW4bXYxaEkliUXj0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8EJQCKyl+Hzc0sbsFZySKXwcMQJSeQBiWo/A4PPaT2M=; b=wAw20UIn1Ykm+e4tE7t2LOTRvwK2gO/6sD3XudjRBXXYvl+pgtAItHhNPLDRqiBO57sdS1vUS+pAr/umx1uTMPFRl+FH6CR5MxAPYovOunMT6I3g2JdUGMwPlPDrfyRAsmUzTzcSBIKk7C7oVvDBoJNi38OWguLZma/z1rEkx5iBpBeCqTR+vUmogDqVju/tyAYJKnjGc/FqyZoTBtGNql5CWPWZYy8iog9FJbHVaTnTNh9N841sryIlD1rOvnwrnd3mixjkSTcUo5Yw6h/rlsq31WkYzptPuBIYgPv9Hdy71fmynPqxPg78UDCIk1r10EFBDFv685UmNPOvh9HI5w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8EJQCKyl+Hzc0sbsFZySKXwcMQJSeQBiWo/A4PPaT2M=; b=F/itdge2sK3ywgM8z+6zjKKkdS6z39iwNWlI8q8jbl011Lu3bSYMQZuahw1wQJOd8wSle4ZN3KrgiafX/6boLpjrvCx0kni+3G5DFR9LTl8UpUKHe10jx0Greonp1lioKgIWdNFH5wZtTW4nCmSBKHA0qojPEgeOJQCowMx+mUM=
Received: from SA1P110MB0975.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:172::5) by SA1P110MB1614.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:196::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.28; Sat, 7 Sep 2024 01:41:13 +0000
Received: from SA1P110MB0975.NAMP110.PROD.OUTLOOK.COM ([fe80::5528:443b:d3d9:a02b]) by SA1P110MB0975.NAMP110.PROD.OUTLOOK.COM ([fe80::5528:443b:d3d9:a02b%3]) with mapi id 15.20.7918.028; Sat, 7 Sep 2024 01:41:13 +0000
From: Chris Inacio <inacio@cert.org>
To: Rick Macklem <rick.macklem@gmail.com>
Thread-Topic: [nfsv4] back to AA
Thread-Index: AQHbAMcFtR4QZeU7J0O+ScAMN7980Q==
Date: Sat, 07 Sep 2024 01:41:13 +0000
Message-ID: <8510AEBC-237C-4E2C-AE27-909A8FE50CA7@cert.org>
References: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org> <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com>
In-Reply-To: <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3776.700.51)
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1P110MB0975:EE_|SA1P110MB1614:EE_
x-ms-office365-filtering-correlation-id: d97b5770-4a32-41fb-1401-08dccede2823
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|366016|38070700018;
x-microsoft-antispam-message-info: efT6DluFE1yivfXubNDTA7esrEssNJebJ7UT5zWtlaeBikFF98bwOD+2+CHmdVrsrDzVnOBh1sMxxwBG0jPiJ4CkDpPgdMDoL0vQnAwpm0xkB7Qb/+3Ni5xIHks+12XockeOT2a9mp8aI90LR2UA0NIvrnxj1Dv57m/9OhS/8wnMWajA+7j7Tgdr0p3HYmfYKNtVHWc1qazxWhnGHSPMQReyhW1sDToOT5jZuWQCOzR86vTcNXud944bCS8C9NejTjy6ViS2U9n0LkB180N3CkkU0vB+QVllVXU/5tpLKlDy0pyIChVpnW7C/YM1MsDcrE9/wTK2oiWemUl5qWb9Jmslgtapp/HiCY3KAtHzR0TovJUNUhiokEhdiFHp0OTJaQfiCMJW56AgIpd3Xtu3nCdkQEgPBASxQo+MEj4Gr+XDvCb6gU9tTJhTHDo0GdITIQKNWVsfSFqyB6OC9m/bvsbm0SWSUVvJjtnIDJm8/4bziCxqw2iLkMqg0tPi6nQfOpNkPNm4xq6VKQ2lTUhEiBiU/2NtEc2u3cgnywCano8khjVnMs1sa6Ojfj8KeA0ZuWDEW2u1OAgI3ax+BMYZyl9eQcWWE3ckcXiIynmJGWPhDb2zm7uvss1z9L3NT+zkh7lnzFgADo5NoLvf9J1KZmRJ8qOuxpKOptpKouj7FodSdQyxJoyBMx+NZtyzVcIdp/MbITNdhmTntR4ieUWIfj/SeglXJS/OnW9XObOI2CxUkPU8d8W05ue/TMBglDBF7mizxXPHKIAmJUb/I+3uB1r8/+3gEoz4UUp6krVeRBdTtFXRldKkranT+UZ3nvtNVGERZr/7c29nEXO+wglelgWLFhdTPR1O4ea4DivNu6yf+nlw9eZAFa95KmxUfK88YBuW+iNgpY43/U3Iyz3ci1GZ+U1TDxCNIgNDk2rtxz6QtPR1B4x3hbNAI/tO1m6ejUhzL2U4iHQxMqaGnadi96Bg42PFQADDxV59y7t8olr1dqZUV59tVM0CpiNLA+PT0rMSzjOT6/brQg8xfoZJlCMMjJ5BpY1a5RGvlcQ4spKiuV53sJrTbrVhNn310a+4todoC8t3XvWbjQNzSE7biFqMfeLsHl5KOM5uS/o+Vc2Q+NixhNJvLOQsvbTkq9kI0MWwOg5rYuv/bG5nxNDnW3JShlqp95JkTYQcG3yzp/BboaWlMSPXl6DHvGbM/HSOtivo/MfIHQNFusIawh6S9qhKzKYS0RTmNiA9Jw6ogGrSgmMsA9qNzceWd+n7zuX5Wlzi6CDWFmDeggbMjnOX16uFe14KewBOTNZHHc8kHDvlA50H97Vwzprzex2XFzg326O9nRoJ5sk2W/i9Mn+kQNRtdCPhFx8f08ffsjkalVo7d4SVrtjet43MC4uPJg6HvCeMGd/kU/zNM5GJG95fng==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SA1P110MB0975.NAMP110.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: EzQQoF7106A00TN2qvNBZk3K1LDf++TiKakk7Zb/KJevNkXXIGWbhOQN6HWudQEBAMSLDIN2HsVGx+Oq7caKV6nWds1DK65Tt7JZbcUz9ucB5NX5KJ+EC+pbJO7f2+TGljLAOYlbcvN1ODeDcxa7dyZQJGGRGDq+NrM+tupLIwoUxneLHQvcEaAzrb88Tt+GAYcNC+SKsgnuYYSZvq0i6ccQlk0gUEs9LNByET8+67bcfPEYWn5aTx1EeUWlas+DlWCqTiNEmlOdSFKA5VUleN2pRcjob5uTIaJ9V1bqTi1AqvwC1zBJw161KiMxNvghLbjoUUkQYhCpEew5O7ir3JeuHWQmaLnWOJDKZnCC6+IgqgIn4SIDdAo2c2hMDAUgOASAnNAacO8iN9UyxRLYmJMGxn6Wxhm02llzEBoa5kNYt0R+UUyOSQWCzN0BJpl2nAxX6eTQNYfxr3050sbqqyZBd4zlqUZImPLJc7Q41a0lQxaJrBkCFmWlnFWyl/qvHpmwFvyWxae/JYRZWSTeY4eWheBKE3xttGQ+ly0SZgMRDXBkO1et9s6sn1T1sUtgijftn3tCgCCc2rBq9uKTJXelVpQXY98OD+i6Np5LJAQqy3qXPwcrsDwa+P5mf5i9fgRxIFnTTbkfHeOv36Ody0UHof7nfqpA5hHrbAWe8jQDuQMtOL1zFEWYX79HbWM4yPmQqL2VggmC6esr22Yekqj07rX5qSKzYm/fx1s+auKR4DWtasy3/Ggbo4kxJTYjkQHf046yyzdYjyBwTDdNhaCOm6Zxx9h/z5BRW2B9Zjn5KiYb5tKnnSzxitGMswJMXhs07RW88K9neP1mpny8FK4YyjPPxgwpr4nMU4nqToRfORNUcGfbSA1frkZl+mPtmRwETu23UZAhSHomBEawrt1maqCAke6F5cpIZwdH9+XTQPuVhroC5yJlRpEMUWT9J0cgp6EOmkZC94ZQwpcOFG2IfC5FhA3BzWthqg1nZl4RKIwr0Ga1yMguVF2dOSxmOcH3yP7moZRNQjUbRNIgRmS7fyxryvQTMwfW+29oEEM3YdnLRj0EibfOy6gTYh2h3qou3TH8ICxcAb2FEV59P24yGHNcDDrhN8L/xbvFnQrghu7ETOpUQMFStgnvQ16VTlhgDM6y7BCKQaGdY31U0gMWI9moQLgEX80NDv7iSOq5IbKtQ3vOcFaiuq2Duljy8ilp9XKYHCYuASaqMI2A5flYkgfM3Dp/JMrHGFqW7U39K0pht+2i5wgfGFKCRKwsLSoTbVS7Qji4HmmsZoECnFn6bK7K0f+1pPUyW19ATqYkD/Ck5cu9PzhZWs9C5gvzWQAQrVdKFN4MuZe2TxDdMEsmQ6XMrMPFHQkngYTwsYsH0KKmo2rDKpJ2Cs5EsMymWjbL3VtKlCWQdRisJ+VaHu4zShIEk1aPckia79aA/mDXv9MCpSJqjhPhUqcjJRFh8oZUW+qEHEHw+SBlat55nsaHGLG8zC6soMou/AnE/yVuAk7AHPrCEqiDe/1loHn7
Content-Type: text/plain; charset="utf-8"
Content-ID: <233C25749512994CBB47A0031EDE3989@NAMP110.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1P110MB0975.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: d97b5770-4a32-41fb-1401-08dccede2823
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Sep 2024 01:41:13.1136 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1P110MB1614
Message-ID-Hash: 6INUJ2ZAADNW7K7MQG5XXY3V6EOY5ERK
X-Message-ID-Hash: 6INUJ2ZAADNW7K7MQG5XXY3V6EOY5ERK
X-MailFrom: inacio@cert.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: back to AA
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/dXHo-rYidOt_Hh8RKDEn1G2VOWA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

>> 
>> I would like to add an Authentication/Authorization topic.  To scope down what I would like to discuss here: I need to read RFC2203 first.  Just from browsing the table of contents for 2203, I’m not sure this helps me understand what are *the protocol needs* with how a file system backend stores/maps the network identity of the client.
> I don't know if this will help save you some time, but here is my
> recollection of how RPCSEC_GSS/Kerberized NFS works...
> - The client translates a user identity into a Kerberos principal (a
> string like "rmacklem@MY.REALME")
>   (This is usually a trivial mapping of username and default REALM.)
>  --> The client uses the user's TGT to acquire a session ticket from the KDC.
> - The GSSAPI layer wraps this session ticket up in a blob they call a token.
> - This "token" is sent to the server via a Null RPC by RPCSEC_GSS layer.
>  --> There is a back and forth between client and server, using Null RPCs
>       in the RPCSEC_GSS layer that, if successful, authenticates the Kerberos
>       prinicipal name on the server and creates a shorthand for the
> Kerberos principal.
>       (Translation from Kerberos principal is whatever the server
> chooses to do.
>         For POSIX like systems, it typically strips off the @REALM
> and then looks the
>         name up in the password/group databases to create POSIX
> credentials for the user,
>         which are associated with the shorthand mentioned above.)
> --> Then the client uses the shorthand (authenticated via encryption
> using the session key
>      from the Kerberos session ticket) to identify the "user" to the
> server. That's what RPCSEC_GSS
>      is doing for non-NULL RPCs.
> (Hopefully this is close. It has been a long time since I coded this stuff.)
> 

This is really helpful, thanks.  (Is this in nfsuserd in FreeBSD?  Pulling up the code - you apparently wrote it in 2009.  ;).  I’m happy because it’s basically a single file of 909 lines.)

Ganesha must do this differently, right?  Doesn’t it run in user space?  Does it have a separate DB for this mapping?  The example I can find is Ganesha running on top of Ceph – and it doesn’t seem to be particularly running in user space. (https://github.com/nfs-ganesha/nfs-ganesha/wiki/Kerberos-setup-for-NFS-Ganesha-in-Ceph) I am making a lot of guesses on Ganesha operation I’ve realized.

> In theory, other mechanisms than Kerberos can be created for GSSAPI/RPCSEC_GSS,
> but there has not been much done. (Long ago there was an RFC and some code for
> a public key system, but no one adopted it.)
> 
> It sounds like Tigran et al might be thinking of a new mechanism,
> although I haven't looked
> at what he has written up yet,
> 

Right now there is more the statement of what might go in such a draft than the text itself.  I would really like to understand how someone who manages a hybrid multi cloud instance for data storage deals with AA.  It must be complicated.  The SCIM WG (https://datatracker.ietf.org/wg/scim/) is developing cross-domain identity management.  I have no idea if it would help at all, but if that’s a the right tool for a problem we (eventually) face it’s available.  (Although from what little I know of it, I would rather use ONC RPC than RPCs built on top of HTTP, but maybe I’m just old.)

>> Please *do not* think I’m trying to standardize how that works (that is a server implementation choice) but what needs to be on the wire to enable servers do that _however they chose to do it._
> Reading through enough of the POSIX ACLs some of the large
> differences between NFSv3 and NFSv4 become clear.
> I'm not sure if this sounds silly, but on-the-wire it is basically a
> string (owner/owner_group defines it as "user@domain",
> where the domain was never well defined. (Right now, most just handle
> one "domain". I don't think there is even a well
> defined way of checking "same string". By this I mean, does the DNS
> case insensitive and/or puny encoded rules apply?)
> 

Good points to consider if there is an extension to think about how to update AA.

> (For authentication, it is still a string, but with something that assures the
> server that it is legit.
> 
> rick