[nfsv4] Re: Interim meeting agenda topics

Rick Macklem <rick.macklem@gmail.com> Fri, 06 September 2024 20:35 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A96E3C14F6B8 for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 13:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cxi5UJbTHTeN for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 13:35:46 -0700 (PDT)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43889C14F6F0 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 13:35:46 -0700 (PDT)
Received: by mail-pl1-x635.google.com with SMTP id d9443c01a7336-20696938f86so23898655ad.3 for <nfsv4@ietf.org>; Fri, 06 Sep 2024 13:35:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725654946; x=1726259746; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=rVdJ9z/SkcnT+i1XZhX1mvnX/FUqhHO6/1s5WHoZlM0=; b=Nm5cfkxm2iTSNQgNJ3LwgmVQjEoWId/vnTAMppYIwTxvmNZa8wN9BzAb+VTckXMbFY /Be/lG+j9gP/AlYDVvSXvp87Vom3f0t50CvaqvM3pG7ORdsohSzuWTZFYcK4m58sc+Xh o7LuTheXzJ3St6B2o1toNjY7sdi4ID5gbc56pzLd6rDuxA2dvv6f4vrXqUi73aa2tsss Qa7KLayVELFsg1xDy0yBscOLrbRG2AS/FVmJ+rcGCApduNWxQ9YmBrBRh+P0aYtAduQf f6X/VNrAkRdUJoNnf/fCQzx3j2VdwC9vWC1H1IXa3lIopehze2rVoPIUdfqj+INS617K 5nrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725654946; x=1726259746; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rVdJ9z/SkcnT+i1XZhX1mvnX/FUqhHO6/1s5WHoZlM0=; b=ijZwUv+DcC0OzzgrxaMc70QBrWKDzDNiI7l7cUIvE73GjaJGnDrMw0obeZue2CP3tz 68q/NqKA15UzvmyLqshQC/Z27JQHf5BiqwWNnjaPT3PC4ihsdP/4aPNIb5k+zoEnD7uD sFzpESmqw+mS+mmzemWZLAx6FkDyOCUzmjlziQ7yPmtc1YjH3ZDs1IZDp6QWZEomW8zz ePrPdWOjSIhLimLlQCA0zbBdORDfKysDfsOPloM9B7U1BkGAmFWmHk3F3FQMstUjjFv+ F6b8VhFH+AErA9lBukwmxPnZZJN3ZLuQ6JAZv9OIVDHIWWYIwzlVNOi9jZhXZt438+mN kVrQ==
X-Gm-Message-State: AOJu0YyNcE2TfuDGctHTHS07UyirO58jaajuODZqkZIMN+nVbQE9gDD8 9LVbLQG3Fp0ZW6/DJECRHTOMj+FM6fRkLjudX615cTJONxuOR064YRAWt6XOkBi6atDdKF7JAPN uyrF0gN4ah6TxYV+UBb9wXVwXUOAlYKk=
X-Google-Smtp-Source: AGHT+IGw/iI9Vr26wMX9FGKpyljN1bxOzeYmTYoTAnrYMA3C7+q4eQR9nfhkhXukbkJGSUUwJsACYSzdaQKIkQeqFdA=
X-Received: by 2002:a17:903:1ca:b0:205:80e7:dcc5 with SMTP id d9443c01a7336-206f0612c3fmr47525805ad.44.1725654945425; Fri, 06 Sep 2024 13:35:45 -0700 (PDT)
MIME-Version: 1.0
References: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org>
In-Reply-To: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 06 Sep 2024 13:35:34 -0700
Message-ID: <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com>
To: Chris Inacio <inacio@cert.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: JQAGT6JOAX4SIE5ULBIUCYDLQWZN7JBK
X-Message-ID-Hash: JQAGT6JOAX4SIE5ULBIUCYDLQWZN7JBK
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Interim meeting agenda topics
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/dgFOMIn7SV8ndHv6w6-C5nlbHGI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Fri, Sep 6, 2024 at 1:05 PM Chris Inacio <inacio@cert.org> wrote:
>
> All,
>
> What would the agenda topics for the (yet to be scheduled) interim meeting be?
>
> What is left to be resolved / is controversial on the POSIX_ACL draft?
>
> I would like to add an Authentication/Authorization topic.  To scope down what I would like to discuss here: I need to read RFC2203 first.  Just from browsing the table of contents for 2203, I’m not sure this helps me understand what are *the protocol needs* with how a file system backend stores/maps the network identity of the client.
I don't know if this will help save you some time, but here is my
recollection of how RPCSEC_GSS/Kerberized NFS works...
- The client translates a user identity into a Kerberos principal (a
string like "rmacklem@MY.REALME")
   (This is usually a trivial mapping of username and default REALM.)
  --> The client uses the user's TGT to acquire a session ticket from the KDC.
- The GSSAPI layer wraps this session ticket up in a blob they call a token.
- This "token" is sent to the server via a Null RPC by RPCSEC_GSS layer.
  --> There is a back and forth between client and server, using Null RPCs
       in the RPCSEC_GSS layer that, if successful, authenticates the Kerberos
       prinicipal name on the server and creates a shorthand for the
Kerberos principal.
       (Translation from Kerberos principal is whatever the server
chooses to do.
         For POSIX like systems, it typically strips off the @REALM
and then looks the
         name up in the password/group databases to create POSIX
credentials for the user,
         which are associated with the shorthand mentioned above.)
--> Then the client uses the shorthand (authenticated via encryption
using the session key
      from the Kerberos session ticket) to identify the "user" to the
server. That's what RPCSEC_GSS
      is doing for non-NULL RPCs.
(Hopefully this is close. It has been a long time since I coded this stuff.)

In theory, other mechanisms than Kerberos can be created for GSSAPI/RPCSEC_GSS,
but there has not been much done. (Long ago there was an RFC and some code for
a public key system, but no one adopted it.)

It sounds like Tigran et al might be thinking of a new mechanism,
although I haven't looked
at what he has written up yet,

>  Please *do not* think I’m trying to standardize how that works (that is a server implementation choice) but what needs to be on the wire to enable servers do that _however they chose to do it._
 Reading through enough of the POSIX ACLs some of the large
differences between NFSv3 and NFSv4 become clear.
I'm not sure if this sounds silly, but on-the-wire it is basically a
string (owner/owner_group defines it as "user@domain",
where the domain was never well defined. (Right now, most just handle
one "domain". I don't think there is even a well
defined way of checking "same string". By this I mean, does the DNS
case insensitive and/or puny encoded rules apply?)

(For authentication, it is still a string, but with something that assures the
server that it is legit.

rick

>
> Dave what issues (not precisely drafts) are highest on your list of things to get resolved for us to make progress.
>
>
> Chris
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org