[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02

Rick Macklem <rick.macklem@gmail.com> Wed, 07 August 2024 15:23 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DD3C169403 for <nfsv4@ietfa.amsl.com>; Wed, 7 Aug 2024 08:23:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bgb1qEsXmrOG for <nfsv4@ietfa.amsl.com>; Wed, 7 Aug 2024 08:23:02 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A8D1C14F6FB for <nfsv4@ietf.org>; Wed, 7 Aug 2024 08:23:02 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-7a1be7b5d70so939768a12.0 for <nfsv4@ietf.org>; Wed, 07 Aug 2024 08:23:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723044182; x=1723648982; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jU2xDnibGTjPZ2px25silZYML++NQVoZT+GrmJvcY0o=; b=EAI4zl29hvWFqln7HhzuNAspg4Of4WW33vJsFHKp3BmlQfPjliBmPkfphnVDOEaB0F cTCDWoukgzkijfMYotKyzWA1gbh5esaGFd6vxTPoabG5J+z3Xh30+A6zKypSHNVcNpha zdmM53u0C6AuIztqmo9ItP4CGFqyXUo+jZLzmSb40rmCYuc8Soc6UzjCFQ6wh2i/ba8e kvgFUTelFYdcjf3srC4uMIZLQN2xWhDiLkAfJ6syW/Byos0F59a9sW2wcIigwGuK4DBc jtlbZEeSxpNXpkTkYcP8tedfm5qiBs9xkFI+Pz/8v4aoZ0e07VewA4usMmyBT5Q5HIxL 8Ttg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723044182; x=1723648982; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jU2xDnibGTjPZ2px25silZYML++NQVoZT+GrmJvcY0o=; b=SgnmWL6HudUbqwOWz74HkGOiHsXQzT33BklBazuM8sdFxK+u+8BPRLYgn9/hxv7McC piX+HrlszpFiDT6d7ioCmDd07fqDTmL7bW6edvIBkYu1f1hQiRXOqQ6H6hwR80ru81fn vlX9ssBgRaqJmEVuQ8FZDB6QteVH37x1GPVW3mCXdIn31P0CIsg85yTMN/OnLAhJGkJU 0sTeAfIwUUsovGYxF1DpitFqdU7TYPcmelRxoZNPxQTYBw4+O3QHASLjedhw9kVcr4PI T2kCkBa28YQFOWrD7VA/9vkRJCdvca0YIxbVSonGGCW+NB5KsIuNo6np5UqKY9OcoHBo 8oDw==
X-Forwarded-Encrypted: i=1; AJvYcCVc9LWogPJDrH5eeqCalUQaKkbKa2HS9qfEmfuockC8ioPG8zZIRcxcxl3vaoAqYSfAuEYBHFba5DxVvijd3w==
X-Gm-Message-State: AOJu0Yxp1AHkoyOF0Q53Wt7bVwzln65bz+EnSRWnKng3oWIDqYBVu3Kt 8VydX637F1r4enwiX49EQe4WDEHenrUo62+gDr4M1J61mlfDvrMCTilb0BhVkR0ByGy15LwIhJ2 nhbdCxlH9TxU2BT9dLZTw9Qly8bw5
X-Google-Smtp-Source: AGHT+IFQuZt/2KnENCuIQZxFMxP53XoOHLrgOBokJI17TX6VlO1RFxh+/mO7AhueOfUB1Puw/SxbrOg09edet+RUoXQ=
X-Received: by 2002:a17:903:22cc:b0:1fe:d72d:13e1 with SMTP id d9443c01a7336-20085570daamr36807875ad.30.1723044181388; Wed, 07 Aug 2024 08:23:01 -0700 (PDT)
MIME-Version: 1.0
References: <20240806170525.trrqy27aqu7sayb5@pali> <CAM5tNy4pPcP7AErkqvu2URqX9nCT-8i3y_esVzpyyjaHC6Uuew@mail.gmail.com> <CADaq8jexUbGSNfrkSkrVn3axkDZu2HrMYeT1pF7TNGKXHaZ73w@mail.gmail.com>
In-Reply-To: <CADaq8jexUbGSNfrkSkrVn3axkDZu2HrMYeT1pF7TNGKXHaZ73w@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Wed, 07 Aug 2024 08:22:51 -0700
Message-ID: <CAM5tNy59h8FG389J1-VZs=XyOq21e5saqBWhz-wY2D9XWKJ0dA@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000005d35ea061f197c53"
Message-ID-Hash: TWNX6BMP2HUVPREU2RXT362DVDUT2NFF
X-Message-ID-Hash: TWNX6BMP2HUVPREU2RXT362DVDUT2NFF
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>, NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/eFmmLatnNTa3MoPf6Wy2IcDYoW0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Wed, Aug 7, 2024 at 5:07 AM David Noveck <davenoveck@gmail.com> wrote:

>
>
> On Tue, Aug 6, 2024, 6:21 PM Rick Macklem <rick.macklem@gmail.com> wrote:
>
>>
>>
>> On Tue, Aug 6, 2024 at 10:05 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
>> wrote:
>>
>>> Hello Rick,
>>>
>>> As we were discussed off-list, I'm sending to this list my comments for
>>> your draft-rmacklem-nfsv4-posix-acls-02 document. Quoted text is
>>> verbatim copy from your document.
>>>
>>> Your document describe POSIX ACL support only for NFS v4.2. The most
>>> commonly used NFS4 version is 4.1 and it would stay for a longer time,
>>> lot of enterprise NFS SW is being written as NFS3 + NFSv4.1 (no v4.2
>>> support). So to make extension widely usable, it needs to be also for
>>> NFS v4.1. Is there any reason why v4.1 is not included in your document?
>>>
>> As I understand it, new attributes cannot be added to 4.1.
>>
>
> According to RFC8178  they could only be added to correct a defect.  In
> the acls document, I propose the addition of Aclchoice for that reason
> although there has been some wg pushback.  I will make the best case I can
> for that in acls-05 and  see if we can reach consensus. I may be forced to
> move this to v4.2.
>
> Also, adding support for 4.2 is not a lot of work (some would say
>> it's trivial):
>>
> - For the client--> replace 1 with 2 in the minorversion field of the
>>   compounds. That's all there is to it, since everything in 4.2 are
>>   optional extensions to 4.1.
>>   --> These optional extensions can be added if/when the implementor
>>       needs them.
>> - For the server--> accept minorversion set to 2 and make sure all
>>   operation #s that are in 4.2 get a reply of NSF4ERR_NOTSUPP.
>>
>
> You also have to reject unsupported v4.2 attributes in SETATTR, VERIFY,
> NVERIFY ...
>
>   --> Again, an implementor can then add support for 4.2 optional
>>       operations, attributes.. whenever needed.
>>
>>
>>> > Therefore, a client MUST not set the low order 9 bits of mode via the
>>> > mode or mode_set_masked attributes in the same SETATTR operation as
>>> > one that sets the posix_access_acl and/or posix_default_acl proposed
>>> > in this document. This is required because [RFC8881] does not specify
>>> > an ordering for setting attributes in a SETATTR operation.
>>>
>>> RFC 8881 in section "6.4.1. Setting the Mode and/or ACL Attributes"
>>> describes the ordering of setting MODE, ACL attributes.
>>>
>>> In section "6.4.1.3. Setting Both ACL and Mode" is covered any ACL
>>> attribute with any MODE attribute:
>>> "When setting both the mode (includes use of either the mode attribute
>>> or the mode_set_masked attribute) and the acl or dacl attributes in the
>>> same operation, the attributes MUST be applied in this order: mode (or
>>> mode_set_masked), then ACL."
>>>
>>> I think it would be better if your extension says that the new
>>> POSIX_*_ACL attributes has to be handled as ACL attribute according to
>>> RFC 8881 6.4.1.3. section. It would simplify MODE and ACL interop in
>>> SETATTR operation.
>>>
>> Yea, I suppose it is more consistent.
>> I'll change it.
>>
>> To be honest, at least for the FreeBSD and Linux clients, the
>> acl attribute is never changed in the same SETATTR as mode/mode_set_masked
>> so I am a little concerned that servers may not get this right.
>> (I think the FreeBSD server does get the ordering right.)
>>
>>
>>> > Therefore, to maintain compatible semantics with the POSIX draft, for
>>> > NFSv4 operations that create new file objects (OPEN/OPEN4_CREATE,
>>> > CREATE) in a directory that has a POSIX default ACL, the low order 9
>>> > bits of the mode SHOULD be specified by either mode or mode_set_masked
>>> > in the setable attributes for the operation.
>>>
>>> RFC 8881 in section 6.2.5. specifies:
>>> "The mode_set_masked attribute is only valid in a SETATTR operation. If
>>> it is used in a CREATE or OPEN operation, the server MUST return
>>> NFS4ERR_INVAL."
>>>
>> Ok, I never noticed that
>>
>
>
> Good catch.  I didn't notice it either.
>
>
> I'll fix this. Thanks for pointing it out.
>>
>>
>>> So when creating a new object "mode_set_masked", cannot be used. For
>>> inheritance you need to use "mode_umask" attribute which is defined in
>>> RFC 8275. This attribute already handles this POSIX inheritance issue
>>> and I think it is required for proper POSIX ACL implementation.
>>>
>> Hmm. I suppose the document should say something about the use of
>> this attribute, if it is supported. (Since it is yet another
>> optional 4.2 extension, I'd rather not have these attributes
>> depend on support for it.)
>> I suppose it can go as far as recommending support of it?
>>
>
> I think you can also RECOMMEND it or REQUIRE it.  I don''t have strong
> feelings about this.
>
>
>>
>>> > For a SETATTR, setting a zero length acl (for a file object with a
>>> > true form ACL of ACL_MODEL_NFS4) ... will delete the true form ACL(s)
>>> > from the file object and revert it to ACL_MODEL_NONE.
>>>
>>> Why is this needed? Empty NFS4 ACL is same valid NFS4 ACL. If somebody
>>> want to restrict access to some file then setting empty list of ACEs
>>> which is zero-length acl. I think that ACL with no access should still
>>> be in NFS4 model.
>>>
>> For the case of ACL_SCOPE_FILE_OBJECT, I believe there needs to be
>> a way to "delete" the NFSv4 ACL. For example, here is a snippet from
>> IBM's doc. on GPFS:
>> You can also change the type of ACL by the mmdelacl command (causing the
>> permissions to revert to the mode, which is in effect a POSIX ACL).
>> As you might have guessed, "mmdelacl" deletes the ACL.
>>
>> As such, it seems that there must be a way to "delete" a NFSv4 ACL and
>> setting "acl" to a 0 length ACL seemed the convenient way to do it.
>>
>
> I always thought that was the case but it might not be said
> explicitly anywhere.
>
> --> For GPFS, "delete" seems to actually be defined as switch to a
>>     minimal POSIX ACL.
>>
>>
>>> Comparing with Windows. On Windows (and in SMB protocol) there are two
>>> different operations which can be done on object: Erasing DACL (by
>>> setting it to NULL) and setting empty DACL (by setting empty list of
>>> ACEs). Erasing is really erasing of the DACL in the storage (similar
>>> like erasing POSIX ACL and reverting to mode_only) which has same effect
>>> as ALLOW-EVERYONE-FULL-ACCESS. And setting empty list has effect of the
>>> DENY-EVERYONE-FULL-ACCESS (as ACLs are default-DENY, there is no rule
>>> which can grant some access).
>>>
>>> As NFS4 does not have a way to set ACL to NULL, it has only the section
>>> option and matches Windows behavior of empty-ACE-list as NFS4 is also
>>> default-DENY.
>>>
>> Thanks for pointing this out. I did not realize a zero length SMB/Windows
>> ACL had a defined meaning. I think this draft should avoid assigning a
>> meaning to a zero length ACL.
>> --> I think that a "deleted ACL" case could be defined for both models
>>     of ACL. (Something like an ACL with a single ACE that is defined
>>     as "deleted ACL".)
>>     I discuss this a bit more later.
>>
>> I cannot find anything in RFC8881 that defines what setting a zero
>> length ACL means (although you've already seen that I am not good at
>> reading such things;-).
>> It might be better if this draft avoids the "setting of a zero length ACL"
>> and let David's draft address the semantics of that?
>>
>
> I can do that for NFSv4 ACLs in acls-05.   You could then consder the
> effect of
> "deletion of the dacl" instead.
>
> The only problem would be if you want want your draft to be
> published before mine.
>
> I can see how the windows handling (deny-everything) is different, but I
> think I can deal with that differently since NFsv4 ACLs are
> coordinated with mode and so the effect would be that
> authorization decisions are controlled only by mode in this case.
>
>>
>> What do others think?
>>
>>
>>> > A server that is configured for a acl_trueform_scope other that
>>> > ACL_SCOPE_FILE_OBJECT MUST not support the posix_default_acl and
>>> > posix_access_acl unless the true form for the file system is
>>> > ACL_MODEL_POSIX_DRAFT.
>>>
>>> This is a restriction which basically means that no existing NFS4
>>> server with native NFS4 ACL support can support "posix_access_acl".
>>> In multiprotocol environment where is NFSv4.0 and NFSv4.1, the NFS4
>>> server would have to provide server scope native NFS4 model (to support
>>> NFSv4.1 as as your document is only for NFSv4.2) which implies that
>>> server must not support POSIX ACL. And same applies in the multiprotocol
>>> environment with NFS4 and SMB.
>>>
>> Not exactly. posix_access_acl refers to the proposed optional
>> attribute for NFSv4.2 (same goes for acl_trueform_scope).
>> What the server does w.r.t. "true form" is up to the server.
>>
>
> Actually it is up to the working group, although we have no means of
> enforcement.
>
>
> Same goes for the scope of it.
>> (For example, Linux server always use POSIX draft ACLs.)
>>
>> The difference is that NFSv4.0 and 4.1 clients cannot know
>> what the "true form" is and can only see NFSv4 ACLs (possibly
>> mapped to/from POSIX draft ACLs).
>>
>> What the above restriction is meant to do is allow a NFSv4.2
>> client to know that the "true form" is ACL_MODEL_POSIX_DRAFT
>> when the scope is ACL_SCOPE_FILE_SYSTEM or ACL_SCOPE_SERVER
>> by seeing that posix_access_acl and posix_default_acl are
>> supported_attrs for the file system.
>> --> Note that acl_trueform_scope is "per server", so a client
>>     only needs to GETATTR this attribute once for the server.
>>     Then, if that is ACL_SCOPE_FILE_SYSTEM or ACL_SCOPE_SERVER,
>>     it can tell that the "true form" is ACL_MODEL_POSIX_DRAFT
>>     as soon as it sees posix_access_acl and posix_default_acl
>>     in supported_attrs.
>>     --> It does not have to bother to check acl_trueform,
>>         which would often result in an extra RPC.
>>
>>
>>> I think that this is too strict and what would happen is either that
>>> this extension would not be implemented OR section option (which I think
>>> everybody would do) is ignoring this restriction.
>>>
>> As above, this does not define what the server does for NFSv4.0
>> and NFSv4.1, it just simplifies what a NFSv4.2 client needs to
>> check, if it knows about and the server supports the extension
>> proposed by this draft.
>>
>>>
>>> I guess that for compatibility with FreeBSD and Linux, servers would
>>> implement it even on NFS4 server scope model.
>>>
>> Not sure what you mean by this. Linux always uses a "true form"
>> of POSIX ACL and FreeBSD supports one of POSIX ACL or NFSv4 ACL
>> on a per-file system basic (at least for now).
>> - That is not changed by this extension. All this extension does
>>   is allow NFSv4.2 clients to use the server more effectively
>>   by choosing to get/set the "true form" and avoiding mapping,
>>   assuming the client and server both implement the extension.
>> Other file systems (IBM's GPFS seems to be the extant example
>> I am aware of) also supports a "true form" on a per-file basis.
>> (Again this is a server file system configuration choice and
>> is not affected by whether or not this extension is supported
>> by a NFSv4.2 server.)
>>
>>
>>>
>>> And I have there two additional points without quoting your document.
>>>
>>> 1)
>>>
>>> Your document does not describe what existing RFC 8881 acl and dacl
>>> attributes should return when user sets new "posix_default_acl" or
>>> "posix_access_acl" attribute. Also what should happen when another
>>> client tries to change acl or dacl attribute when POSIX ACL is already
>>> active.
>>>
>> The intent (if that is not clear, the words need to be improved)
>> is that the server file system shall have one "true form" for each
>> file object. If the attribute(s) for the other "true form" is used
>> on the object (which assumes the server has chosen to put attributes for
>> both in supported_attrs for the file syetem, the GETATTR/READIR/SETATTR
>> will use mapping to translate it to/from the "true form".
>> The intent is to discourage use of mapping. As such, the client using
>> these extensions can avoid that by determining what the "true form" is
>> for the object and using the appropriate attributes.
>>
>
> I think it is more correct to say that the intent is to eliminate the need
> for mapping.  We don't need to discourage it since the inability to map
> curately already provides sufficient discouragement.
>
>
>> My thinking is that servers like FreeBSD (where the "true form" is
>> per-file
>> system and mapping is not supported) would:
>> (A) - Support posix_access_acl and posix_default_acl, but not acl, for
>> file
>>   systems that use POSIX ACLs as their "true form".
>> (B) - Support acl, but not posix_access_acl and posix_default_acl, for
>> file
>>   systems that ise NFSv4 ACLs as their "true form".
>> For Linux servers, they might choose (A) above, or they might choose
>> to support all of acl, posix_access_acl and posix_default_acl, where acl
>> is supported via the mapping algorithms they already use.
>>
>
> If they did that, they would have o have some way of rejecting NFSv4 ACLs
> that could not be translated to a POSIX ACL.
>
>
>> It is the case of a per-file scope where things get difficult:
>> The server will probably want to support all of acl, posix_access_acl
>> and posix_default_acl, but since the "true form" is defined a one
>> model for each file, then how should the attribute(s) for the other
>> model be handled?
>> - I would like to avoid mapping, so I think being able to return
>>   "no ACL" would be preferred.
>> - I had thought a zero length ACL would work for this, but that no
>>   longer appears to be the case.
>>
>
> Why not?
>
I will defer any mechanism w.r.t. erasing a NFSv4 ACL to your work.
I will allow a server to return a zero length ACL when the acl does
not exist, but will note that a client needs to check to see if
acl_trueform != ACL_MODEL_NONE to determine that it exists.


> Maybe, defining an ACL with a single ACE that says "not valid" would
>> work?
>> This could be the reply for GETATTR/READDIR and could be used to
>> "erase" the ACL for SETATTR.
>> --> I think this is what the next draft will propose.
>>
>
> If we want to go this way. It should be done in acls-xx for NFSv4 ACLs.
>
Agreed. My draft will only note that, if an NFSv4 ACL has been deleted,
a zero length NFSv4 ACL is returned and acl_trueform == ACL_MODEL_NONE.

rick

>
>>
>>> If interop between mode, dacl and posix_default_acl, posix_access_acl
>>> attributes is not explicitly defined in specification then every server
>>> implementation will invent its own rules and it would just lead to the
>>> mess in multiprotocol environment where clients would not be sure what
>>> can happen. Like it is already with "mode" attribute in NFS v4.1 (see 2).
>>>
>> For posix_access_acl and posix_default_acl the intent is that the
>> POSIX draft specification defines the interaction between mode and
>> the POSIX ACL.
>>
>> For NFSv4 ACLs, you are correct. It is a mess.
>> And I wish David N. the best of luck w.r.t. cleaning it up.
>>
>
> Will do my best in acls-05.
>
> (OpenZFS already has a knob that specifies 4 different ways
>> of doing this. Another knob setting may be needed.)
>>
>> Thanks for the comments, rick
>>
>>>
>>> 2)
>>>
>>> Then there is a problem with "group" bits of "mode" attribute.
>>> In RFC 8881 section 6.2.4 is written:
>>>
>>> "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals
>>> identified in the owner_group attribute but who are not identified in
>>> the owner attribute."
>>>
>>> And in section 6.3.2.1 is written:
>>>
>>> "Some server implementations also add bits permitted to named users and
>>> groups to the group bits (MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP).
>>> Implementations are discouraged from doing this."
>>> "The same user confusion seen when fetching the mode also results if
>>> setting the mode does not effectively control permissions for the owner,
>>> group, and other users; this motivates some of the requirements that
>>> follow."
>>>
>>> POSIX ACL with at least one named user or named group requires that
>>> mode group bits refers to POSIX ACL mask, and not to the POSIX ACL
>>> group_obj (which represents owner_group).
>>>
>>> Those RFC 8881 parts of NFS mode attribute are basically not compatible
>>> with POSIX ACL. Your extension does not mention this problem and does
>>> not handle it.
>>>
>>> Existing NFS4 servers which follows the RFC 8881 meaning of mode group
>>> bits, would not be able to implement this your extension for POSIX ACL,
>>> because existing servers cannot change behavior of mode attribute due
>>> backward compatibility. I think that this is a big problem.
>>> Servers in multiprotocol environment mostly follows the RFC 8881 advice
>>> to never return something like "POSIX mask" in group bits.
>>>
>>> How to solve this problem. One option could be including all mode bits
>>> into your new "posix_access_acl" attribute and let NFS4 clients to use
>>> only "posix_access_acl" on chown operation, and never use existing
>>> "mode" attribute at all (if the extension is supported by server).
>>>
>>> Another option could be to introduce a new "posix_mode" attribute which
>>> would be strictly POSIX and old "mode" attribute can stay as before for
>>> backward compatibility. Again clients would not use "mode" attribute
>>> anymore.
>>>
>>
> A similar possibility is discussed in an appendix to acls-04.   The idea
> is a read-only mode_info attribute
> that clients could use if they want to display a mode that can be
> displayed to reflect a summary of the ACL permissions.
>
>
>
>>>
>>> Regards,
>>> Pali
>>>
>> _______________________________________________
>> nfsv4 mailing list -- nfsv4@ietf.org
>> To unsubscribe send an email to nfsv4-leave@ietf.org
>>
>