IETF Logo Mail Archive

Re: [nfsv4] https://datatracker.ietf.org/doc/draft-myklebust-nfsv4-pnfs-backend/

Trond Myklebust <trond.myklebust@fys.uio.no> Thu, 18 November 2010 01:59 UTC

Return-Path: <trond.myklebust@fys.uio.no>
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0A8C3A63C9 for <nfsv4@core3.amsl.com>; Wed, 17 Nov 2010 17:59:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yBpvYmG+JUAH for <nfsv4@core3.amsl.com>; Wed, 17 Nov 2010 17:59:11 -0800 (PST)
Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by core3.amsl.com (Postfix) with ESMTP id 8FECB3A635F for <nfsv4@ietf.org>; Wed, 17 Nov 2010 17:59:10 -0800 (PST)
Received: from mail-mx5.uio.no ([129.240.10.46]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <trond.myklebust@fys.uio.no>) id 1PItn2-0006cD-2t; Thu, 18 Nov 2010 02:59:56 +0100
Received: from c-68-40-206-115.hsd1.mi.comcast.net ([68.40.206.115] helo=[192.168.1.29]) by mail-mx5.uio.no with esmtpsa (SSLv3:CAMELLIA256-SHA:256) user trondmy (Exim 4.69) (envelope-from <trond.myklebust@fys.uio.no>) id 1PItn1-000059-59; Thu, 18 Nov 2010 02:59:56 +0100
From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Thomas Haynes <thomas@netapp.com>
In-Reply-To: <3614AF54-FA76-44ED-A070-EE5E37D9EB01@netapp.com>
References: <3614AF54-FA76-44ED-A070-EE5E37D9EB01@netapp.com>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 17 Nov 2010 20:59:50 -0500
Message-ID: <1290045590.3070.43.camel@heimdal.trondhjem.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.0 (2.32.0-2.fc14)
Content-Transfer-Encoding: 7bit
X-UiO-Ratelimit-Test: rcpts/h 2 msgs/h 1 sum rcpts/h 5 sum msgs/h 2 total rcpts 1160 max rcpts/h 20 ratelimit 0
X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO)
X-UiO-Scanned: 62FE5A54C81872D185E65F36A255A77E623ABE72
X-UiO-SPAM-Test: remote_host: 68.40.206.115 spam_score: -49 maxlevel 80 minaction 2 bait 0 mail/h: 1 total 455 max/h 7 blacklist 0 greylist 0 ratelimit 0
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] https://datatracker.ietf.org/doc/draft-myklebust-nfsv4-pnfs-backend/
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 01:59:11 -0000

On Wed, 2010-11-17 at 16:04 -0800, Thomas Haynes wrote:
> Trond,
> 
> Some questions I had after reading this:
> 
> 1) What keeps another client from spoofing a file handle to get at a cached file?
> 
> Note that there is no export control on cached files. The caching server
> has to assume that the MDS did the access checks. With AUTH_UNIX,
> this means that any client can get access with a spoofed file handle.
> 
> Another implementation issue here is that the caching server, if it does
> per op access checks, will now need to know to skip such checks on these
> files.

The client acting as the DS is supposed to check with the MDS that the
file handle is valid and that the client 2 is authorised to access it.
That's precisely what the PROXY_OPEN is for: to allow the MDS to check
that client 2 holds a layout.

> 2) What keeps a file handle clash from occurring?
> 
> I.e., the cached file has a file handle which maps to a valid file on the caching
> server.

It is up to the MDS to generate data server filehandles that do not
clash.

> 3) This also goes with the following from the draft:
> 
> >    When the data server receives a READ request from a client with a
> > 
> > 
> > 
> > 
> > Myklebust                Expires January 7, 2010                [Page 5]
> >  
> > Internet-Draft      pNFS back end protocol extensions          July 2009
> > 
> > 
> > 
> >    stateid or a data server filehandle that it does not recognise, it
> >    attempts to validate that request using the PROXY_OPEN call.  This
> >    operation will convert the data server filehandle as provided by the
> >    layout into a real filehandle, that the data server can use to access
> >    the file on the metadata server.  In order to make it easy for the
> >    data server to identify the file, the real filehandle SHOULD match
> >    the filehandle that was returned to the client when it received the
> >    read delegation.
> 
> 
> Which I take to imply that stateids must be unique on the MDS and
> these caching data servers. I.e., if a client presents a stateid that is
> already being used on the caching data server and it presents a valid
> filehandle from that caching data server, then the caching data server
> has to assume that the client is trying to access a non-cached file.

What do you mean by 'valid filehandle'? Data server filehandles are
_not_ the same as ordinary filehandles; they are filehandles that the
MDS has handed out as part of a layout and that need to be translated
via PROXY_OPEN. It is expected that they will be invalidated (and
presumably forgotten by the MDS and DS) when the layout is revoked.

> 4) I'm also reading this as saying that the data server filehandle SHOULD
> match the real filehandle presented in the layout. Indeed if it does not,
> then the data server will need to pass any filehandle it gets back to the
> MDS to see if it is a file handle it is caching.

It needs to do this once in order to translate the filehandle. Once that
is done, it can rely on the server to call it back when the layout is
revoked (and the filehandle is invalidated).

> 5) 
> 
> > 
> >    The PROXY_OPEN call also checks the access rights that were granted
> >    by the layout and the READ stateid for validity.  If the pNFS client
> >    in question does not hold a layout for this file, the PROXY_OPEN
> >    request from the data server will return NFS4ERR_PNFS_NO_LAYOUT.  In
> >    this case, the data server should not attempt to service the READ
> >    request, but should pass the error on to the pNFS client.
> > 
> 
> Is NFS4ERR_PNFS_NO_LAYOUT the only error that can be set here?

No. See the next paragraph.

> a) File does not exist (NFS4ERR_STALE)
> b) Client does not have permission to the underlying export (NFS4ERR_ACCESS)
> c) ...
> d) stateid is no longer valid, etc 
> 
> Ideally, the client should have gone through all of these steps in order to get
> the filehandle from the MDS, but nothing stops the client from holding onto the
> filehandle and the MDS deleting it, etc.

The DS holds a delegation for the file. The MDS can't delete it or
change access permissions; that would revoke the delegation, and hence
all layouts.

Cheers
  Trond

v2.23.0 | Report a Bug | By Email