[nfsv4] Re: back to AA
Rick Macklem <rick.macklem@gmail.com> Sat, 07 September 2024 02:42 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76A0DC14F619 for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 19:42:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbalWZE4D5Nn for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 19:42:46 -0700 (PDT)
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F2DBC14F605 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 19:42:46 -0700 (PDT)
Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-7179802b8fcso1820567b3a.1 for <nfsv4@ietf.org>; Fri, 06 Sep 2024 19:42:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725676966; x=1726281766; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=lAXynh1sqCFESi4xWo7pknhUPtAVWWzUWbShd72a2/o=; b=LEl+6fRBessXuZSi6DhvQnJgRvSX+PRTowKngvmqevu02xHABlntlJMukQnNXMETB+ TszQkK13Of8bA02M2pqgzsirwz6f/DVTS+1yFo5H3mTFehDM8WL9TmJlPqye6kXK3+Y8 JRZ2AtRXtvw2WKBEq4lERMhINE2hQU1l9hA8K1BAi4SyzvSNfxQE/QxbqYRNn94khcOc GCID7EIZMIZkbsfgjYUUsiGgCj2rSD6x0SNYSIKQIOIpT3ZVQL8pHqp+0ad504WoTTW6 I4uclnCsEFzMPqZGQ0Hj9+sTinNl8KY6Guzq3AoisgOXbSsX79tlsTw8nD5uyLFiO0lD Dl3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725676966; x=1726281766; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lAXynh1sqCFESi4xWo7pknhUPtAVWWzUWbShd72a2/o=; b=QXaWscVM5T9RzquMNF2EyAANmo4NjPFEw2eul3I/CTiyEpiKjDZeE9jfYY/VjsOatS 8Kgpn2UXdJgfAALh3qca5jhIy40sqG0Xzs8IfyT8/VmW/6whE3/abCM3fFYgG4uyvoZo wR/NbGTzt9ho+/+9guICFTUE7qemFbcxO+apXjFRjig76ISx929TkmvyUHKagNtdYKWw nJXyV1UoapYZ8GifTUd+JD1P+PrXMGCtYY5fLWISMvK+dm/kFovAzqNCtXT+x6zFnSbU 4VFMpz6EIwY4gsYvLl3rtIiq2cQW/x8xCRyZYbAaQ/IzaP72o/KkQW5zyIdmCGcqsfj1 x9pQ==
X-Gm-Message-State: AOJu0YyR8tKfcnTANVS+u/QL+PfI1JlJ7QkYlQDYBEgn/P7kv5BCoHog 4SeZrVqGgdXn4Q8dDmMd+V5bgVUzm5jZjtdxCQjfzL2ewyr6IA+er9E2QH7tkJQ0dYUruL9N8qw MtbHKFNEUaGA5KyjtAwVQgudLWA==
X-Google-Smtp-Source: AGHT+IHq/XXPji3lJ2MWzCw+W9mbnyVcoxUSw43Z9YtyaRU7XtkkBlEB7HhDBSxoiPCZRF2RjGwczuCVaKeJxKllWM0=
X-Received: by 2002:a05:6a21:58d:b0:1cc:ddd7:b091 with SMTP id adf61e73a8af0-1cf1d0efe7fmr4465891637.20.1725676965794; Fri, 06 Sep 2024 19:42:45 -0700 (PDT)
MIME-Version: 1.0
References: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org> <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com> <8510AEBC-237C-4E2C-AE27-909A8FE50CA7@cert.org>
In-Reply-To: <8510AEBC-237C-4E2C-AE27-909A8FE50CA7@cert.org>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 06 Sep 2024 19:42:35 -0700
Message-ID: <CAM5tNy7B_oftnERRfxNyzczAkZX_6b-H=9fzHbs+pLsVydjXVQ@mail.gmail.com>
To: Chris Inacio <inacio@cert.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: NJ7RJDPSC6JS5H2S5TQXIYUFIEEI5VZP
X-Message-ID-Hash: NJ7RJDPSC6JS5H2S5TQXIYUFIEEI5VZP
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: back to AA
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/feF4lDivruWrZfcrd-NyfYU9Nw8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Fri, Sep 6, 2024 at 6:41 PM Chris Inacio <inacio@cert.org> wrote: > > >> > >> I would like to add an Authentication/Authorization topic. To scope down what I would like to discuss here: I need to read RFC2203 first. Just from browsing the table of contents for 2203, I’m not sure this helps me understand what are *the protocol needs* with how a file system backend stores/maps the network identity of the client. > > I don't know if this will help save you some time, but here is my > > recollection of how RPCSEC_GSS/Kerberized NFS works... > > - The client translates a user identity into a Kerberos principal (a > > string like "rmacklem@MY.REALME") > > (This is usually a trivial mapping of username and default REALM.) > > --> The client uses the user's TGT to acquire a session ticket from the KDC. > > - The GSSAPI layer wraps this session ticket up in a blob they call a token. > > - This "token" is sent to the server via a Null RPC by RPCSEC_GSS layer. > > --> There is a back and forth between client and server, using Null RPCs > > in the RPCSEC_GSS layer that, if successful, authenticates the Kerberos > > prinicipal name on the server and creates a shorthand for the > > Kerberos principal. > > (Translation from Kerberos principal is whatever the server > > chooses to do. > > For POSIX like systems, it typically strips off the @REALM > > and then looks the > > name up in the password/group databases to create POSIX > > credentials for the user, > > which are associated with the shorthand mentioned above.) > > --> Then the client uses the shorthand (authenticated via encryption > > using the session key > > from the Kerberos session ticket) to identify the "user" to the > > server. That's what RPCSEC_GSS > > is doing for non-NULL RPCs. > > (Hopefully this is close. It has been a long time since I coded this stuff.) > > > > This is really helpful, thanks. (Is this in nfsuserd in FreeBSD? Pulling up the code - you apparently wrote it in 2009. ;). I’m happy because it’s basically a single file of 909 lines.) It is the part that does the owner/owner_group names when "uid #s in the string" is not enabled (which is always the case for Kerberized mounts). Basically the FreeBSD equivalent to idmapd on Linux distros. The other piece is the gssd, which does the GSSAPI calls for RPCSEC_GSS. (I wasn't the author of this one, although I did write a more primitive one long ago.) And then the big piece is the Kerberos libraries (which include the GSSAPI calls, if you are using open source, such as MIT or Heimdal). Adding a mechanism to the GSSAPI code in MIT's Kerberos distro is what I thought Tigran was planning? --> Somehow there needs to be a relationship between "user name", "authentication principal" and "the name in owner/owner_group". Right now, I think most implementations (maybe all?) make these three the same string. > > Ganesha must do this differently, right? Doesn’t it run in user space? Does it have a separate DB for this mapping? The example I can find is Ganesha running on top of Ceph – and it doesn’t seem to be particularly running in user space. (https://github.com/nfs-ganesha/nfs-ganesha/wiki/Kerberos-setup-for-NFS-Ganesha-in-Ceph) I am making a lot of guesses on Ganesha operation I’ve realized. > > > In theory, other mechanisms than Kerberos can be created for GSSAPI/RPCSEC_GSS, > > but there has not been much done. (Long ago there was an RFC and some code for > > a public key system, but no one adopted it.) > > > > It sounds like Tigran et al might be thinking of a new mechanism, > > although I haven't looked > > at what he has written up yet, > > > > Right now there is more the statement of what might go in such a draft than the text itself. I would really like to understand how someone who manages a hybrid multi cloud instance for data storage deals with AA. It must be complicated. The SCIM WG (https://datatracker.ietf.org/wg/scim/) is developing cross-domain identity management. I have no idea if it would help at all, but if that’s a the right tool for a problem we (eventually) face it’s available. (Although from what little I know of it, I would rather use ONC RPC than RPCs built on top of HTTP, but maybe I’m just old.) > > >> Please *do not* think I’m trying to standardize how that works (that is a server implementation choice) but what needs to be on the wire to enable servers do that _however they chose to do it._ > > Reading through enough of the POSIX ACLs some of the large > > differences between NFSv3 and NFSv4 become clear. > > I'm not sure if this sounds silly, but on-the-wire it is basically a > > string (owner/owner_group defines it as "user@domain", > > where the domain was never well defined. (Right now, most just handle > > one "domain". I don't think there is even a well > > defined way of checking "same string". By this I mean, does the DNS > > case insensitive and/or puny encoded rules apply?) > > > > Good points to consider if there is an extension to think about how to update AA. > > > (For authentication, it is still a string, but with something that assures the > > server that it is legit. > > > > rick >
- [nfsv4] Interim meeting agenda topics Chris Inacio
- [nfsv4] Re: Interim meeting agenda topics Rick Macklem
- [nfsv4] Re: back to AA Chris Inacio
- [nfsv4] Re: back to AA Rick Macklem
- [nfsv4] Re: back to AA David Noveck
- [nfsv4] Re: back to AA David Noveck
- [nfsv4] Interim meeting agenda topics David Noveck
- [nfsv4] Re: Interim meeting agenda topics Pali Rohár
- [nfsv4] Re: Interim meeting agenda topics Rick Macklem
- [nfsv4] Re: Interim meeting agenda topics David Noveck
- [nfsv4] Re: Interim meeting agenda topics Pali Rohár
- [nfsv4] Re: Interim meeting agenda topics David Noveck
- [nfsv4] Re: Interim meeting agenda topics David Noveck
- [nfsv4] Re: Interim meeting agenda topics Pali Rohár
- [nfsv4] Re: Interim meeting agenda topics Rick Macklem
- [nfsv4] Re: Interim meeting agenda topics Pali Rohár