[nfsv4] Re: Our different approaches to draft POSIX ACL support in NFSv4

Trond Myklebust <trondmy@hammerspace.com> Tue, 23 July 2024 20:40 UTC

From: Trond Myklebust <trondmy@hammerspace.com>
To: "chuck.lever@oracle.com" <chuck.lever@oracle.com>
Date: Tue, 23 Jul 2024 20:39:55 +0000
CC: "bfields@fieldses.org" <bfields@fieldses.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/mo61dukjenZFj1EtX6jFIOCTY9U>

On Tue, 2024-07-23 at 19:06 +0000, Chuck Lever III wrote:
> 
> 
> > On Jul 23, 2024, at 2:09 PM, Trond Myklebust
> > <trondmy@hammerspace.com> wrote:
> > 
> > On Tue, 2024-07-23 at 15:27 +0000, Chuck Lever III wrote:
> > > 
> > > 
> > > > On Jul 23, 2024, at 10:27 AM, Trond Myklebust
> > > > <trondmy@gmail.com> wrote:
> > > > 
> > > > On Tue, 2024-07-23 at 13:54 +0000, Chuck Lever III wrote:
> > > > > 
> > > > > > On Jul 22, 2024, at 7:13 PM, Rick Macklem
> > > > > > <rick.macklem@gmail.com> wrote:
> > > > > > 
> > > > > > I just looked at opensolaris/usr/src/head/rpcsvc/nfs_acl.x
> > > > > > which I think is the closest thing there is to a spec. for
> > > > > > NFSACL.
> > > > > > (FreeBSD does not implement this protocol and all I know
> > > > > > about it is what this little .x file indicates.)
> > > > > 
> > > > > That's excellent, thanks for finding it.
> > > > > 
> > > > > My concern about this is that the cited .x file falls under
> > > > > CDDL, and thus cannot be used directly by a GPL-encumbered
> > > > > OS like Linux, nor can it be contributed to the IETF in its
> > > > > current form.
> > > > > 
> > > > > This is clearly prior art.
> > > > > 
> > > > > My question then is whether we should endeavor to produce
> > > > > an Informational document that describes NFSACL without
> > > > > encumbrance -- ie, get Sun-Oracle to contribute that work
> > > > > so that it might be used openly.
> > > > > 
> > > > 
> > > > Why do we care?
> > > 
> > > As I explained, we do want to have a protocol specification
> > > for NFSv4 that will not be disruptive to folks who were using
> > > NFSv3 and are now accessing the same ACLs via NFSv4.2+
> > 
> > No we don't.
> > 
> > We need a new protocol specification that works correctly with the
> > draft POSIX acls in use with existing Linux and other filesystems,
> > and that supports all the features of the IEEE 1003.1e draft 17
> > document that were implemented within Linux and the *BSD.
> > Once we have that, I will happily plug that implementation into the
> > inode 'get_acl()' and 'set_acl()' callbacks, and people will be
> > able to use the bog standard getfacl and setfacl utilities to
> > control the POSIX ACLs as if they were running on a native
> > filesystem.
> > 
> > If people then still want to use the nfs4_getfacl and nfs4_setfacl
> > tools to use the existing ACL attribute against a server that
> > implements the draft-ietf-nfsv4-acl-mapping-05 (or whatever it is
> > that the Linux server actually implements) then they can continue
> > to do so without any further help from this committee. There will
> > be no need to encourage the development of further broken
> > implementations, if there is a real NFSv4.2 API that can replace it.
> 
> That's all very nice, but....
> 
> I'm not talking about mapped NFSv4 ACLs or
> developing legacy implementations, so let's put
> aside those straw men, please. You seem to be
> getting excited about something I didn't write
> nor did I intend.
> 
> The proposed fattr4 POSIX ACL support needs to be
> compatible with NFSACL as well. The view of POSIX
> ACLs from an NFSv3 mount needs to be compatible
> with whatever can be seen via the proposed NFSv4
> POSIX ACLs.
> 
> At the very least, those compatibility requirements
> need to be stated in acls-04. I wasn't necessarily
> looking for an on-the-wire form of compatibility,
> that's just what Rick brought up in the discussion.
> And I had no idea that NFSACL had a version 4.
> 
> But semantic compatibility is needed, and that is
> complicated by not having a published first-order
> description of the legacy semantics.
> 
> Further, acls-04 needs to address the fact that what
> it is to propose looks semantically and on-the-wire
> a lot like NFSACL, and that protocol has been in the
> wild for 25+ years, has no published specification,
> and is very likely encumbered. This IP issue has to
> be spelled out and addressed somehow.
> 
> A simple, concrete proposal would be for Oracle to
> contribute NFSACL to the IETF via an Informational
> document similar to RFC 1813.
> 

The draft POSIX ACL spec is not based on some spec for NFSACL. The
draft POSIX ACL spec is IEEE 1003.1e draft 17.

The contents of the NFSACL xdr file are at best a description of an API
that we will not be wanting to follow, because it describes an RPC side
band protocol, and is based on NFSv3 semantics. It does not describe
draft POSIX acls.

If you want a reference that is independent of the IEEE draft, then why
not instead go for Andreas' Freenix paper from 2003?
https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html
That actually describes in detail the spec that needs to be followed.

-- 
Trond Myklebust 
CTO, Hammerspace Inc 
1900 S Norfolk St, Suite 350 - #45 
San Mateo, CA 94403 
www.hammerspace.com