[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02

David Noveck <davenoveck@gmail.com> Fri, 09 August 2024 20:53 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8498EC14CEFF for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 13:53:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sWCO3Ho6dCNx for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 13:53:25 -0700 (PDT)
Received: from mail-oo1-xc2f.google.com (mail-oo1-xc2f.google.com [IPv6:2607:f8b0:4864:20::c2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5379FC14F6A0 for <nfsv4@ietf.org>; Fri, 9 Aug 2024 13:53:25 -0700 (PDT)
Received: by mail-oo1-xc2f.google.com with SMTP id 006d021491bc7-5cdf7edddc5so1455548eaf.0 for <nfsv4@ietf.org>; Fri, 09 Aug 2024 13:53:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723236804; x=1723841604; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dmSCf86JZ4Fcfhk8/RHdlA290hIVoqxocDPgdiUH9iM=; b=a6+uxBlvFtFBciU9u79do1MT+QQ1P8h2BUSl9Zrad7Rni+07fp/B0Vfu7sbodbz2ni 1dy8G8KPSVhC7H324MhkJo9U6x5ek1F3uFj15lpwTEiMfcQunjHkGvN2HzrdBFcMK8Nk FZKoGqVk/GoebiVIp+Tcisp4WCHQdubAtz8soKnnf40mPApWc13xsZA8FPTL7d2Iykue hkQiCgSwX1qi1TVReWIMhNJUtw2GkHgrzBwNggrGzFboYp8jYAYiEMkpOrzfFw8BHuIz fCqWj8592fM8ae9/TNeM9I6r8CP1tIgz7/5oEHOHuAyp/FoHiWhpjyttXQMINl0ykv0K Sitw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723236804; x=1723841604; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dmSCf86JZ4Fcfhk8/RHdlA290hIVoqxocDPgdiUH9iM=; b=vZe+ta49kSZo8cANQue1YhTJ0YjSe1ZGq3clPjnKHuM6qAx1sDGWiHnA3LRISTJei0 Ac72dM7EooW29qtSzxsbstQEVpfzsp8NfSQCUhfyXGqUqM246pyNGDZwX3Yo+BpeDGuy Zw+WiHX9adobwpBZNumTgIfHD/AO8wxWH+Kg05193IuLBti86YZgjk/1sUWHmMvrIipd cdPsaV3hwCm6vWtWnbl8n1QIiKmMsvBejj4Dz3sSSCmKRKJHhofsIOABXgNxTTJ4542t 6jJLF5yRQv9GrWpHjYP5l46IOW3OvIQfxKdOVZf4iTP94X+Pbu+LZY51hX5ov1dOBguI vdrw==
X-Forwarded-Encrypted: i=1; AJvYcCVG2ZV8uFr+4hvN/fA0RR/AqmhJjwmm3BsbCqNhNa//lsvrU5lNa/F2kgWvLgQpiUobvjDd3g==@ietf.org
X-Gm-Message-State: AOJu0YyUtwFIAZQQSUS0KeuMjh7YggzraqokVjUd0NNz8yy4e0+zRfQu hLayRng5Pof/fvyX3FmE2qqoo/Ux0Mp5L7lfp3SJPrlLS7eZGBQ5TxdIRopGz4N/z0rCh7buU5J NRHw241cMNtGDOePC0ltO/1oCxJA=
X-Google-Smtp-Source: AGHT+IEz7q4voC5wxOnOL6SqNtpcTgRJciPo17IE+LvxD1abrvQ6rd7nbWlxJJ7ADSAhOve5KuRyEWGeD+dwLM9TxdA=
X-Received: by 2002:a05:6358:339a:b0:1ac:f839:e001 with SMTP id e5c5f4694b2df-1b177172cb1mr311586655d.22.1723236804214; Fri, 09 Aug 2024 13:53:24 -0700 (PDT)
MIME-Version: 1.0
References: <20240806170525.trrqy27aqu7sayb5@pali> <CAM5tNy4pPcP7AErkqvu2URqX9nCT-8i3y_esVzpyyjaHC6Uuew@mail.gmail.com> <20240807162216.cg7sbzgqyqn4hxnp@pali>
In-Reply-To: <20240807162216.cg7sbzgqyqn4hxnp@pali>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 09 Aug 2024 16:53:13 -0400
Message-ID: <CADaq8jdvgGWmO0gNvCfv_vYZRQDfsq3o+ab-YR3GYUhNtg3TLg@mail.gmail.com>
To: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
Content-Type: multipart/alternative; boundary="0000000000009447b6061f465525"
Message-ID-Hash: FSENHDKD2FJ4YOJHR2BARCUDUQTTDZTH
X-Message-ID-Hash: FSENHDKD2FJ4YOJHR2BARCUDUQTTDZTH
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/muFJquOyvRPy4_UANo-FHlYZyTw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Wed, Aug 7, 2024, 12:22 PM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
wrote:

> Hello Rick, I'm sending comments for the second part of your email.
>
> On Tuesday 06 August 2024 15:20:50 Rick Macklem wrote:
> > On Tue, Aug 6, 2024 at 10:05 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im
> >
> > wrote:
> > > > A server that is configured for a acl_trueform_scope other that
> > > > ACL_SCOPE_FILE_OBJECT MUST not support the posix_default_acl and
> > > > posix_access_acl unless the true form for the file system is
> > > > ACL_MODEL_POSIX_DRAFT.
> > >
> > > This is a restriction which basically means that no existing NFS4
> > > server with native NFS4 ACL support can support "posix_access_acl".
> > > In multiprotocol environment where is NFSv4.0 and NFSv4.1, the NFS4
> > > server would have to provide server scope native NFS4 model (to support
> > > NFSv4.1 as as your document is only for NFSv4.2) which implies that
> > > server must not support POSIX ACL. And same applies in the
> multiprotocol
> > > environment with NFS4 and SMB.
> > >
> > Not exactly. posix_access_acl refers to the proposed optional
> > attribute for NFSv4.2 (same goes for acl_trueform_scope).
> > What the server does w.r.t. "true form" is up to the server.
> > Same goes for the scope of it.
> > (For example, Linux server always use POSIX draft ACLs.)
> >
> > The difference is that NFSv4.0 and 4.1 clients cannot know
> > what the "true form" is and can only see NFSv4 ACLs (possibly
> > mapped to/from POSIX draft ACLs).
> >
> > What the above restriction is meant to do is allow a NFSv4.2
> > client to know that the "true form" is ACL_MODEL_POSIX_DRAFT
> > when the scope is ACL_SCOPE_FILE_SYSTEM or ACL_SCOPE_SERVER
> > by seeing that posix_access_acl and posix_default_acl are
> > supported_attrs for the file system.
> > --> Note that acl_trueform_scope is "per server", so a client
> >     only needs to GETATTR this attribute once for the server.
> >     Then, if that is ACL_SCOPE_FILE_SYSTEM or ACL_SCOPE_SERVER,
> >     it can tell that the "true form" is ACL_MODEL_POSIX_DRAFT
> >     as soon as it sees posix_access_acl and posix_default_acl
> >     in supported_attrs.
> >     --> It does not have to bother to check acl_trueform,
> >         which would often result in an extra RPC.
>
> Ok, I will try to describe this issue in different way on example.
>
> NFS4 client can decide that will not implement support for ACL and DACL
> attributes because, NFS4 client is POSIX only and mapping from NFS4 to
> POSIX cause issues for that client.
>
> NFS4 client will implement this extension, so it would understand only
> POSIX_ACCESS_ACL and POSIX_DEFAULT_ACL attributes.
>
> There are existing NFS4 server which implements multiprotocol
> environment. Such server would always use NFS4 true form ACLs and
> nothing different


That is not always true .  It can uses either form on a per-file basis.

>for example because POSIX ACL cannot store SMB ACLs).

> So such server would return for acl_trueform_scope ACL_SCOPE_SERVER (or
> ACL_SCOPE_FILE_SYSTEM in case server supports more filesystems and want
> such feature).
>
> Now according to your description, such server "MUST not support the
> posix_default_acl and posix_access_acl" (because its true form is NFS4).
>
> So it means for NFS4 clients which would implement only POSIX_ACCESS_ACL
> and POSIX_DEFAULT_ACL attributes, those NFS4 servers are not able to
> serve any ACL.
>
> And if customers of such NFS4 server start asking for "ACL compatibility
> with that NFS4 client" then such NFS4 server would ignore the part "MUST
> not support the posix_default_acl and posix_access_acl" and will start
> providing these attributes via some translation or mapping (it would be
> even worse mess).


Or they could switch to a per-file scope.  I think should (note lower case).


> This is why I think it is too restrictive. It is disallowing NFS4
> servers to provide compatibility for POSIX NFS4 clients.
>

It would be too restrictive, if it were the case.


> >
> > > I think that this is too strict and what would happen is either that
> > > this extension would not be implemented OR section option (which I
> think
> > > everybody would do) is ignoring this restriction.
> > >
> > As above, this does not define what the server does for NFSv4.0
> > and NFSv4.1, it just simplifies what a NFSv4.2 client needs to
> > check, if it knows about and the server supports the extension
> > proposed by this draft.
> >
> > >
> > > I guess that for compatibility with FreeBSD and Linux, servers would
> > > implement it even on NFS4 server scope model.
> > >
> > Not sure what you mean by this.
>
> I explained above the whole example. I did not mentioned in it explicit
> client and servers as it nos tight to FreeBSD or Linux. Hopefully it
> would be clear now what I mean.
>

 Not to me.


> > Linux always uses a "true form"
> > of POSIX ACL and FreeBSD supports one of POSIX ACL or NFSv4 ACL
> > on a per-file system basic (at least for now).
> > - That is not changed by this extension. All this extension does
> >   is allow NFSv4.2 clients to use the server more effectively
> >   by choosing to get/set the "true form" and avoiding mapping,
> >   assuming the client and server both implement the extension.
> > Other file systems (IBM's GPFS seems to be the extant example
> > I am aware of) also supports a "true form" on a per-file basis.
> > (Again this is a server file system configuration choice and
> > is not affected by whether or not this extension is supported
> > by a NFSv4.2 server.)
> >
> >
> > >
> > > And I have there two additional points without quoting your document.
> > >
> > > 1)
> > >
> > > Your document does not describe what existing RFC 8881 acl and dacl
> > > attributes should return when user sets new "posix_default_acl" or
> > > "posix_access_acl" attribute. Also what should happen when another
> > > client tries to change acl or dacl attribute when POSIX ACL is already
> > > active.
> > >
> > The intent (if that is not clear, the words need to be improved)
> > is that the server file system shall have one "true form" for each
> > file object. If the attribute(s) for the other "true form" is used
> > on the object (which assumes the server has chosen to put attributes for
> > both in supported_attrs for the file syetem, the GETATTR/READIR/SETATTR
> > will use mapping to translate it to/from the "true form".
>
> Ok, I think this is important to know and was not clear for me.
> So it means that if server's true form is POSIX and NFS4 client call
> GETATTR(DACL) command then server is required to map its POSIX ACL into
> NFS4 ACL. I think that this should be explicitly mentioned to prevent
> any confusion.
>

As I understand things it needs to report that there is no NFSv4 DACL
(length zero or whatever else we decide).


> > The intent is to discourage use of mapping. As such, the client using
> > these extensions can avoid that by determining what the "true form" is
> > for the object and using the appropriate attributes.
>
> Now I understand. So NFS4 client without this extension would use just
> ACL and DACL attributes. And NFS4 client with this extension can use
> POSIX_ACCESS_ACL if wants and can benefit from it.
>
> > My thinking is that servers like FreeBSD (where the "true form" is
> per-file
> > system and mapping is not supported) would:
> > (A) - Support posix_access_acl and posix_default_acl, but not acl, for
> file
> >   systems that use POSIX ACLs as their "true form".
>
> Why not ACL/DACL attribute at least via mapping? This will degrade NFS4
> clients which use NFS4 true form ACL or similar (e.g. Windows or SMB).
>
> RFC 8881 suggest implementations to implement ACL and DACL attributes
> for access control. So servers which will not implement ACL and DACL
> attribute would for access control would not be compatible with RFC 8881
> clients which expects access control.
>

  Not true.  The ACL and DACL attributes are OPTIONAL.  If they are not
supported, access control is provided POSIX-style using the attributes
mode, owner, owner_group which are now REQUIRED.  If this is not clear in
RFC8881, I  hope it is in draft-dnoveck-nfsv4-security.


> > (B) - Support acl, but not posix_access_acl and posix_default_acl, for
> file
> >   systems that ise NFSv4 ACLs as their "true form".
>
> That makes sense. Export POSIX_ACCESS_ACL/POSIX_DEFAULT_ACL only in case
> POSIX is server's true form.
>
> > For Linux servers, they might choose (A) above, or they might choose
> > to support all of acl, posix_access_acl and posix_default_acl, where acl
> > is supported via the mapping algorithms they already use.
> >
> > It is the case of a per-file scope where things get difficult:
> > The server will probably want to support all of acl, posix_access_acl
> > and posix_default_acl, but since the "true form" is defined a one
> > model for each file, then how should the attribute(s) for the other
> > model be handled?
> > - I would like to avoid mapping, so I think being able to return
> >   "no ACL" would be preferred.
>
> I think that this is against RFC 8881 where it is expected that server
> construct ACL attribute which will describe the current access
> permission.
>

I don't think so.


> Returning "no ACL" for NFS4 clients which do not understand this
> extension would be very confusing. User will ask for ACL, user will see
> that it is empty and would think that nobody has access to that file.
>

According to RFC8881, user are not supposed to interpret Acls but use
ACCESS/OPEN for this purpose.

And then would be surprised that somebody can access that file just
> because some optional extension attribute returns some more information
> about access, which the client does not implement. This can lead also to
> security or audit issues.
>
> > - I had thought a zero length ACL would work for this, but that no
> >   longer appears to be the case.
>
> Yes, it would not work.
>

I don't agree.


> > Maybe, defining an ACL with a single ACE that says "not valid" would
> > work?
>
> I think not. ACL and DACL attribute should always say current access
> permissions for the object. And if server is using some other (e.g.
> POSIX or any other strange scheme) then server should provide the best
> effort translation for such clients.
>
> > This could be the reply for GETATTR/READDIR and could be used to
> > "erase" the ACL for SETATTR.
> > --> I think this is what the next draft will propose.
> >
> >
> > > If interop between mode, dacl and posix_default_acl, posix_access_acl
> > > attributes is not explicitly defined in specification then every server
> > > implementation will invent its own rules and it would just lead to the
> > > mess in multiprotocol environment where clients would not be sure what
> > > can happen. Like it is already with "mode" attribute in NFS v4.1 (see
> 2).
> > >
> > For posix_access_acl and posix_default_acl the intent is that the
> > POSIX draft specification defines the interaction between mode and
> > the POSIX ACL.
>
> Ok. But the problem is that POSIX mode != NFS4 mode. Below in 2)
> I described one difference. And because POSIX ACL does not define
> interaction between NFS4 mode and POSIX ACL then I think it is required
> to define it in extension specification to make it clear.
>
> > For NFSv4 ACLs, you are correct. It is a mess.
> > And I wish David N. the best of luck w.r.t. cleaning it up.
>
> Interesting, is David working on cleaning it up? If you are interesting
> I can provide feedback what needs to be fixed (something I have already
> written in my first email to the list).
>

Yes, in draft-dnoveck-nfsv4-security and draft-dnoveck-nfsv4-acls.   Note
that the current draft of the latter, -04 needs to be updates to be
compatible with Rick's work.  Looking for getting -05 out in next few weeks.


> > (OpenZFS already has a knob that specifies 4 different ways
> > of doing this. Another knob setting may be needed.)
> >
> > Thanks for the comments, rick
> >
> > >
> > > 2)
> > >
> > > Then there is a problem with "group" bits of "mode" attribute.
> > > In RFC 8881 section 6.2.4 is written:
> > >
> > > "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals
> > > identified in the owner_group attribute but who are not identified in
> > > the owner attribute."
> > >
> > > And in section 6.3.2.1 is written:
> > >
> > > "Some server implementations also add bits permitted to named users and
> > > groups to the group bits (MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP).
> > > Implementations are discouraged from doing this."
> > > "The same user confusion seen when fetching the mode also results if
> > > setting the mode does not effectively control permissions for the
> owner,
> > > group, and other users; this motivates some of the requirements that
> > > follow."
> > >
> > > POSIX ACL with at least one named user or named group requires that
> > > mode group bits refers to POSIX ACL mask, and not to the POSIX ACL
> > > group_obj (which represents owner_group).
> > >
> > > Those RFC 8881 parts of NFS mode attribute are basically not compatible
> > > with POSIX ACL. Your extension does not mention this problem and does
> > > not handle it.
> > >
> > > Existing NFS4 servers which follows the RFC 8881 meaning of mode group
> > > bits, would not be able to implement this your extension for POSIX ACL,
> > > because existing servers cannot change behavior of mode attribute due
> > > backward compatibility. I think that this is a big problem.
> > > Servers in multiprotocol environment mostly follows the RFC 8881 advice
> > > to never return something like "POSIX mask" in group bits.
> > >
> > > How to solve this problem. One option could be including all mode bits
> > > into your new "posix_access_acl" attribute and let NFS4 clients to use
> > > only "posix_access_acl" on chown operation, and never use existing
> > > "mode" attribute at all (if the extension is supported by server).
> > >
> > > Another option could be to introduce a new "posix_mode" attribute which
> > > would be strictly POSIX and old "mode" attribute can stay as before for
> > > backward compatibility. Again clients would not use "mode" attribute
> > > anymore.
> > >
> > >
> > > Regards,
> > > Pali
> > >
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
>