[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
David Noveck <davenoveck@gmail.com> Fri, 09 August 2024 20:53 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8498EC14CEFF for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 13:53:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sWCO3Ho6dCNx for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 13:53:25 -0700 (PDT)
Received: from mail-oo1-xc2f.google.com (mail-oo1-xc2f.google.com [IPv6:2607:f8b0:4864:20::c2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5379FC14F6A0 for <nfsv4@ietf.org>; Fri, 9 Aug 2024 13:53:25 -0700 (PDT)
Received: by mail-oo1-xc2f.google.com with SMTP id 006d021491bc7-5cdf7edddc5so1455548eaf.0 for <nfsv4@ietf.org>; Fri, 09 Aug 2024 13:53:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723236804; x=1723841604; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dmSCf86JZ4Fcfhk8/RHdlA290hIVoqxocDPgdiUH9iM=; b=a6+uxBlvFtFBciU9u79do1MT+QQ1P8h2BUSl9Zrad7Rni+07fp/B0Vfu7sbodbz2ni 1dy8G8KPSVhC7H324MhkJo9U6x5ek1F3uFj15lpwTEiMfcQunjHkGvN2HzrdBFcMK8Nk FZKoGqVk/GoebiVIp+Tcisp4WCHQdubAtz8soKnnf40mPApWc13xsZA8FPTL7d2Iykue hkQiCgSwX1qi1TVReWIMhNJUtw2GkHgrzBwNggrGzFboYp8jYAYiEMkpOrzfFw8BHuIz fCqWj8592fM8ae9/TNeM9I6r8CP1tIgz7/5oEHOHuAyp/FoHiWhpjyttXQMINl0ykv0K Sitw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723236804; x=1723841604; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dmSCf86JZ4Fcfhk8/RHdlA290hIVoqxocDPgdiUH9iM=; b=vZe+ta49kSZo8cANQue1YhTJ0YjSe1ZGq3clPjnKHuM6qAx1sDGWiHnA3LRISTJei0 Ac72dM7EooW29qtSzxsbstQEVpfzsp8NfSQCUhfyXGqUqM246pyNGDZwX3Yo+BpeDGuy Zw+WiHX9adobwpBZNumTgIfHD/AO8wxWH+Kg05193IuLBti86YZgjk/1sUWHmMvrIipd cdPsaV3hwCm6vWtWnbl8n1QIiKmMsvBejj4Dz3sSSCmKRKJHhofsIOABXgNxTTJ4542t 6jJLF5yRQv9GrWpHjYP5l46IOW3OvIQfxKdOVZf4iTP94X+Pbu+LZY51hX5ov1dOBguI vdrw==
X-Forwarded-Encrypted: i=1; AJvYcCVG2ZV8uFr+4hvN/fA0RR/AqmhJjwmm3BsbCqNhNa//lsvrU5lNa/F2kgWvLgQpiUobvjDd3g==@ietf.org
X-Gm-Message-State: AOJu0YyUtwFIAZQQSUS0KeuMjh7YggzraqokVjUd0NNz8yy4e0+zRfQu hLayRng5Pof/fvyX3FmE2qqoo/Ux0Mp5L7lfp3SJPrlLS7eZGBQ5TxdIRopGz4N/z0rCh7buU5J NRHw241cMNtGDOePC0ltO/1oCxJA=
X-Google-Smtp-Source: AGHT+IEz7q4voC5wxOnOL6SqNtpcTgRJciPo17IE+LvxD1abrvQ6rd7nbWlxJJ7ADSAhOve5KuRyEWGeD+dwLM9TxdA=
X-Received: by 2002:a05:6358:339a:b0:1ac:f839:e001 with SMTP id e5c5f4694b2df-1b177172cb1mr311586655d.22.1723236804214; Fri, 09 Aug 2024 13:53:24 -0700 (PDT)
MIME-Version: 1.0
References: <20240806170525.trrqy27aqu7sayb5@pali> <CAM5tNy4pPcP7AErkqvu2URqX9nCT-8i3y_esVzpyyjaHC6Uuew@mail.gmail.com> <20240807162216.cg7sbzgqyqn4hxnp@pali>
In-Reply-To: <20240807162216.cg7sbzgqyqn4hxnp@pali>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 09 Aug 2024 16:53:13 -0400
Message-ID: <CADaq8jdvgGWmO0gNvCfv_vYZRQDfsq3o+ab-YR3GYUhNtg3TLg@mail.gmail.com>
To: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
Content-Type: multipart/alternative; boundary="0000000000009447b6061f465525"
Message-ID-Hash: FSENHDKD2FJ4YOJHR2BARCUDUQTTDZTH
X-Message-ID-Hash: FSENHDKD2FJ4YOJHR2BARCUDUQTTDZTH
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/muFJquOyvRPy4_UANo-FHlYZyTw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Wed, Aug 7, 2024, 12:22 PM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> wrote: > Hello Rick, I'm sending comments for the second part of your email. > > On Tuesday 06 August 2024 15:20:50 Rick Macklem wrote: > > On Tue, Aug 6, 2024 at 10:05 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im > > > > wrote: > > > > A server that is configured for a acl_trueform_scope other that > > > > ACL_SCOPE_FILE_OBJECT MUST not support the posix_default_acl and > > > > posix_access_acl unless the true form for the file system is > > > > ACL_MODEL_POSIX_DRAFT. > > > > > > This is a restriction which basically means that no existing NFS4 > > > server with native NFS4 ACL support can support "posix_access_acl". > > > In multiprotocol environment where is NFSv4.0 and NFSv4.1, the NFS4 > > > server would have to provide server scope native NFS4 model (to support > > > NFSv4.1 as as your document is only for NFSv4.2) which implies that > > > server must not support POSIX ACL. And same applies in the > multiprotocol > > > environment with NFS4 and SMB. > > > > > Not exactly. posix_access_acl refers to the proposed optional > > attribute for NFSv4.2 (same goes for acl_trueform_scope). > > What the server does w.r.t. "true form" is up to the server. > > Same goes for the scope of it. > > (For example, Linux server always use POSIX draft ACLs.) > > > > The difference is that NFSv4.0 and 4.1 clients cannot know > > what the "true form" is and can only see NFSv4 ACLs (possibly > > mapped to/from POSIX draft ACLs). > > > > What the above restriction is meant to do is allow a NFSv4.2 > > client to know that the "true form" is ACL_MODEL_POSIX_DRAFT > > when the scope is ACL_SCOPE_FILE_SYSTEM or ACL_SCOPE_SERVER > > by seeing that posix_access_acl and posix_default_acl are > > supported_attrs for the file system. > > --> Note that acl_trueform_scope is "per server", so a client > > only needs to GETATTR this attribute once for the server. > > Then, if that is ACL_SCOPE_FILE_SYSTEM or ACL_SCOPE_SERVER, > > it can tell that the "true form" is ACL_MODEL_POSIX_DRAFT > > as soon as it sees posix_access_acl and posix_default_acl > > in supported_attrs. > > --> It does not have to bother to check acl_trueform, > > which would often result in an extra RPC. > > Ok, I will try to describe this issue in different way on example. > > NFS4 client can decide that will not implement support for ACL and DACL > attributes because, NFS4 client is POSIX only and mapping from NFS4 to > POSIX cause issues for that client. > > NFS4 client will implement this extension, so it would understand only > POSIX_ACCESS_ACL and POSIX_DEFAULT_ACL attributes. > > There are existing NFS4 server which implements multiprotocol > environment. Such server would always use NFS4 true form ACLs and > nothing different That is not always true . It can uses either form on a per-file basis. >for example because POSIX ACL cannot store SMB ACLs). > So such server would return for acl_trueform_scope ACL_SCOPE_SERVER (or > ACL_SCOPE_FILE_SYSTEM in case server supports more filesystems and want > such feature). > > Now according to your description, such server "MUST not support the > posix_default_acl and posix_access_acl" (because its true form is NFS4). > > So it means for NFS4 clients which would implement only POSIX_ACCESS_ACL > and POSIX_DEFAULT_ACL attributes, those NFS4 servers are not able to > serve any ACL. > > And if customers of such NFS4 server start asking for "ACL compatibility > with that NFS4 client" then such NFS4 server would ignore the part "MUST > not support the posix_default_acl and posix_access_acl" and will start > providing these attributes via some translation or mapping (it would be > even worse mess). Or they could switch to a per-file scope. I think should (note lower case). > This is why I think it is too restrictive. It is disallowing NFS4 > servers to provide compatibility for POSIX NFS4 clients. > It would be too restrictive, if it were the case. > > > > > I think that this is too strict and what would happen is either that > > > this extension would not be implemented OR section option (which I > think > > > everybody would do) is ignoring this restriction. > > > > > As above, this does not define what the server does for NFSv4.0 > > and NFSv4.1, it just simplifies what a NFSv4.2 client needs to > > check, if it knows about and the server supports the extension > > proposed by this draft. > > > > > > > > I guess that for compatibility with FreeBSD and Linux, servers would > > > implement it even on NFS4 server scope model. > > > > > Not sure what you mean by this. > > I explained above the whole example. I did not mentioned in it explicit > client and servers as it nos tight to FreeBSD or Linux. Hopefully it > would be clear now what I mean. > Not to me. > > Linux always uses a "true form" > > of POSIX ACL and FreeBSD supports one of POSIX ACL or NFSv4 ACL > > on a per-file system basic (at least for now). > > - That is not changed by this extension. All this extension does > > is allow NFSv4.2 clients to use the server more effectively > > by choosing to get/set the "true form" and avoiding mapping, > > assuming the client and server both implement the extension. > > Other file systems (IBM's GPFS seems to be the extant example > > I am aware of) also supports a "true form" on a per-file basis. > > (Again this is a server file system configuration choice and > > is not affected by whether or not this extension is supported > > by a NFSv4.2 server.) > > > > > > > > > > And I have there two additional points without quoting your document. > > > > > > 1) > > > > > > Your document does not describe what existing RFC 8881 acl and dacl > > > attributes should return when user sets new "posix_default_acl" or > > > "posix_access_acl" attribute. Also what should happen when another > > > client tries to change acl or dacl attribute when POSIX ACL is already > > > active. > > > > > The intent (if that is not clear, the words need to be improved) > > is that the server file system shall have one "true form" for each > > file object. If the attribute(s) for the other "true form" is used > > on the object (which assumes the server has chosen to put attributes for > > both in supported_attrs for the file syetem, the GETATTR/READIR/SETATTR > > will use mapping to translate it to/from the "true form". > > Ok, I think this is important to know and was not clear for me. > So it means that if server's true form is POSIX and NFS4 client call > GETATTR(DACL) command then server is required to map its POSIX ACL into > NFS4 ACL. I think that this should be explicitly mentioned to prevent > any confusion. > As I understand things it needs to report that there is no NFSv4 DACL (length zero or whatever else we decide). > > The intent is to discourage use of mapping. As such, the client using > > these extensions can avoid that by determining what the "true form" is > > for the object and using the appropriate attributes. > > Now I understand. So NFS4 client without this extension would use just > ACL and DACL attributes. And NFS4 client with this extension can use > POSIX_ACCESS_ACL if wants and can benefit from it. > > > My thinking is that servers like FreeBSD (where the "true form" is > per-file > > system and mapping is not supported) would: > > (A) - Support posix_access_acl and posix_default_acl, but not acl, for > file > > systems that use POSIX ACLs as their "true form". > > Why not ACL/DACL attribute at least via mapping? This will degrade NFS4 > clients which use NFS4 true form ACL or similar (e.g. Windows or SMB). > > RFC 8881 suggest implementations to implement ACL and DACL attributes > for access control. So servers which will not implement ACL and DACL > attribute would for access control would not be compatible with RFC 8881 > clients which expects access control. > Not true. The ACL and DACL attributes are OPTIONAL. If they are not supported, access control is provided POSIX-style using the attributes mode, owner, owner_group which are now REQUIRED. If this is not clear in RFC8881, I hope it is in draft-dnoveck-nfsv4-security. > > (B) - Support acl, but not posix_access_acl and posix_default_acl, for > file > > systems that ise NFSv4 ACLs as their "true form". > > That makes sense. Export POSIX_ACCESS_ACL/POSIX_DEFAULT_ACL only in case > POSIX is server's true form. > > > For Linux servers, they might choose (A) above, or they might choose > > to support all of acl, posix_access_acl and posix_default_acl, where acl > > is supported via the mapping algorithms they already use. > > > > It is the case of a per-file scope where things get difficult: > > The server will probably want to support all of acl, posix_access_acl > > and posix_default_acl, but since the "true form" is defined a one > > model for each file, then how should the attribute(s) for the other > > model be handled? > > - I would like to avoid mapping, so I think being able to return > > "no ACL" would be preferred. > > I think that this is against RFC 8881 where it is expected that server > construct ACL attribute which will describe the current access > permission. > I don't think so. > Returning "no ACL" for NFS4 clients which do not understand this > extension would be very confusing. User will ask for ACL, user will see > that it is empty and would think that nobody has access to that file. > According to RFC8881, user are not supposed to interpret Acls but use ACCESS/OPEN for this purpose. And then would be surprised that somebody can access that file just > because some optional extension attribute returns some more information > about access, which the client does not implement. This can lead also to > security or audit issues. > > > - I had thought a zero length ACL would work for this, but that no > > longer appears to be the case. > > Yes, it would not work. > I don't agree. > > Maybe, defining an ACL with a single ACE that says "not valid" would > > work? > > I think not. ACL and DACL attribute should always say current access > permissions for the object. And if server is using some other (e.g. > POSIX or any other strange scheme) then server should provide the best > effort translation for such clients. > > > This could be the reply for GETATTR/READDIR and could be used to > > "erase" the ACL for SETATTR. > > --> I think this is what the next draft will propose. > > > > > > > If interop between mode, dacl and posix_default_acl, posix_access_acl > > > attributes is not explicitly defined in specification then every server > > > implementation will invent its own rules and it would just lead to the > > > mess in multiprotocol environment where clients would not be sure what > > > can happen. Like it is already with "mode" attribute in NFS v4.1 (see > 2). > > > > > For posix_access_acl and posix_default_acl the intent is that the > > POSIX draft specification defines the interaction between mode and > > the POSIX ACL. > > Ok. But the problem is that POSIX mode != NFS4 mode. Below in 2) > I described one difference. And because POSIX ACL does not define > interaction between NFS4 mode and POSIX ACL then I think it is required > to define it in extension specification to make it clear. > > > For NFSv4 ACLs, you are correct. It is a mess. > > And I wish David N. the best of luck w.r.t. cleaning it up. > > Interesting, is David working on cleaning it up? If you are interesting > I can provide feedback what needs to be fixed (something I have already > written in my first email to the list). > Yes, in draft-dnoveck-nfsv4-security and draft-dnoveck-nfsv4-acls. Note that the current draft of the latter, -04 needs to be updates to be compatible with Rick's work. Looking for getting -05 out in next few weeks. > > (OpenZFS already has a knob that specifies 4 different ways > > of doing this. Another knob setting may be needed.) > > > > Thanks for the comments, rick > > > > > > > > 2) > > > > > > Then there is a problem with "group" bits of "mode" attribute. > > > In RFC 8881 section 6.2.4 is written: > > > > > > "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals > > > identified in the owner_group attribute but who are not identified in > > > the owner attribute." > > > > > > And in section 6.3.2.1 is written: > > > > > > "Some server implementations also add bits permitted to named users and > > > groups to the group bits (MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP). > > > Implementations are discouraged from doing this." > > > "The same user confusion seen when fetching the mode also results if > > > setting the mode does not effectively control permissions for the > owner, > > > group, and other users; this motivates some of the requirements that > > > follow." > > > > > > POSIX ACL with at least one named user or named group requires that > > > mode group bits refers to POSIX ACL mask, and not to the POSIX ACL > > > group_obj (which represents owner_group). > > > > > > Those RFC 8881 parts of NFS mode attribute are basically not compatible > > > with POSIX ACL. Your extension does not mention this problem and does > > > not handle it. > > > > > > Existing NFS4 servers which follows the RFC 8881 meaning of mode group > > > bits, would not be able to implement this your extension for POSIX ACL, > > > because existing servers cannot change behavior of mode attribute due > > > backward compatibility. I think that this is a big problem. > > > Servers in multiprotocol environment mostly follows the RFC 8881 advice > > > to never return something like "POSIX mask" in group bits. > > > > > > How to solve this problem. One option could be including all mode bits > > > into your new "posix_access_acl" attribute and let NFS4 clients to use > > > only "posix_access_acl" on chown operation, and never use existing > > > "mode" attribute at all (if the extension is supported by server). > > > > > > Another option could be to introduce a new "posix_mode" attribute which > > > would be strictly POSIX and old "mode" attribute can stay as before for > > > backward compatibility. Again clients would not use "mode" attribute > > > anymore. > > > > > > > > > Regards, > > > Pali > > > > > _______________________________________________ > nfsv4 mailing list -- nfsv4@ietf.org > To unsubscribe send an email to nfsv4-leave@ietf.org >
- [nfsv4] Comments for draft-rmacklem-nfsv4-posix-a… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] POSIX ACLs as backdoor to bypass NFSv4 AC… Mark Liam Brown
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem