Re: [nfsv4] comments w.r.t. flex layout draft 12
Benjamin Kaduk <kaduk@mit.edu> Mon, 24 July 2017 20:44 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83231131F1D for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 13:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8IB2ain1KCf for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 13:44:02 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99CCD131F1C for <nfsv4@ietf.org>; Mon, 24 Jul 2017 13:44:02 -0700 (PDT)
X-AuditID: 12074425-723ff70000006d85-01-59765c10c2ad
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 24.CD.28037.01C56795; Mon, 24 Jul 2017 16:44:01 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v6OKhwLl020384; Mon, 24 Jul 2017 16:43:59 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v6OKhtXw024971 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 24 Jul 2017 16:43:57 -0400
Date: Mon, 24 Jul 2017 15:43:55 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Message-ID: <20170724204354.GH17639@kduck.kaduk.org>
References: <YTXPR01MB0189332A64D2E7485CFC8F2CDDA40@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <YTXPR01MB0189332A64D2E7485CFC8F2CDDA40@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrCIsWRmVeSWpSXmKPExsUixG6nrisYUxZpsOatlMXyPVvZLWa/f8Rq 8XDZNSYHZo8lS34yecyfK+fxe/NepgDmKC6blNSczLLUIn27BK6MNz/eMBYcE6n4fWEbcwPj eYEuRk4OCQETibm/f7B3MXJxCAksZpLYtucVG4SzkVHiwodnrBDOVSaJ1d9vsoO0sAioSjyd fp4VxGYTUJFo6L7MDGKLCKhLbF7dD2YzC/hK3Hh8DcwWFrCUOPHuA5jNC7Suf+oENhBbSCBG 4urz+YwQcUGJkzOfsED0aknc+PeSqYuRA8iWllj+jwMkzCkQK3F/8TawElEBZYl5+1axTWAU mIWkexaS7lkI3QsYmVcxyqbkVunmJmbmFKcm6xYnJ+blpRbpWujlZpbopaaUbmIEB66L6g7G OX+9DjEKcDAq8fCu+FgaKcSaWFZcmXuIUZKDSUmUV4ipLFKILyk/pTIjsTgjvqg0J7X4EKME B7OSCC/zW6By3pTEyqrUonyYlDQHi5I4r7hGY4SQQHpiSWp2ampBahFMVoaDQ0mC908U0FDB otT01Iq0zJwShDQTByfIcB6g4RbRQDW8xQWJucWZ6RD5U4yKUuK8T0CaBUASGaV5cL2gxCKR vb/mFaM40CvCvL4g7TzApATX/QpoMBPQ4DkzQK4uLklESEk1MCZ82MC6Xrj8e8Z8je8/Zxeo Zmq9kXT/cG/KsrsHoy8Wx0jurLTh7XSdkrhPIZN7vrXj6vbzU7lfrQhbE5bte9zQMZFf1T5k 1RbmQ96lx2fyLVXr0mVSD5/5Pkenxzz3wezWVEeThga/+QWvTgpvKJ73r1lEmivhbsW5s6pL 1Joze8qNeAUnK7EUZyQaajEXFScCAFty1ewHAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/tYrzLGLvP5Kr3OLQcfiLFkJBkes>
Subject: Re: [nfsv4] comments w.r.t. flex layout draft 12
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 20:44:05 -0000
On Fri, Jul 21, 2017 at 09:41:40PM +0000, Rick Macklem wrote: > Hi, > > Overall, it looks good to me. > > First off, there is one generic issue I thought I'd bring up... > - w.r.t. Kerberos...shouldn't it be talking about Rpcsec_gss instead of Kerberos, > just in case someone uses another security mechanism someday? Arguably it should, yes. But the GSSAPI way to do the sort of thing needed here involves GSS_Export_sec_context/GSS_Import_sec_context, which is formally only specified for interprocess transfer on a single machine. (After all, GSS-API objects are permitted to be opaque handles referring to data stored outside of the current process.) Some implementations do just dump a serialized data structure that could in theory be sent over the network and used elsewhere, but there is no standardized way to do so. Kerberos tickets, on the other hand, are standardized and quite interoperable. But the specification might do well from using more general terms and only listing Kerberos tickets as an example. > - Also, I'll admit I didn't understand the last two sentences of Sec. 15.1.1. > - Why is the metadata server generating TGTs. Is this referring to the case of > the metadata doing I/O on the storage server? Or is this specific to some part of > RPCSEC_GSS_V3 (which I'll admit I've never looked at;-). If the latter, just ignore > my ignorance;-) My (admittedly hasty) reading was that the metadata server is generating "credentials" that the client then uses in subsequent communication with the data server. Those newly minted credentials ought to be limited to just the file access that was indicated to the MDS, whether by having a dedicated/throwaway client principal name akin to the synthetic uid/gid schemes, authorization data in the ticket, or some out-of-band scheme. In order to fit nicely into the existing deployments using Kerberos, the minted credentials need to be Kerberos credentials. That said, I see no reason why they need to be a TGT -- a service ticket for the data server principal would work just fine and would save the client a round-trip to the KDC. Doing so would also provide a bit more implementation flexibility, if the MDS is given access to the long-term key of the data servers (as it could then just print tickets locally and not need to interact with the KDC). Another option for this sort of thing would be the S4U2Proxy extension, that lets the MDS request that the KDC print the desired tickets and the KDC can do authorization checking and apply restrictions to the generated tickets/etc. -Ben
- [nfsv4] comments w.r.t. flex layout draft 12 Rick Macklem
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Benjamin Kaduk
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Thomas Haynes
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Thomas Haynes
- Re: [nfsv4] comments w.r.t. flex layout draft 12 Olga Kornievskaia