[nfsv4] Re: Our different approaches to draft POSIX ACL support in NFSv4

Trond Myklebust <trondmy@hammerspace.com> Tue, 23 July 2024 18:09 UTC

To: "chuck.lever@oracle.com" <chuck.lever@oracle.com>
CC: "bfields@fieldses.org" <bfields@fieldses.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/u8i_-esXl1tqoEqmMpg_VK3J39c>

On Tue, 2024-07-23 at 15:27 +0000, Chuck Lever III wrote:
> 
> 
> > On Jul 23, 2024, at 10:27 AM, Trond Myklebust <trondmy@gmail.com> wrote:
> > 
> > On Tue, 2024-07-23 at 13:54 +0000, Chuck Lever III wrote:
> > > 
> > > > On Jul 22, 2024, at 7:13 PM, Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > 
> > > > I just looked at opensolaris/usr/src/head/rpcsvc/nfs_acl.x
> > > > which I think is the closest thing there is to a spec. for NFSACL.
> > > > (FreeBSD does not implement this protocol and all I know about it
> > > > is what this little .x file indicates.)
> > > 
> > > That's excellent, thanks for finding it.
> > > 
> > > My concern about this is that the cited .x file falls under
> > > CDDL, and thus cannot be used directly by a GPL-encumbered
> > > OS like Linux, nor can it be contributed to the IETF in its
> > > current form.
> > > 
> > > This is clearly prior art.
> > > 
> > > My question then is whether we should endeavor to produce
> > > an Informational document that describes NFSACL without
> > > > encumbrance -- i.e., get Sun-Oracle to contribute that work
> > > so that it might be used openly.
> > > 
> > 
> > Why do we care?
> 
> As I explained, we do want to have a protocol specification
> for NFSv4 that will not be disruptive to folks who were using
> NFSv3 and are now accessing the same ACLs via NFSv4.2+

No we don't.

We need a new protocol specification that works correctly with the
draft POSIX ACLs in use with existing Linux and other filesystems, and
that supports all the features of the IEEE 1003.1e draft 17 document
that were implemented within Linux and the *BSD.
Once we have that, I will happily plug that implementation into the
inode 'get_acl()' and 'set_acl()' callbacks, and people will be able to
use the bog standard getfacl and setfacl utilities to control the POSIX
ACLs as if they were running on a native filesystem.

If people then still want to use the nfs4_getfacl and nfs4_setfacl
tools to use the existing ACL attribute against a server that
implements the draft-ietf-nfsv4-acl-mapping-05 (or whatever it is that
the Linux server actually implements) then they can continue to do so
without any further help from this committee. There will be no need to
encourage the development of further broken implementations, if there
is a real NFSv4.2 API that can replace it.

> 
> And, this is prior art. If the authors and WG are comfortable
> citing a CDDL-encumbered .x file in acls-04, then there's no
> need to author an historical Informative document.
> 
> > The goal of this group should be to make a version that is appropriate
> > for NFSv4. That would need to be a new protocol extension for NFSv4
> > that is separate from the existing ACL attribute.
> > 
> > Even the XDR format of the ACEs will need to be different due to the
> > adoption of name@domain format user and group descriptions that replace
> > the uid/gid format.
> > So there is little overlap with the existing nfsacl.x file (which
> > existed as a file with no valid licence description in the glibc rpc
> > implementation for many years prior to the existence of the CDDL).
> 
> Implementers will need to understand the differences and
> ensure that there is compatibility when presenting ACLs to
> users, for example. It sounds like there are indeed some
> compatibility issues worth mentioning.
> 
> I'm simply asking if additional standards action is needed
> to ensure that the older work is available and citable in
> new documents.

Bruce and Marius' draft should suffice to document the legacy
non-standard. It is still available from the data tracker:
https://datatracker.ietf.org/doc/draft-ietf-nfsv4-acl-mapping/

-- 
Trond Myklebust 
CTO, Hammerspace Inc 
1900 S Norfolk St, Suite 350 - #45 
San Mateo, CA 94403
www.hammerspace.com