[nfsv4] Windows/NFSv4 ACL interoperability
"J. Bruce Fields" <bfields@fieldses.org> Sun, 12 March 2006 22:40 UTC
Date: Sun, 12 Mar 2006 17:40:35 -0500
To: nfsv4@ietf.org, samba-technical@lists.samba.org, Gardere_Daniel@emc.com, Roche_Francois@emc.com
Several of us had a conversation about ACL interoperability at Connectathon the other week, and I just wanted to post some kind of summary. Apologies for the cross-posting; this seemed the most efficient way to reach the people likely to be interested. Let me know if there's interest, and I could set up a dedicated mailman list for ACL discussions.

So I've started gathering what I know here; corrections welcomed:

	http://wiki.linux-nfs.org/index.php/ACLs#The_ACL_Interoperability_Problem

An executive summary: the basic problem, shared to some degree by NFSv4 and Samba, is that we'd like to support applications that use both POSIX and Windows ACLs, and we'd even like to be able to do it from servers (like Linux) that only support the less-fine-grained POSIX ACLs. (At some point that may mean just pushing Windows/NFSv4 ACLs into those operating systems--I believe OSX, AIX, and Solaris are among those that are already doing this.)

(There's also a problem that the NFSv4 spec is a little vague about the semantics of NFSv4 ACLs, and that the ACLs it describes differ slightly from Windows ACLs--see http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt for a proposal to address this.)

Some points made by people at the meeting:

- The problem as stated above is impossible to solve completely. For example, ACLs that represent typical Windows expectations about ALLOW/DENY ace ordering appear to be incompatible with ACLs that represent mode bit semantics accurately. So we have to be realistic about what we can and can't do, and figure out ways to fail gracefully.
- Despite the ubiquity and flexibility of Windows ACLs, it may be hard to abandon POSIX ACLs, because they can be somewhat simpler to understand and manipulate, and because some common tools may be starting to support them (e.g., see news about Nautilus ACL support: http://blogs.sun.com/roller/page/alvaro?entry=nautilus_acl_support)

Some resources mentioned at the meeting:

- rfc3530 section 5.11 describes NFSv4 ACLs:
	http://www.ietf.org/rfc/rfc3530.txt
- Windows ACL documentation:
	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_security_and_access_rights.asp
- withdrawn draft "POSIX" ACL spec:
	http://wt.xpilot.org/publications/posix.1e/download.html
- Microsoft documentation on mode bit<->ACL mapping:
	http://www.microsoft.com/technet/interopmigration/unix/sfu/sfu3perm.mspx
- Microsoft documentation on preferred ACE ordering:
	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp
- Presentation by Jeremy Allison on POSIX<->Windows ACL mapping:
	http://www.citi.umich.edu/projects/nfsv4/jallison-acl-mapping/jallison-acl-mapping.html
- POSIX<->NFSv4 mapping, used by Linux and Solaris:
	http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-03.txt
- Documentation of OSX ACLs:
	http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html
- Proposed revisions to NFSv4 ACLs, discussion of chmod, mode bit mapping, etc.:
	http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt

But of course I probably missed some stuff; if you notice anything, please let me know.

--b.
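
The ALLOW/DENY ordering conflict mentioned in the first meeting point, worked through as an added illustration that is not part of the original message or of any project it cites. It assumes a simplified mode-to-ACL mapping constructed here (not the one in the linked mapping drafts), only the rwx bits, and the three special principals OWNER@, GROUP@ and EVERYONE@; it reports every case where sorting the DENY ACEs first changes the access a principal gets compared with the mode bits.

```python
# Added illustration: the mapping, principals and modes are constructed here.

def mode_access(mode, is_owner, in_group):
    """POSIX mode bits: exactly one class applies (owner, else group, else other)."""
    if is_owner:
        return (mode >> 6) & 7
    if in_group:
        return (mode >> 3) & 7
    return mode & 7

def acl_access(acl, is_owner, in_group):
    """Ordered ACE evaluation: for each rwx bit, the first matching ACE decides."""
    allowed = decided = 0
    for ace_type, who, mask in acl:
        if not (who == "EVERYONE@" or (who == "OWNER@" and is_owner)
                or (who == "GROUP@" and in_group)):
            continue
        fresh = mask & ~decided
        if ace_type == "ALLOW":
            allowed |= fresh
        decided |= fresh
    return allowed

def mode_to_acl(mode):
    """Simplified mapping: a class is denied only the bits a later class would grant."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = [("ALLOW", "OWNER@", owner),
           ("DENY", "OWNER@", (group | other) & ~owner),
           ("ALLOW", "GROUP@", group),
           ("DENY", "GROUP@", other & ~group),
           ("ALLOW", "EVERYONE@", other)]
    return [ace for ace in acl if ace[2]]

def windows_order(acl):
    """Preferred Windows ordering: every DENY ACE ahead of every ALLOW ACE."""
    return sorted(acl, key=lambda ace: ace[0] != "DENY")

PRINCIPALS = [(o, g) for o in (True, False) for g in (True, False)]

def disagreements(mode, reorder=True):
    """(is_owner, in_group, mode_bits, acl_bits) wherever the ACL departs from the mode."""
    acl = mode_to_acl(mode)
    if reorder:
        acl = windows_order(acl)
    return [(o, g, mode_access(mode, o, g), acl_access(acl, o, g))
            for o, g in PRINCIPALS
            if mode_access(mode, o, g) != acl_access(acl, o, g)]

if __name__ == "__main__":
    print(disagreements(0o604))  # owner who is also in the owning group
```

For mode 0604 the mode-accurate ACL needs DENY GROUP@ to sit between the owner's and everyone's ALLOW ACEs; once that DENY is moved to the front, an owner who also belongs to the owning group loses read access, while a mode such as 0644 needs no DENY ACE and survives the reordering.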