Re: [nfsv4] I-D ACTION:draft-ietf-nfsv4-acl-mapping-04.txt
"J. Bruce Fields" <bfields@fieldses.org> Tue, 16 May 2006 21:57 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fg7YF-0007ab-Dx; Tue, 16 May 2006 17:57:59 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fg7YE-0007aV-8w for nfsv4@ietf.org; Tue, 16 May 2006 17:57:58 -0400
Received: from mail.fieldses.org ([66.93.2.214] helo=pickle.fieldses.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fg7YC-0001eh-Uc for nfsv4@ietf.org; Tue, 16 May 2006 17:57:58 -0400
Received: from bfields by pickle.fieldses.org with local (Exim 4.62) (envelope-from <bfields@fieldses.org>) id 1Fg7YC-0008RC-Cp for nfsv4@ietf.org; Tue, 16 May 2006 17:57:56 -0400
Date: Tue, 16 May 2006 17:57:56 -0400
To: nfsv4@ietf.org
Subject: Re: [nfsv4] I-D ACTION:draft-ietf-nfsv4-acl-mapping-04.txt
Message-ID: <20060516215756.GH22696@fieldses.org>
References: <E1Fg5YP-0007lO-QI@stiedprstage1.ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E1Fg5YP-0007lO-QI@stiedprstage1.ietf.org>
User-Agent: Mutt/1.5.11+cvs20060403
From: "J. Bruce Fields" <bfields@fieldses.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Errors-To: nfsv4-bounces@ietf.org
On Tue, May 16, 2006 at 03:50:01PM -0400, Internet-Drafts@ietf.org wrote: > http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-acl-mapping-04.txt The working group has complained that previous drafts describe the POSIX->NFSv4 mapping very carefully, but say little about the reverse direction. Older drafts suggest rejecting any ACL that isn't in the image of our POSIX->NFSv4 mapping. This causes obvious problems for a server exporting POSIX ACLs: in practice it is impossible for an unaided user to generate ACLs that satisfy such a server. But it also causes problems for a single server supporting heterogeneous clients and applications (some using POSIX ACLs, some using NFSv4 ACLs directly): imagine a user on a Windows client trying to set an ACL that will be acceptable to someone else using POSIX ACLs. So this draft describes an algorithm that accepts any NFSv4 ACL, while erring on the side of mapping to a stricter ACL when an exact mapping isn't possible. The algorithm can also be adapted to err on the side of permissiveness, for use by a client presenting an NFSv4 ACL as a POSIX ACL. I think people will like that. A couple points need discussion, though: - I'd like to have the option of ignoring some bitmask bits entirely. On the server this breaks the "err on the side of restricting permissions" rule--for example, we might accept an ACL that denies READ_ATTRIBUTES with no intention of enforcing it. But it's painful to make every user learn rules about which bitmask bits must be set to keep the POSIX world happy. - I'd like to allow a simplified POSIX->NFSv4 mapping; currently we represent 644 with something like (assuming default deny, and ignoring mode bit mapping): ALLOW OWNER@ rw- DENY OWNER@ --x ALLOW GROUP@ r-- DENY GROUP@ -wx ALLOW EVERYONE@ r-- It would more user-friendly, more windows-friendly, and just as correct, to use: ALLOW OWNER@ rw- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- The problem is that while anyone using the new NFSv4->POSIX mapping will be able to accept either of these, older implementations may not cope so well. --b. _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www1.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] I-D ACTION:draft-ietf-nfsv4-acl-mapping-0… Internet-Drafts
- Re: [nfsv4] I-D ACTION:draft-ietf-nfsv4-acl-mappi… J. Bruce Fields
- [nfsv4] Minor Eccentrity of POSIX ACLs Benny Halevy
- [nfsv4] Re: Minor Eccentrity of POSIX ACLs J. Bruce Fields
- [nfsv4] Re: Minor Eccentrity of POSIX ACLs Benny Halevy