Re: [nfsv4] Fwd: New Version Notification for draft-haynes-nfsv4-flex-filesv2-00.txt

Olga Kornievskaia <> Wed, 09 August 2017 18:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6401313232D for <>; Wed, 9 Aug 2017 11:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5Vx_4xNSH3zA for <>; Wed, 9 Aug 2017 11:36:47 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D9229131CD7 for <>; Wed, 9 Aug 2017 11:36:46 -0700 (PDT)
Received: by with SMTP id s6so41630227qtc.1 for <>; Wed, 09 Aug 2017 11:36:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JieqArMphK7vBaj1Ia9XzlByd79KdcfI9YvCXHPiSeo=; b=NKiU/L2pzkplff1tW6ikmn54qA9yIUquuidMA6pvixwa+ZqOnyZSSjtrZNWcRJ10m5 k2Q3/l4NO64f9pHwKFvLYSz/KmvOTTERGLY4JJ8q6oHM6bCbI9zRYVmbmUoCJ8aiUzcD 8XCJbAkLcv5BpqCAc9dottIWU3cLBDRBHi2tEuhfQ8u1gVWcktpgjgjjLV8zPZE1ua1t /Ad/KTvOf+Lzqj5PCqaYDuTsWX72V+2nsZZ8PQK7RfQ6bNZpLC9ZCgD8shmXOajLsaOG 4BDMthvWthKn1NiH/BXLj1GPvHZWnx9Ntm/ebpaXqyPc1ehOImeBHNZtxcGtG0AygofO OZUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JieqArMphK7vBaj1Ia9XzlByd79KdcfI9YvCXHPiSeo=; b=DsaxMLqTxk9KDZFFqVgcPe6k1hFloNXTHDsjuFG9iiI0HitcPEpMEsinK5Z+pYzV34 a3g0RcoLdy0E/w/4VkDo9Aei+y0d1SCbLmu7G+SR7Gq9BGIdzB9uVXRItI+LQIg53SBe DdN6qi4pPEVd2WTwe69LukM2v5ErLDwciVbPT0QJGIizSQz2DxioVJeJj4yg7MzyWApQ JsXrmd9MpnK54Gu9xMHu0hOKPJyAY9JNkPy3RCSdw9JDTxagsB3dD5tYnFhx+S0r3xBt B0kcVOZK6J/YS2Hrru2yQwTxb3W1XCDOxYkwXEm7DAutNzaxRxMNqbs3xXKQHbSEVCb4 lvMA==
X-Gm-Message-State: AHYfb5iET4A9jjD6kJs7w2mSOPffUcLmmGPy0DluhHpoGCZuP57YzPCS eKhTfiJFMsmhXWj/UxkYUCn3973HcA==
X-Received: by with SMTP id o48mr12207367qtb.120.1502303805921; Wed, 09 Aug 2017 11:36:45 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 9 Aug 2017 11:36:44 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
From: Olga Kornievskaia <>
Date: Wed, 09 Aug 2017 14:36:44 -0400
Message-ID: <>
To: Trond Myklebust <>
Cc: Benjamin Kaduk <>, "" <>, Thomas Haynes <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-haynes-nfsv4-flex-filesv2-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Aug 2017 18:36:49 -0000

On Tue, Aug 8, 2017 at 7:55 PM, Trond Myklebust <> wrote:
> On 8 August 2017 at 19:27, Benjamin Kaduk <> wrote:
>> On Tue, Aug 08, 2017 at 06:01:48PM -0400, Olga Kornievskaia wrote:
>> >
>> >
>> > > On Aug 8, 2017, at 5:44 PM, Trond Myklebust <> wrote:
>> > >> >
>> > >>
>> > >> Since MDS = KDC then it would know which encryption scheme to use.
>> > >
>> > > The client will usually authenticate to the MDS using the corporate
>> > > KDC. The KDC on the MDS itself is not required to be the same.
>> >
>> >
>> > But mds has access/copy of the principal database so it knows encryption
>> > types for the client server keys
>> There is a possible design where the MDS has access to the KDC's database,
>> yes.
>> There are a couple other possible designs, though, and I don't think we've
>> ruled them out yet (whether due to technical constraints that cause them
>> to not actually work, policy decisions, or other).
>> (1) MDS is colocated with KDC or otherwise has access to the KDC database.
>> It's easy to get policy consistency between the KDC and MDS, find out
>> about
>> supported enctypes, etc.  Issuing tickets is also easy and can be done
>> with
>> direct database access and reuse a lot of code; the normal policy checks
>> are applied, authorization data can be included as usual, etc.  Actual
>> principal
>> entries can be created/destroyed on demand for handing out as synthetic
>> credentials.  Access control can be done via synthetic client principal
>> name or authorization data in the tickets.
>> But, it adds more code running on the highly-privileged KDC machine, and a
>> bug
>> in the MDS risks compromising the entire Kerberos realm -- a monstrous
>> rekeying/re-enrolling task.
>> (2) MDS is permitted by the KDC to use S4U2Proxy
>> This has some nice properties, like letting the KDC keep an audit trail
>> from the initial client authentication to the issued synthetic ticket and
>> separating the MDS from the KDC.  But, it is harder to create/destroy
>> client principal entries on demand, and most likely access control would
>> need to be done via authorization data in the resulting ticket.  (The KDC
>> might need to know to preserve and/or validate that authorization data
>> as part of the S4U2Proxy flow, but generally it should allow unknown
>> authorization data in the request to be preserved in the resulting
>> ticket.)
>> The data server might need modification to use the Kerberos authorization
>> data for access control decisions.
>> (3) MDS knows data server's private key
>> This essentially makes the MDS trusted to emulate/hijack the data server's
>> NFS role, by making the key formerly shared between just the data server
>> and the KDC also shared by the MDS.  That key is used for authentication
>> and integrity (source) validation, so the MDS could impersonate the KDC
>> to the data server or vice versa.
>> This is very flexible about ticket "issuance", again allowing arbitrary
>> synthetic client principal names to be used and authorization data to be
>> inserted.  But, it causes the KDC to lose visibility into what is
>> happening
>> in the Kerberos protocol and may have weaker auditability properties.
>> It also requires sharing the private key of the data server with another
>> party, which is in general something that should be avoided when using
>> Kerberos -- this sort of problem is one of the things that S4U2Proxy was
>> designed to address.
>> All three of these are only considering how to get a Kerberos ticket that
>> the MDS and/or client can ues to authenticate to the data server using
>> GSS-API; the details of how credentials and/or keys are conveyed from the
>> MDS to the client are a different problem, one that seems independent
>> of which of the above three options is taken.
> There is a fourth option.
> Give the MDS its own KDC and own domain that is completely separate and
> untrusted by the corporate domain. The DSes would be required to recognise
> principals from that domain, and not from the corporate domain.
> The reason why that might be compelling is to ensure that principals that
> are generated to support synthetic uids and gids may not be used to
> authenticate to anything else in the corporate domain.
> It also ensures that someone with a principal from the corporate domain has
> no special privileges to access data on the DSes unless granted a layout by
> the MDS.
> IOW: the idea is to keep the authentication domain for the pNFS data path
> entirely private to the storage system, while using the corporate domain to
> authenticate to the MDS.

I keep coming back to the question of what's different about assuming
that MDS and storage server belong to the same Kerberos realm (whether
or not it's corporate or private) and the tightly-coupled model where
everybody belongs to the same realms and normal ACL-based control is
used? Why is using normal principals and ACLs is ok in the
tightly-coupled model but it's not for loosely-coupled?

I don't know what's worse(better): private realm for storage (I think
is an over kill) or having MDS live on the same machine as the KDC.

The options I see for how to send the ticket back,  if it's a private
realm, then krb5p must be used and encrypt the secret that's also in
the service ticket. If it's a corporate realm, then krb5i could be
used and secret encrypted with the user's key. Maybe you can create a
return structure such that allows for either of the approaches. If
this flag is set, then client should decrypt with one and with another
otherwise. Then the implementors/administrators can decide whether
they want private realms or shared MDS/KDC appoarch.

Ben I don't see how S4UProxy fits. Isn't it typically
Alice->proxy->KDC and proxy as Alice->service. If this is the idea
where MDS will talk to the NFS server as Alice and then connection
trickery happen where Alice picks up the "same" connection without
ever doing proper AP_REQ to the storage server?