Re: [nfsv4] Path forward for flex-files
Olga Kornievskaia <aglo@citi.umich.edu> Mon, 07 August 2017 16:03 UTC
Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A361D13268C for <nfsv4@ietfa.amsl.com>; Mon, 7 Aug 2017 09:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAs4pxnf5lO2 for <nfsv4@ietfa.amsl.com>; Mon, 7 Aug 2017 09:03:13 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FF3C132690 for <nfsv4@ietf.org>; Mon, 7 Aug 2017 09:03:13 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id x191so5014158qka.5 for <nfsv4@ietf.org>; Mon, 07 Aug 2017 09:03:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=SiOLa0tj+rCkAuZ0QR566anGemL9Nq5Dq4DxKObtSOk=; b=JAxhK3vUfkupybKU/I94VsjC4EiXci1NnAQMtXbHpjusux0SFp6j0WBlw8dgkQMlVG SqKinvxJE4GZ2A+7e1ekMhhzs/I9YaIfSEj7Mmpax1GBdNg9UQmjbWY9s1tEIAJNw2N0 ftdnLQh6RW6GWW1d5qglHkUes0cbsNZhA/GF89Hozk3ZI3V6rvYscHSEP/1TLtmVC522 zZ4wwKb6Rwk9Vb+zn/ztmnhCjm8Qx0DWBpHTv6y9Qd4kp8gXLPZYbVX0jWRPexdvNkkI fOSTgBvDPVswXlsDpmuXhBkle0uUWaTYJ7CvJxZhlLADafkIXGzqT6UohHAcQbKgv4zm IK4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=SiOLa0tj+rCkAuZ0QR566anGemL9Nq5Dq4DxKObtSOk=; b=KND/VfmxFNCDabAQ05fhhcj9rx6Zl6ErGUiiFRI1gJpGyhHoHx4ANMyuRx7zxW5FYS sx7QCMBugjZB7xs85FzlAc47wWSmtzNXkEDxOtei+E+kSH+8jEFXshBfNi7UKoHwKutY V8lHcfw7wzyj/6TcgOYsgvY2UJiCn4EJ1xsaEzQqbHbdb2UVMHE8qXCadagsbR3bMeYJ uMhDfn6zGJjPVIEgfzE25M7SxHl4Rqn5JnyeY2HH2zpfA4NJttgxb3A5fOnmEoV0QIfD MmNCNS3eiNeV+Y50mNBjGTztg43rIQPmTr5yCOa5+YK2FIa/+mLjRmcW65+qDL77BfOC CyLQ==
X-Gm-Message-State: AHYfb5h+QAPri2gEWp/s0senzAhLNTlRZ9z0D45gV4SIyIzjvgy4ibf3 /celMj3853U/nsRYLXjdZksPbm33lAdT
X-Received: by 10.55.138.67 with SMTP id m64mr1366042qkd.6.1502121792135; Mon, 07 Aug 2017 09:03:12 -0700 (PDT)
MIME-Version: 1.0
Sender: olga.kornievskaia@gmail.com
Received: by 10.12.186.148 with HTTP; Mon, 7 Aug 2017 09:03:11 -0700 (PDT)
In-Reply-To: <YTXPR01MB0189BCC08195A19BB0745A85DDB40@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
References: <YTXPR01MB0189BCC08195A19BB0745A85DDB40@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
From: Olga Kornievskaia <aglo@citi.umich.edu>
Date: Mon, 07 Aug 2017 12:03:11 -0400
X-Google-Sender-Auth: TuN8pCHrnAfW91Ia1_F2I4zt_rQ
Message-ID: <CAN-5tyECYtjkqWCy1a_Ri=ada_FxVi+8VOw9dU3_gKQSifJ5cg@mail.gmail.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>, David Noveck <davenoveck@gmail.com>, Thomas Haynes <loghyr@primarydata.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/zLS786cwHeY8wu2CwMVJDnT4qvg>
Subject: Re: [nfsv4] Path forward for flex-files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 16:03:16 -0000
On Sun, Aug 6, 2017 at 5:14 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote: > My Kerberos/RPCSEC_GSS is pretty rusty, but I think the following is a rough > description of something that might work for the "loose coupling" case. > (And now I finally know why the old draft referred to TGTs.;-) > > First, I'll note that fattr4_owner and fattr4_owner_group isn't defined anywhere dot-x defs: https://www.rfc-editor.org/rfc/rfc7531.txt typedef utf8str_mixed fattr4_owner; typedef utf8str_mixed fattr4_owner_group; > and, if you just define is a opaque<>, with either "user@domain" or "<numeric-id>" > in it for the AUTH_SYS case, I doubt you will have to rev. the XDR. (Which makes the > path forward easier for us lazy implementors;-) > > Anyhow, here goes... > Here's one way I think a "loose coupled" Flexible File Layout pNFS service > could use Kerberos/RPCSEC_GSS. > A few assumptions: > 1 - The DS systems are vanilla NFSv3/4 servers that have Kerberos/RPCSEC_GSS > support in them. > 2 - This is Kerberos specific, which seems ok, since all extant servers > will only support Kerberos mechanism. > 3 - The MDS can somehow: > - Create/delete entries from the password database (assuming DS servers > implemented using POSIX-like users/uids/gids). > (I know nothing about LDAP, but I'd guess this is doable?) > - Create/delete User principals in the KDC with passwords that the > MDS will know/set when these principals are created. > > The MDS would create a synthetic user/uid/gid, adding it to the password > database. It would create an associated User principal of the same name > in the KDC. > - It would then acquire a "forwardable, renewable" TGT for this principal. > It could use this TGT to acquire an RPCSEC_GSS context for the DS, so it > could perform RPCs as this synthetic "user" against the DS. > > When a client requests a layout: > - The MDS would reply with the TGT for the synthetic user in fatt4_owner, after That's the problem you need something in the structure to pass back the ticket (TGT is not necessary. service ticket would do). Besides the ticket you need to send the other pieces. > encrypting it in the key for the RPCSEC_GSS context that the client has against the > MDS for its LayoutGet RPC. (ie. It would GSS_Wrap() the TGT.) > --> This is similar to what happens when a Kerberos client does a "kinit", > except the ticket has been encrypted in the RPCSEC_GSS context key > (which it knows) instead of a key based on the principal's password > (which the client does not know). > > The client takes the GSS_Wrap()'d TGT. GSS_Unwrap()s it and puts it in a > credential cache for the "synthetic user". (My Kerberos is rusty, so I can't > remember if the principal name is in the TGT? If not, it needs to be sent > along with the TGT to the client in the Layout.) > > The client can then do the normal RPCSEC_GSS Init sequence against the DS > to get a context for the synthetic user. It can then use this context for > I/O RPCs against the DS. > > If the Kerberos tickets have a short lifetime, but are renewable for a long > time, the RPCSEC_GSS context timeout will normally be set to that short > ticket lifetime and the client will regularily do the RPCSEC_GSS Init sequence again > to get new contexts. > --> This means that, once the MDS deletes the synthetic principal from the KDC, > it won't work for long against the DSs, I think? > (Deleting the principal from the KDC may be useful for fencing off, see > below.) > > I think the "gid" can be handled by using a second "synthetic principal" handled > in the same manner. (ie. It would not "own" the file but would have the "gid" > of the group for the file in the password database.) > > One problem I see with is that the MDS may need "root" access to > the DS, if it is going to do fencing via a change in ownership. > (I think this is doable using Kerberos, but certainly weakens security. > Something like putting a "root@REALM" user principal in the KDC and > generating a keytab entry for it for the MDS. But having a keytab entry for > "root@REALM" is pretty scary;-) > - An alternative that might be worth considering would be to have the MDS delete > the synthetic principal in the KDC, so that clients can no longer use it to access > the file on the DS? > > rick > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Path forward for flex-files David Noveck
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Olga Kornievskaia
- Re: [nfsv4] Path forward for flex-files Thomas Haynes
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Rick Macklem
- Re: [nfsv4] Path forward for flex-files Benjamin Kaduk
- Re: [nfsv4] Path forward for flex-files Rick Macklem