Re: [nfsv4] Path forward for flex-files

Rick Macklem <rmacklem@uoguelph.ca> Tue, 08 August 2017 00:20 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Date: Tue, 08 Aug 2017 00:20:26 +0000
Message-ID: <YTXPR01MB018927D36EFE43FBC06A136ADD8A0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
References: <YTXPR01MB01898B5A88D647118989E5CEDDB50@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>, <20170807232925.GK70977@kduck.kaduk.org>
In-Reply-To: <20170807232925.GK70977@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/zMYEJIU1wW9s3vITvlPEp8LOs5A>

Benjamin Kaduk wrote:
[stuff snipped]
> The solution space looks rather different whether the synthetic principals
> are actually being created/deleted on the KDC or synthesized using the
> data server's keytab.
I'm not sure what you are thinking of w.r.t. synthesized using the data server's keytab,
but I am curious?

>  In the case where the KDC is involved, ticket
> lifetimes and principal existence are somewhat annoying to manage -- in
> order to have a long-lived TGT but get short-lived service tickets, with
> (e.g.) an MIT krb5 KDC you'd either have to use a custom policy plugin to limit
> the service ticket lifetime, or set the max lifetime on the data server's
> service principal to that short lifetime (which has annoying effects for
> anything that's supposed to be connecting to it directly).  As far as principal
> management, the fencing would not be particularly instantaneous -- the
> current ticket would have to expire, and the principal deletion/deactivation
> would need to propagate to all KDCs in the realm.  IIRC it's also possible
> to have a KDC that doesn't even pull up the client principal's database
> entry when generating a service ticket from a TGT (i.e., it would not
> actually notice the deleted client principal!), which of course would not
> work for this use case.
Oh well, doesn't sound like a good plan.

And I'm happy with a second version of XDR when this is done.

rick, who is glad he chose "tightly coupled";-)
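An added model of the fencing-latency trade-off the quoted paragraph describes (this is example code, not from the thread or any NFS implementation): it applies the rule that an MIT krb5 TGS-issued ticket is clamped to the smallest of the requested lifetime, the TGT's remaining life, and the client, server and KDC max_life values, and compares leaving the data server's service principal at the realm default against shortening its max_life. All lifetimes and the KDC propagation delay are constructed values; renewable TGTs are ignored.

```python
from dataclasses import dataclass

@dataclass
class Limits:
    """Kerberos lifetime limits, all in seconds (values are constructed)."""
    client_max_life: int     # max_life on the synthetic client principal (bounds its TGT)
    ds_max_life: int         # max_life on the data server's nfs/ service principal
    kdc_max_life: int        # realm-wide max_life from kdc.conf
    requested: int           # lifetime the client asks for in the TGS-REQ

def service_ticket_life(lim: Limits, tgt_remaining: int) -> int:
    """A TGS-issued ticket ends at the earliest of: the requested end time,
    the TGT's remaining life, and the client, server and KDC max_life."""
    return min(lim.requested, tgt_remaining, lim.client_max_life,
               lim.ds_max_life, lim.kdc_max_life)

def worst_case_fence_delay(lim: Limits, propagation: int,
                           kdc_checks_client_entry: bool = True) -> int:
    """Seconds between deleting the synthetic principal on the primary KDC and
    the moment no valid ticket for the data server can remain in the client's
    hands (renewable TGTs are ignored; an assumption of this model)."""
    if not kdc_checks_client_entry:
        # A KDC that issues service tickets without consulting the client's DB
        # entry never notices the deletion: the last service ticket is clamped
        # only by the TGT, so a TGT minted just before deletion bounds the delay.
        return lim.client_max_life
    # Until the deletion reaches every replica KDC the client can still obtain a
    # fresh service ticket; that ticket then lives its full clamped lifetime.
    return propagation + service_ticket_life(lim, tgt_remaining=lim.client_max_life)

def compare_policies(propagation: int = 60) -> dict:
    """Long-lived TGT (10 h) with the DS service principal's max_life either left
    at the realm default (24 h) or shortened to 5 min, as the thread discusses."""
    default_ds = Limits(client_max_life=36000, ds_max_life=86400,
                        kdc_max_life=86400, requested=36000)
    short_ds = Limits(client_max_life=36000, ds_max_life=300,
                      kdc_max_life=86400, requested=36000)
    return {
        "default_ds_fence_delay": worst_case_fence_delay(default_ds, propagation),
        "short_ds_fence_delay": worst_case_fence_delay(short_ds, propagation),
        # the side effect noted in the thread: every direct client of the DS is clamped too
        "short_ds_direct_client_ticket": service_ticket_life(short_ds, 36000),
        "lazy_kdc_fence_delay": worst_case_fence_delay(short_ds, propagation, False),
    }

if __name__ == "__main__":
    for name, seconds in compare_policies().items():
        print(f"{name}: {seconds // 60} min")
```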