From: "J. Bruce Fields" <bfields@fieldses.org>
To: Neil Brown <neilb@suse.de>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>, nfs@lists.sourceforge.net
Subject: Re: nfs-utils 1.0.8-rc1
Date: Wed, 4 Jan 2006 16:33:18 -0500
Message-ID: <20060104213318.GA31023@fieldses.org>
In-Reply-To: <17318.4720.969963.469187@cse.unsw.edu.au>
On Mon, Dec 19, 2005 at 12:52:48PM +1100, Neil Brown wrote:
> 57 nor P3 All bfields@fieldses.org NEW unable to export to nfs3 krb5 clients without also export...
>
> Messy.... the submitter wants to allow mount/STATFS and maybe GETATTR
> to succeed with only AUTH_UNIX, even though /etc/exports says that
> krb5 is required to access the filesystem.

You could argue that that's dumb, and I'd be sympathetic.
Unfortunately, it's just the way NFSv2/v3 works--see RFC 2623. So we
need to support this to interoperate well.

> As there is no list of authorised hosts available in this context,
> we really need to give filehandles and stats info away to
> anyone. i.e. even accept AUTH_NONE. But we only need to do this for
> filesystems which require krb5.

We won't have to give this information away to everyone once we adopt
the conventional approach of passing security flavors as export options
(sec=krb5) instead of as clients (gss/krb5(rw,no_subtree_check,...)).
So this is another reason to make that switch. (The other was that some
people want different security flavor requirements enforced on different
IP networks, e.g., in case they have a performance-critical trusted local
network but are also willing to export to the world as long as they come
in with krb5p.)

> Hmmm.. more thought needed. I don't think this will get into 1.0.8.

Agreed.

> 58 nor P3 All bfields@fieldses.org NEW unable to require different security flavors for differen...
> The bit about having the same format 'exports' file as 'the others',
> while probably a nice goal, is currently awkward. So that bit won't
> be possible for 1.0.8.

Yeah. I think it's a lower priority too. What's the history of the
Linux exports file format? Was it invented for Linux, or taken from
someplace else?

> The idea of connection IP addresses with GSS auth connects with bug
> 57 somewhat..

Right.

--b.
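
The difference between the two export styles discussed above can be checked mechanically. This is an added example, not part of the original message or of nfs-utils: a small auditor that flags entries where any host may mount below a chosen minimum flavor. It assumes the colon-delimited `sec=` syntax later documented in exports(5); the sample exports text, the `minimum` policy and all function names are constructed for illustration.

```python
import re

# Flavor strength order; "sys" is AUTH_UNIX. Unknown flavors rank weakest.
STRENGTH = {"none": 0, "sys": 1, "krb5": 2, "krb5i": 3, "krb5p": 4}
CLIENT_RE = re.compile(r"(?P<client>[^\s()]+)(?:\((?P<opts>[^)]*)\))?")
WILDCARDS = {"*", "0.0.0.0/0", "::/0"}

def parse_exports(text):
    """Yield (path, client, flavors) for each client entry in exports-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split(None, 1)
        for m in CLIENT_RE.finditer(" ".join(rest)):
            client, opts = m.group("client"), m.group("opts") or ""
            flavors = []
            for opt in opts.split(","):
                if opt.strip().startswith("sec="):
                    flavors += opt.strip()[4:].split(":")
            if client.startswith("gss/"):
                # Legacy form: flavor sits in the client slot, so no host list applies.
                flavors = [client[4:]]
            yield path, client, flavors or ["sys"]

def audit(text, minimum="krb5p"):
    """Return findings for entries open to any host below the minimum flavor."""
    findings = []
    for path, client, flavors in parse_exports(text):
        weakest = min(flavors, key=lambda f: STRENGTH.get(f, 0))
        legacy = client.startswith("gss/")
        if legacy:
            findings.append((path, client, "flavor-as-client: cannot be tied to a network"))
        if (legacy or client in WILDCARDS) and STRENGTH.get(weakest, 0) < STRENGTH[minimum]:
            findings.append((path, client, f"any host may use {weakest}"))
    return findings

# Constructed sample, not from the thread.
SAMPLE = """\
/srv/old   gss/krb5(rw,no_subtree_check)
/srv/home  192.168.0.0/24(rw,sec=sys) *(rw,sec=krb5p)
/srv/pub   *(ro,sec=sys:krb5p)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The `/srv/home` line is the layout described in the message: AUTH_UNIX only from the trusted local network, krb5p from everywhere else, and it produces no findings.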