From: Trond Myklebust <Trond.Myklebust@netapp.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2 0/4] Allow the admin to turn off NFSv4 uid/gid mapping
Date: Tue, 30 Nov 2010 16:44:13 -0500
Message-ID: <1291153453.2998.9.camel@heimdal.trondhjem.org>
In-Reply-To: <20101130192441.GD29091@fieldses.org>

On Tue, 2010-11-30 at 14:24 -0500, J. Bruce Fields wrote:
> On Tue, Nov 30, 2010 at 08:33:59AM -0500, Trond Myklebust wrote:
> > The following patches allow the admin to turn off NFSv4 uid/gid mapping
> > if mounting using AUTH_SYS security.
>
> Maybe that should be "when a mountpoint allows only AUTH_SYS security"?
>
> (Once we start allowing auth_flavor_len > 1, presumably we don't want to
> change mappings depending on which flavor an individual getattr used!)
>
> Also, maybe it's right, but I'm a little weirded out by the dependency
> on the auth flavor.

The reason for wanting to restrict this to AUTH_SYS is that the latter
authenticates us using the uid/gid rather than a principal. In that case
(and only in that case), it makes sense to add the assumption that there
is an identity mapping between uids and gids on the client and server,
and that we should make use of that identity mapping.

In the case where auth_flavor_len > 1 (if ever we implement that), I
think we should in fact change mappings depending on the flavour
actually used for the RPC call. The reason is that principals may
authenticate to completely different users/groups on the server, even if
the above identity map between uids and gids exists.

Cheers
Trond
--
Trond Myklebust
Linux NFS client maintainer
NetApp
Trond.Myklebust@netapp.com
www.netapp.com

Thread overview:
2010-11-30 13:33 [PATCH v2 0/4] Allow the admin to turn off NFSv4 uid/gid mapping Trond Myklebust
2010-11-30 13:34 ` [PATCH v2 1/4] NFSv4: If the server sends us a numeric uid/gid then accept it Trond Myklebust
2010-11-30 13:34 ` [PATCH v2 2/4] NFSv4: Send unmapped uid/gids to the server if the idmapper fails Trond Myklebust
2010-11-30 13:34 ` [PATCH v2 3/4] NFSv4: cleanup idmapper functions to take an nfs_server argument Trond Myklebust
2010-11-30 13:34 ` [PATCH v2 4/4] NFSv4: Send unmapped uid/gids to the server when using auth_sys Trond Myklebust
2010-11-30 19:24 ` [PATCH v2 0/4] Allow the admin to turn off NFSv4 uid/gid mapping J. Bruce Fields
2010-11-30 21:44 ` Trond Myklebust [this message]