From: Trond Myklebust <trondmy@hammerspace.com>
To: "anna@kernel.org" <anna@kernel.org>, "neilb@suse.de" <neilb@suse.de>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 0/2] NFS: limit use of ACCESS cache for negative responses
Date: Tue, 17 May 2022 00:20:46 +0000 [thread overview]
Message-ID: <72f091ceaaf15069834eb200c04f0630eca7eaef.camel@hammerspace.com> (raw)
In-Reply-To: <165274590805.17247.12823419181284113076@noble.neil.brown.name>
On Tue, 2022-05-17 at 10:05 +1000, NeilBrown wrote:
>
> Hi,
> any thoughts on these patches?
To me, this problem is simply not worth breaking hot path functionality
for. If the credential changes on the server, but not on the client (so
that the cred cache comparison still matches), then why do we care?
IOW: I'm a NACK until convinced otherwise.
>
> Thanks,
> NeilBrown
>
>
> On Thu, 28 Apr 2022, NeilBrown wrote:
> > Since Commit 57b691819ee2 ("NFS: Cache access checks more
> > aggressively")
> > (Linux 4.8) NFS has cached the results of ACCESS indefinitely while
> > the
> > inode isn't changing.
> >
> > This is often a good choice, but doesn't take into account the
> > possibility that changes out side of the inode can change effective
> > permissions.
> >
> > Depending on configuration, some servers can map the user provided
> > in
> > the RPC credential to a group list at time of request. If the
> > group
> > list for a user is changed, the result of ACCESS can change.
> >
> > This is particularly a problem when extra permissions are given on
> > the
> > server. The client may make decisions based on outdated ACCESS
> > results
> > and not even try operations which would in fact succeed.
> >
> > These two patches change the ACCESS cache so that when the cache
> > grants
> > an access, that is trusted indefinitely just as it currently does.
> > However when the cache denies an access, that is only trusted if
> > the
> > cached data is less than acmin seconds old. Otherwise a new ACCESS
> > request is made.
> >
> > This allows additions to group membership to become effective with
> > only a modest delay.
> >
> > The second patch contains even more explanatory detail.
> >
> > Thanks,
> > NeilBrown
> >
> > ---
> >
> > NeilBrown (2):
> > NFS: change nfs_access_get_cached() to
> > nfs_access_check_cached()
> > NFS: limit use of ACCESS cache for negative responses
> >
> >
> > fs/nfs/dir.c | 80 +++++++++++++++++++++++++-------------
> > ----
> > fs/nfs/nfs4proc.c | 25 ++++++-------
> > include/linux/nfs_fs.h | 5 +--
> > 3 files changed, 61 insertions(+), 49 deletions(-)
> >
> > --
> > Signature
> >
> >
--
Trond Myklebust
CTO, Hammerspace Inc
4984 El Camino Real, Suite 208
Los Altos, CA 94022
www.hammer.space
next prev parent reply other threads:[~2022-05-17 0:21 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-28 1:37 [PATCH 0/2] NFS: limit use of ACCESS cache for negative responses NeilBrown
2022-04-28 1:37 ` [PATCH 1/2] NFS: change nfs_access_get_cached() to nfs_access_check_cached() NeilBrown
2022-04-28 1:37 ` [PATCH 2/2] NFS: limit use of ACCESS cache for negative responses NeilBrown
2022-05-17 0:05 ` [PATCH 0/2] " NeilBrown
2022-05-17 0:20 ` Trond Myklebust [this message]
2022-05-17 0:40 ` NeilBrown
2022-05-17 0:55 ` Trond Myklebust
2022-05-17 1:05 ` NeilBrown
2022-05-17 1:14 ` Trond Myklebust
2022-05-17 1:22 ` NeilBrown
2022-05-17 1:36 ` Trond Myklebust
2022-08-26 14:59 ` Benjamin Coddington
2022-08-26 15:44 ` Trond Myklebust
2022-08-26 16:43 ` Benjamin Coddington
2022-08-26 16:56 ` Trond Myklebust
2022-08-26 18:27 ` Benjamin Coddington
2022-08-27 0:52 ` Trond Myklebust
2022-09-19 19:09 ` Benjamin Coddington
2022-09-19 22:38 ` NeilBrown
2022-09-20 1:18 ` Trond Myklebust
2022-08-26 23:39 ` NeilBrown
2022-08-27 3:38 ` Trond Myklebust
2022-08-28 23:32 ` NeilBrown
2022-08-29 14:07 ` Jeff Layton
2022-09-03 9:57 ` NeilBrown
2022-09-03 15:49 ` Trond Myklebust
2022-09-04 23:28 ` NeilBrown
2022-09-04 23:40 ` Trond Myklebust
2022-09-05 0:09 ` NeilBrown
2022-09-05 0:49 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=72f091ceaaf15069834eb200c04f0630eca7eaef.camel@hammerspace.com \
--to=trondmy@hammerspace.com \
--cc=anna@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).