From: Andrew W Elble <aweits@rit.edu>
To: Weston Andros Adamson <dros@primarydata.com>
Cc: linux-nfs list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH RFC 0/4] Deal with lost delegations and EKEYEXPIRED
Date: Wed, 09 Dec 2015 09:17:38 -0500 [thread overview]
Message-ID: <m2bn9zwvst.fsf@discipline.rit.edu> (raw)
In-Reply-To: <38076235-99FC-4CC7-8F16-3518A58CABA2@primarydata.com> (Weston Andros Adamson's message of "Tue, 08 Dec 2015 16:38:22 -0500")
> One part I’m not sure about is in nfsd4_spo_must_allow dealing with putfh like
> ops vs not putfh-like ops. I’ll have to check the spec and take a deeper look at
> that when I get some time, but maybe a brief explanation in a comment would
> help?
Will put on the list for v2.
RFC5561 2.6.3.1.1.7:
The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC to any operation
other than a put filehandle operation, LOOKUP, LOOKUPP, and OPEN (by
component name).
RFC5561 15.4:
| NFS4ERR_WRONGSEC | LINK, LOOKUP, LOOKUPP, OPEN, |
| | PUTFH, PUTPUBFH, PUTROOTFH, |
| | RENAME, RESTOREFH
See need_wrongsec_check() (called from nfsd4_proc_compound()).
The implementation problem is that fh_verify() also calls check_nfsd_access(),
so these contortions are to avoid sending NFS4ERR_WRONGSEC on things we
shouldn't be, while still granting the spo_must_allow operation to succeed.
(based on [somthing-putfh-like]->...->[something-spo_must_allow-like]...->[end-or-putfh])
> To be honest, I've always been hazy on where in the spec the ramifications of
> SP4_MACH_CRED only covering part of a compound is discussed… I’ll take a
> look soon.
I think you mean 2.6.3.1? But it doesn't reference SP4_MACH_CRED
specifically, only 'acceptable security tuple'.
This may also be a little bit heavyweight for how the server is set up
currently. (i.e. simply changing the export (sec=krb5) to
(sec=krb5,krb5i) will eliminate the need for nfsd4_spo_must_allow()).
Thanks,
Andy
--
Andrew W. Elble
aweits@discipline.rit.edu
Infrastructure Engineer, Communications Technical Lead
Rochester Institute of Technology
PGP: BFAD 8461 4CCF DC95 DA2C B0EB 965B 082E 863E C912
prev parent reply other threads:[~2015-12-09 14:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-02 14:39 [PATCH RFC 0/4] Deal with lost delegations and EKEYEXPIRED Andrew Elble
2015-12-02 14:39 ` [PATCH RFC 1/4] nfs/nfsd: Move useful bitfield ops to a commonly accessible place Andrew Elble
2015-12-02 14:39 ` [PATCH RFC 2/4] nfs: machine credential support for additional operations Andrew Elble
2015-12-06 21:47 ` Trond Myklebust
2015-12-08 18:29 ` Andrew W Elble
2015-12-02 14:39 ` [PATCH RFC 3/4] nfsd: allow mach_creds_match to be used more broadly Andrew Elble
2015-12-02 14:39 ` [PATCH RFC 4/4] nfsd: implement machine credential support for some operations Andrew Elble
2015-12-08 21:38 ` [PATCH RFC 0/4] Deal with lost delegations and EKEYEXPIRED Weston Andros Adamson
2015-12-09 14:17 ` Andrew W Elble [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2bn9zwvst.fsf@discipline.rit.edu \
--to=aweits@rit.edu \
--cc=dros@primarydata.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox