On Sep 1, 2009, at 5:22 PM, Trond Myklebust wrote:
On Tue, 2009-09-01 at 16:31 -0400, Chuck Lever wrote:
For v4, you have WRONGSEC, but I don't think NFSv2 makes that
distinction. Would the client probe the server with NFS requests
each
using a different flavor? Would we expect to see the RPC level "weak
authentication" reply in the NFSv2 case? Before Eisler says it, why
would we bother?
Even so, that's a much different proposition than simply reading the
flavor list returned by MNT3PROC, so I'm straining to see how we
could
reuse the logic I'm adding to the kernel's MNT client to do security
negotiation for NFSv2. If Trond is referring only to merging the
kernel's auth flavor lists, then that comment makes more sense.
IMO the goal should be to have _one_ engine that can iterate through a
list of auth flavours (either the list provided by the MNT server, or
the list of all flavours supported by the client) until it gets a
positive response to an RPC call.
OK, but that's not what the MNT client has to do with the list
returned from MNT3PROC. All it needs to do is check the requested
auth flavor against the returned list, or pick the first supported
flavor on the list if the user didn't request one.
So my practical question still remains. For 2.6.32, how should the
kernel's MNT client determine the list of supported authentication
flavors? (I understand that one answer might be "we can't do an
adequate job of that at this point, so we probably should drop MNT
authlist support until we can").
We shouldn't assume that the flavour
that was negotiated at mount time is final.
Why not? That's how NFSv2 and NFSv3 have worked forever. And, how
will client admins enforce the use of a particular security flavor if
they can't be sure that the client won't renegotiate it?
For NFSv3, you can save the list of supported flavors returned by
MNT3PROC on the client to do renegotiation later, but what happens
when the server admin changes the auth flavors for an export that the
client has already mounted?
It makes sense to code this iteration process at the RPC level instead
of at the NFS level. That enables us to use the same engine for NFSv2,
NFSv4, and the NFSv4.0 server (when doing client callbacks). Possibly
also for NLM and MOUNT (apparently IRIX used to support this)...
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html