NFSv4                                                          T. Haynes
Internet-Draft                                              Primary Data
Intended status: Informational                            April 10, 2014
Expires: October 12, 2014


               Considerations for a New pNFS Layout Type
                 draft-haynes-nfsv4-layout-types-02.txt

Abstract

   This document provides help in distinguishing between the
   requirements for Network File System (NFS) version 4.1's Parallel NFS
   (pNFS) and those those specifically directed to the pNFS File Layout.
   The lack of a clear separation between the two set of requirements
   may be troublesome for those trying to specify new Layout Types.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 12, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Haynes                  Expires October 12, 2014                [Page 1]


Internet-Draft                Layout Types                    April 2014


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Difference Between a Data Server and a Storage Device . .   4
     2.2.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   3.  The Control Protocol  . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Protocol Requirements . . . . . . . . . . . . . . . . . .   5
     3.2.  Non-protocol Requirements . . . . . . . . . . . . . . . .   5
     3.3.  Editorial Requirements  . . . . . . . . . . . . . . . . .   6
   4.  Implementations in Existing Layout Types  . . . . . . . . . .   6
     4.1.  File Layout Type  . . . . . . . . . . . . . . . . . . . .   6
     4.2.  Block Layout Type . . . . . . . . . . . . . . . . . . . .   7
     4.3.  Object Layout Type  . . . . . . . . . . . . . . . . . . .   8
   5.  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .  10
   Appendix B.  RFC Editor Notes . . . . . . . . . . . . . . . . . .  10
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   Both Parallel Network File System (pNFS) and the File Layout Type
   were defined in the Network File System (NFS) version 4.1 protocol
   specification, [RFC5661].  The Block Layout Type was defined in
   [RFC5663] and the Object Layout Type was in turn defined in
   [RFC5664].

   Some implementers have interpreted the text in Sections 12 ("Parallel
   NFS (pNFS)") and 13 ("NFSv4.1 as a Storage Protocol in pNFS: the File
   Layout Type") of [RFC5661] as both being strictly for the File Layout
   Type.  I.e., since Section 13 was not covered in a separate RFC like
   those for both the Block and Object Layout Types, there is some
   confusion as to the responsibilities of both the Metadata Server
   (MDS) and the Data Servers (DS) which were laid out in Section 12.

   As a consequence, new internet drafts (see [FlexFiles] and [Lustre])
   may struggle to meet the requirements to be a pNFS Layout Type.  This
   document clarifies what are the Layout Type independent requirements
   placed on all Layout Types, whether one of the original three or any
   new variant.






Haynes                  Expires October 12, 2014                [Page 2]


Internet-Draft                Layout Types                    April 2014


2.  Definitions

   control protocol:  is a set of requirements for the communication of
      information on layouts, stateids, file metadata, and file data
      between the metadata server and the storage devices.

   Data Server (DS):  is one of the pNFS servers which provide the
      contents of a file system object which is a regular file.
      Depending on the layout, there might be one or more data servers
      over which the data is striped.  Note that while the metadata
      server is strictly accessed over the NFSv4.1 protocol, depending
      on the Layout Type, the data server could be accessed via any
      protocol that meets the pNFS requirements.

   fencing:  is when the metadata server prevents the storage devices
      from processing I/O from a specific client to a specific file.

   layout:  informs a client of which storage devices it needs to
      communicate with (and over which protocol) to perform I/O on a
      file.  The layout might also provide some hints about how the
      storage is physically organized.

   layout iomode:  describes whether the layout granted to the client is
      for read or read/write I/O.

   layout stateid:  is a 128-bit quantity returned by a server that
      uniquely defines the layout state provided by the server for a
      specific layout that describes a Layout Type and file (see
      Section 12.5.2 of [RFC5661]).  Further, Section 12.5.3 describes
      the difference between a layout stateid and a normal stateid.

   Layout Type:  describes both the storage protocol used to access the
      data and the aggregation scheme used to lays out the file data on
      the underlying storage devices.

   metadata:  is that part of the file system object which describes the
      object and not the payload.  E.g., it could be the time since last
      modification, access, etc.

   Metadata Server (MDS):  is the pNFS server which provides metadata
      information for a file system object.  It also is responsible for
      generating layouts for file system objects.  Note that the MDS is
      responsible for directory-based operations.

   recalling a layout:  is when the metadata server uses a back channel
      to inform the client that the layout is to be returned in a
      graceful manner.  Note that the client could be able to flush any
      writes, etc., before replying to the metadata server.



Haynes                  Expires October 12, 2014                [Page 3]


Internet-Draft                Layout Types                    April 2014


   revoking a layout:  is when the metadata server invalidates the
      layout such that neither the metadata server nor any storage
      device will accept any access from the client with that layout.

   stateid:  is a 128-bit quantity returned by a server that uniquely
      defines the open and locking states provided by the server for a
      specific open-owner or lock-owner/open-owner pair for a specific
      file and type of lock.

   storage device:  is another term used almost interchangeably with
      data server.  See Section 2.1 for the nuances between the two.

2.1.  Difference Between a Data Server and a Storage Device

   We defined a data server as a pNFS server, which implies that it can
   utilize the NFSv4.1 protocol to communicate with the client.  As
   such, only the File Layout Type would currently meet this
   requirement.  The more generic concept is a storage device, which can
   use any protocol to communicate with the client.  The requirements
   for a storage device to act together with the metadata server to
   provide data to a client are that there is a Layout Type
   specification for the given protocol and that the metadata server has
   granted a layout to the client.  Note that nothing precludes there
   being multiple supported Layout Types (i.e., protocols) between a
   metadata server, storage devices, and client.

   As storage device is the more encompassing terminology, this document
   utilizes it over data server.

2.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  The Control Protocol

   In Section 12.2.6 of [RFC5661], the control protocol is introduced.
   There have been no specifications for control protocols, and indeed
   there need not be such a protocol in use for any given
   implementation.  The control protocol is actually a set of
   requirements provided to describe the interaction between the
   metadata server and the storage device.  When specifying a new Layout
   Type, the defining document MUST show how it meets these
   requirements, especially with respect to the security implications.






Haynes                  Expires October 12, 2014                [Page 4]


Internet-Draft                Layout Types                    April 2014


3.1.  Protocol Requirements

   The broad requirements of such interactions between the metadata
   server and the storage devices are:

   (1)  NFSv4.1 clients MUST be able to access a file directly through
        the metadata server and not the storage device.  I.e., the
        metadata server must be able to retrieve the data from the
        constituent storage devices and present it back to the client
        via normal NFSv4.1 operations.  Whether the metadata server
        allows access over other protocols (e.g., NFSv3, Server Message
        Block (SMB), etc) is strictly an implementation choice.

   (2)  The metadata server MUST be able to restrict access to a file on
        the storage devices when it revokes a layout.  The metadata
        server typically would revoke a layout whenever a client fails
        to respond to a recall or fails to renew its lease in time.  It
        might also revoke the layout as a means of enforcing a change in
        state that the storage device cannot directly enforce with the
        client.

   (3)  Storage devices MUST NOT remove NFSv4.1's access controls: ACLs
        and file open modes.

   (4)  Locking MUST be respected.

   (5)  The metadata server and the storage devices MUST agree on
        attributes like modify time, the change attribute, and the end-
        of-file (EOF) position.

        Note that "agree" here means that some state changes need not be
        propagated immediately, although all changes SHOULD be
        propagated promptly.

   Note that there is no requirement on how these are implemented.
   While the File Layout Type does use the stateid to fence off the
   client, there is no requirement that other Layout Types use this
   stateid approach.  But the other Layout Types MUST document how the
   client, metadata server, and storage devices interact to meet these
   requirements.

3.2.  Non-protocol Requirements

   In gathering the requirements from Section 12 of [RFC5661], there are
   some which are notable in their absence:

   (1)  Storage device MUST honor the byte range restrictions present in
        the layout.  I.e., if the layout only provides access to the



Haynes                  Expires October 12, 2014                [Page 5]


Internet-Draft                Layout Types                    April 2014


        first 2 MB of the file, then any access after that MUST NOT be
        granted.

   (2)  The enforcement of authentication and authorization so that
        restrictions that would be enforced by the metadata server are
        also enforced by the storage device.  Examples include both
        export access checks and if the layout has an iomode of
        LAYOUTIOMODE4_READ, then if the client attempts to write, the I/
        O may be rejected.

        While storage devices should make such checks on the layout
        iomode, [RFC5661] does not mandate that all Layout Types have to
        make such checks.

   (3)  The allocation and deallocation of storage.  I.e., creating and
        deleting files.

   Of these, the first two are of concern to this draft and Layout Types
   SHOULD honor them if at all possible,

3.3.  Editorial Requirements

   In addition to these protocol requirements, there are two editorial
   requirements for drafts that present a new Layout Type.  At a
   minimum, the specification needs to address:

   (1)  The approach the new Layout Type takes towards fencing clients
        once the metadata server determines that the layout is revoked.

   (2)  The security considerations of the new Layout Type.

   While these could be envisioned as one section in that the fencing
   issue might be the only security issue, it is recommended to deal
   with them separably.

   The specification of the Layout Type should discuss how the client,
   metadata server, and storage device act together to meet the protocol
   requirements.  I.e., if the storage device cannot enforce mandatory
   byte-range locks, then how can the metadata server and the client
   interact with the layout to enforce those locks?

4.  Implementations in Existing Layout Types

4.1.  File Layout Type

   Not surprisingly, the File Layout Type comes closest to the normal
   semantics of NFSv4.1.  In particular, the stateid used for I/O MUST
   have the same effect and be subject to the same validation on a data



Haynes                  Expires October 12, 2014                [Page 6]


Internet-Draft                Layout Types                    April 2014


   server as it would if the I/O was being performed on the metadata
   server itself in the absence of pNFS.

   And while for most implementations the storage devices can do the
   following validations:

   o  client holds a valid layout,

   o  client I/O matches the layout iomode, and,

   o  client does not go out of the byte ranges,

   these are each presented as a "SHOULD" and not a "MUST".  However, it
   is just these layout specific checks that are optional, not the
   normal file access semantics.  The storage devices MUST make all of
   the required access checks on each READ or WRITE I/O as determined by
   the NFSv4.1 protocol.  If the metadata server would deny a READ or
   WRITE operation on a file due to its ACL, mode attribute, open access
   mode, open deny mode, mandatory byte-range lock state, or any other
   attributes and state, the storage device MUST also deny the READ or
   WRITE operation.  And note that while the NFSv4.1 protocol does not
   mandate export access checks based on the client's IP address, if the
   metadata server implements such a policy, then that counts as such
   state as outlined above.

   As the data filehandle provided by the PUTFH operation and the
   stateid in the READ or WRITE operation are used to ensure that the
   client has a valid layout for the I/O being performed, the client can
   be fenced off for access to a specific file via the invalidation of
   either key.

4.2.  Block Layout Type

   With the Block Layout Type, the storage devices are not guaranteed to
   be able to enforce file-based security.  Typically, storage area
   network (SAN) disk arrays and SAN protocols provide access control
   mechanisms (e.g., Logical Unit Number (LUN) mapping and/or masking),
   which operate at the granularity of individual hosts, not individual
   blocks.  Access to block storage is logically at a lower layer of the
   I/O stack than NFSv4, and hence NFSv4 security is not directly
   applicable to protocols that access such storage directly.  As such,
   [RFC5663] is very careful to define that in environments where pNFS
   clients cannot be trusted to enforce such policies, pNFS Block Layout
   Types SHOULD NOT be used.

   The implication here is that the security burden has shifted from the
   storage devices to the client.  It is the responsibility of the
   administrator doing the deployment to trust the client



Haynes                  Expires October 12, 2014                [Page 7]


Internet-Draft                Layout Types                    April 2014


   implementation.  However, this is not a new requirement when it comes
   to SAN protocols, the client is expected to provide block-based
   protection.

   This implication also extends to ACLs, locks, and layouts.  The
   storage devices might not be able to enforce any of these and the
   burden is pushed to the client to make the appropriate checks before
   sending I/O to the storage devices.  As an example, if the metadata
   server uses a layout iomode for reading to enforce a mandatory read-
   only lock, then the client has to honor that intent by not sending
   WRITEs to the storage devices.  The basic issue here is that the
   storage device can be treated as a local dumb disk such that once the
   client has access to the storage device, it is able to perform either
   READ or WRITE I/O to the entire storage device.  The byte ranges in
   the layout, any locks, the layout iomode, etc, can only be enforced
   by the client.

   While the Block Layout Type does support client fencing upon revoking
   a layout, the above restrictions come into play again: the
   granularity of the fencing can only be at the host/logical-unit
   level.  Thus, if one of a client's layouts is unilaterally revoked by
   the server, it will effectively render useless *all* of the client's
   layouts for files located on the storage units comprising the logical
   volume.  This may render useless the client's layouts for files in
   other file systems.

4.3.  Object Layout Type

   The Object Layout Type focuses security checks to occur during the
   allocation of the layout.  The client will typically ask for a layout
   for each byte-range of either READ or READ/WRITE.  At that time, the
   metadata server should verify permissions against the layout iomode,
   the outstanding locks, the file mode bits or ACLs, etc.  As the
   client may be acting for multiple local users, it MUST authenticate
   and authorize the user by issuing respective OPEN and ACCESS calls to
   the metadata server, similar to having NFSv4 data delegations.

   Upon successful authorization, inside the layout, the client receives
   a set of object capabilities allowing it I/O access to the specified
   objects corresponding to the requested iomode.  These capabilities
   are used to enforce access control at the storage devices.  Whenever
   the metadata server detects one of:

   o  the permissions on the object change,

   o  a conflicting mandatory byte-range lock is granted, or

   o  a layout is revoked and reassigned to another client,



Haynes                  Expires October 12, 2014                [Page 8]


Internet-Draft                Layout Types                    April 2014


   then it MUST change the capability version attribute on all objects
   comprising the file to implicitly invalidate any outstanding
   capabilities before committing to one of these changes.

   When the metadata server wishes to fence off a client to a particular
   object, then it can use the above approach to invalidate the
   capability attribute on the given object.  The client can be informed
   via the storage device that the capability has been rejected and is
   allowed to fetch a refreshed set of capabilities, i.e., re-acquire
   the layout.

5.  Summary

   In the three published Layout Types, the burden of enforcing the
   security of NFSv4.1 can fall to either the storage devices (Files),
   the client (Blocks), or the metadata server (Objects).  Such
   decisions seem to be forced by the native capabilities of the storage
   devices - if a real control protocol can be implemented, then the
   burden can be shifted primarily to the storage devices.

   But as we have seen, the control protocol is actually a set of
   requirements.  And as new Layout Types are published, the enclosing
   documents minimally MUST address:

   (1)  The fencing of clients after a layout is revoked.

   (2)  The security implications of the native capabilities of the
        storage devices with respect to the requirements of the NFSv4.1
        security model.

6.  Security Considerations

   The metadata server MUST be able to fence off a client's access to a
   file stored on a storage device.  When it revokes the layout, the
   client's access MUST be terminated at the storage devices.

7.  IANA Considerations

   This document has no actions for IANA.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", March 1997.





Haynes                  Expires October 12, 2014                [Page 9]


Internet-Draft                Layout Types                    April 2014


   [RFC5661]  Shepler, S., Eisler, M., and D. Noveck, "Network File
              System (NFS) Version 4 Minor Version 1 Protocol", RFC
              5661, January 2010.

   [RFC5663]  Black, D., Fridella, S., and J. Glasgow, "pNFS Block/
              Volume Layout", RFC 5663, January 2010.

   [RFC5664]  Halevy, B., Welch, B., and J. Zelenka, "Object-Based
              Parallel NFS (pNFS) Operations", RFC 5664, January 2010.

8.2.  Informative References

   [FlexFiles]
              Halevy, B., "Parallel NFS (pNFS) Flexible Files Layout",
              draft-bhalevy-nfsv4-flex-files-01 (Work In Progress),
              October 2013.

   [Lustre]   Faibish, S. and P. Tao, "Parallel NFS (pNFS) Lustre Layout
              Operations", draft-faibish-nfsv4-pnfs-lustre-layout-06
              (Work In Progress), November 2013.

Appendix A.  Acknowledgments

   Dave Noveck provided an early review that sharpened the clarity of
   the definitions.

Appendix B.  RFC Editor Notes

   [RFC Editor: please remove this section prior to publishing this
   document as an RFC]

   [RFC Editor: prior to publishing this document as an RFC, please
   replace all occurrences of RFCTBD10 with RFCxxxx where xxxx is the
   RFC number of this document]

Author's Address

   Thomas Haynes
   Primary Data, Inc.
   4300 El Camino Real Ste 100
   Los Altos, CA  94022
   USA

   Phone: +1 408 215 1519
   Email: thomas.haynes@primarydata.com






Haynes                  Expires October 12, 2014               [Page 10]