2008-05-05 20:29:41

by Trond Myklebust

Subject: Re: 'noacl' NFS parameter seems ineffective (Fedora Core 7)

On Mon, 2008-05-05 at 18:27 +0000, Clay McClure wrote:
> Trond Myklebust <trond.myklebust <at> fys.uio.no> writes:
> > On Fri, 2007-07-06 at 09:40 -0400, Peter Staubach wrote:
> > > It was misguided on someone's part to think that no ACLs meant that
> > > checking the mode bits for permissions was sufficient.
> >
> > Yup.
> It seems to me that disabling ACCESS might prevent clients from knowing
> whether an operation is allowed, but it would not allow clients to bypass
> server ACLs. From a security perspective, then, I would think disabling
> ACCESS would not affect the correctness of the protocol.
> In other words, if a client with ACCESS disabled determined (by mode
> bits alone) that a read operation was allowed, and issued a READ call,
> would the server still determine whether the request was allowed
> (according to its ACL and user mapping policy), and return
> NFS3ERR_ACCES if not?

Yes, but that was never the problem. The problem is that clients can and
do cache data, and need to know who is allowed to access that data.

> > The correct way to deal with the problem of too many ACCESS calls
> > was rather to improve the caching. There should be a vast difference
> > between a 2.6.19 kernel or higher and earlier versions when it comes to
> > the ability to cache credentials from multiple users and I hope that
> > addresses the problems that people were seeing.
> ACCESS calls make up 17% of the NFS ops generated by our application
> running on a stock CentOS 5 2.6.18 kernel. We don't use ACLs or root
> mapping. One user (root) performs all file access on the NFS volume
> in question.
> Would the credential caching you mention in 2.6.19 help us reduce the
> number of ACCESS operations we see (even though only one user is
> performing file I/O)?

Since CentOS 5 is a copy of RHEL-5, I would expect it to already have
the patch applied.

> Is it safe to apply a patch to eliminate ACCESS altogether?

In general? No (see above).

That said, you can always find corner cases with peculiar environments.
Perhaps in your particular environment where there is only one user,
removing access is safe and will actually produce a win, as opposed to
generating yet more GETATTR calls in order to revalidate the cached
modebit data. It all depends on the underlying reason for why you are
seeing such a high number of ACCESS calls.
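
The caching point in the reply above, as an added illustration that is not part of the original message and is not Linux NFS client code. It is a toy model: the Server, Client and can_read names, the uids and the file contents are all constructed, and the client is assumed to hold the server's mode bits as cached attributes.

```python
from dataclasses import dataclass, field

READ = 0o4

@dataclass
class Server:
    # Constructed sample: mode 0644, owner uid 1000, ACL lets only 1000/1001 read.
    mode: int = 0o644
    owner: int = 1000
    acl_read: frozenset = frozenset({1000, 1001})
    data: bytes = b"sample"
    calls: list = field(default_factory=list)

    def access(self, uid):  # models the ACCESS procedure
        self.calls.append(("ACCESS", uid))
        return uid in self.acl_read

    def read(self, uid):  # models READ: the server always enforces its ACL
        self.calls.append(("READ", uid))
        if uid not in self.acl_read:
            raise PermissionError("NFS3ERR_ACCES")
        return self.data

class Client:
    def __init__(self, server, use_access):
        self.server, self.use_access = server, use_access
        self.page_cache = None   # cached file data, shared by all local users
        self.access_cache = {}   # uid -> cached ACCESS result

    def _allowed(self, uid):
        if not self.use_access:  # mode bits only (owner/other; group omitted)
            shift = 6 if uid == self.server.owner else 0
            return bool((self.server.mode >> shift) & READ)
        if uid not in self.access_cache:
            self.access_cache[uid] = self.server.access(uid)
        return self.access_cache[uid]

    def read(self, uid):
        if not self._allowed(uid):
            raise PermissionError("EACCES")
        if self.page_cache is None:  # miss: the server checks this one caller
            self.page_cache = self.server.read(uid)
        return self.page_cache       # hit: the server is never consulted

def can_read(client, uid):
    try:
        return client.read(uid) == client.server.data
    except PermissionError:
        return False
```

With use_access=False, uid 2000 is served from the cache that uid 1000 populated, although the server's ACL would have refused its READ. With use_access=True, the same request is denied locally, and repeat reads by uid 1000 cost no further ACCESS calls.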