| Network File System Version 4 | C. Lever |
| Internet-Draft | Oracle |
| Intended status: Standards Track | S. Sorce |
| Expires: November 3, 2016 | Red Hat |
| May 2, 2016 |
A Simpler Mechanism For Organizing FedFS NSDBs
draft-cel-nfsv4-federated-fs-nce-05
This document describes a new, simpler mechanism for searching FedFS NSDBs (Name Space Data Bases) for FedFS records. This mechanism replaces the mechanism described in existing FedFS Proposed Standards.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 3, 2016.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
A FedFS junction is an object stored on a fileserver that redirects file-access clients to other fileserver shares. Using junctions, multiple fileserver shares on many fileservers can be joined into a single filename namespace. Think of a junction as a symlink that points to the root directory of a share stored on another fileserver.
The target locations of these remote shares are not stored in FedFS junctions. Instead, a junction contains a reference to a set of location information stored in an LDAP directory. The LDAP directory is referred to as a Name Space Data Base, or NSDB.
The fundamental and most frequent operation performed with an NSDB is "FSN resolution," described in section 5.2.2 of [RFC7532]. This is the act of reading the reference stored in a junction, retrieving the referenced location information from an NSDB, and forming a filesystem referral to send to file-access clients using a native filesystem protocol. In this scenario, a fileserver acts as an NSDB client.
FedFS records in any NSDB are stored as descendants of an NSDB Container Entry, or NCE, for short. An NSDB client specifies a search base when forming an LDAP query to search an NSDB for FedFS records. The Distinguished Name of an NCE is that search base.
FedFS junctions contain only the hostname and port of the NSDB service and a UUID. NSDB clients use a standard procedure for probing NSDBs for their NCEs. For the purposes of this discussion, we refer to procedures which retrieve putative NCEs from an NSDB as "NCE discovery mechanisms."
Implementation experience has shown that the NCE discovery mechanism currently defined in sections 4.1 and 5.2.1 of [RFC7532] can be problematic for some LDAP server implementations or deployments. In particular, altering the rootDSE of LDAP servers in any way is an onerous requirement. We present a new mechanism for expressing NCEs that does not require alteration of the rootDSE.
As described in Section 4.1 of [RFC7532], the LDAP naming context that is superior to an NCE is modified to include the fedfsNsdbContainerInfo object class. This object class carries the mandatory fedfsNceDN attribute, whose value is the Distinguished Name of the NCE that resides under that naming context.
To discover all NCEs on an NSDB, NSDB clients use the procedure described in Section 5.2.1 of [RFC7532]. NSDB clients look for naming context entries that include the fedfsNsdbContainerInfo object class. The fedfsNceDN attribute points directly to the NCE under that root suffix.
Difficulty arises because there is often a high bar to altering an LDAP server's rootDSE.
Neither [RFC7532] nor [RFC5716] discuss the motivation for referring to an NCE record via the rootDSE. The use of the current NCE discovery mechanism is simply a convenience that enables the contents of junctions to exclude the LDAP search base when specifying the LDAP record containing the junction's target locations.
Originally, an NSDB Container Entry DN was stored in each junction, along with an FSN UUID and the name of the NSDB where the FSN was stored.
To simplify the contents of junctions, the NCE DN was removed from junctions as the design of the NSDB protocol was finalized. NSDB clients were tasked with discovering the correct LDAP search base to use by searching the target NSDB's rootDSE for the NCE DN.
The current approach is described in Section 5.2.2 of [RFC7532]:
The search stops when one or more FSLs are returned or when all NCEs have been searched.
Without the fedfsNsdbContainerInfo object class, a root suffix DN is an adequate LDAP search base to use when searching for FSL records. For administrative purposes, however, the construct of NCE is maintained.
Rather than relying on a Distinguish Name stored in an attribute by an administrative tool, an NSDB client might instead use a search query that is natural to LDAP to obtain that DN.
Currently an NSDB Container Entry record is entirely unremarkable, except for its position in the DIT. It includes no special object class, Distinguished Name, or attribute that defines it as an NCE. It becomes an NCE only because its parent naming context points to it via the context's fedfsNceDN attribute.
If each NCE were instead tagged with an object class specific only to NCEs, NSDB clients could discover NCEs simply by filtering on that object class. Then no change to the LDAP server's rootDSE is required.
The following sections provide a protocol specification, similar to [RFC7532], for the new NCE discovery mechanism.
An NSDB is constructed using an LDAP Directory. This LDAP Directory can have multiple naming contexts. The LDAP Directory's DSA-specific entry (its rootDSE) has a multi-valued namingContext attribute. Each value of the namingContext attribute is the DN of the naming context's root entry (see [RFC4512]).
For each naming context that contains federation entries (e.g., FSNs and FSLs):
An NCE may have no children. When an NSDB is first created, there are no federation entries aside from the NCE, which therefore has no federation-related descendents.
NSDB administrative operations, such as those described in Section 5.1 of [RFC7532], may use NCEs to demark the position of repositories for federation entries.
If a naming context does not host an NSDB DIT, it MUST NOT contain an entry that includes the fedfsNsdbContainerEntry object class. For example, an LDAP directory might have the following entries:
-+ [root DSE]
| namingContext: o=fedfs
| namingContext: dc=example,dc=com
| namingContext: ou=system
|
|
+---- [o=fedfs]
| objectClass: fedfsNsdbContainerEntry
|
|
+---- [dc=example,dc=com]
|
+-------- [ou=corp-it,dc=example,dc=com]
|
+------------ [ou=fedfs,ou=corp-it,dc=example,dc=com]
| objectClass: fedfsNsdbContainerEntry
|
|
+---- [ou=system]
In this case, the o=fedfs naming context is also an NSDB Container Entry; the dc=example,dc=com naming context has an NSDB Container Entry at ou=fedfs,ou=corp-it,dc=example,dc=com, and the ou=system naming context has no NSDB Container Entry.
The NSDB SHOULD be configured with one or more privileged LDAP users. These users are able to modify the contents of the LDAP database. To perform the operations described in Section 5.1 of [RFC7532], a user SHOULD authenticate using the DN of a privileged LDAP user.
It MUST be possible for an unprivileged (unauthenticated) user to perform LDAP queries that access NSDB data. A fileserver performs the operations described in Section 5.2 of [RFC7532] as an unprivileged user.
All NSDB implementations SHOULD use the same schema. At minimum, each MUST use a schema that includes all attributes and objects named in Section 4.2 of [RFC7532] and in Section 2.2. If it is necessary for an implementation to privately extend the schema defined there, consider using one of the following ways:
This section is an addendum to the FedFS NSDB schema specified in Section 4.1 of [RFC7532].
The fedfsNsdbContainerEntry object class signifies that an LDAP record acts as an NSDB Container Entry (NCE).
A fedfsNsdbContainerEntry's has no mandatory attributes. A fedfsNsdbContainerEntry's fedfsAnnotation and fedfsDescr attributes are OPTIONAL.
<CODE BEGINS>
///
/// objectclass (
/// a.b.c.d.e.f.g.h.i NAME 'fedfsNsdbContainerEntry'
/// DESC 'Denotes an NSDB Container Entry'
/// SUP top AUXILIARY
/// MAY (
/// fedfsAnnotation
/// $ fedfsDescr
/// ))
///
<CODE ENDS>
To find NCEs residing on the NSDB nsdb.example.com, an NSDB client SHOULD do the following:
<CODE BEGINS>
nce_list = empty
connect to the LDAP directory at nsdb.example.com
for each namingContext value $BAR in the root DSE
/* $BAR is a DN */
query for fedfsNsdbContainerEntry objects under $BAR
include the DN of such objects on the nce_list
<CODE ENDS>
The [RFC4516] LDAP URL for the search query inside the loop would be:
ldap://nsdb.example.com:389/$BAR??sub?
(objectClass=fedfsNsdbContainerEntry)
NSDBs might serve NSDB client populations that contain clients that comply only with [RFC7532] as well as clients that use the query described in Section 2.3.
In this case, both the mechanism described in Section 2.1 and the mechanism described in [RFC7532] can be concurrently implemented in the NSDB to support both types of NSDB client.
To remain compatible with NSDB clients that comply with [RFC7532], each naming context on such an NSDB MUST contain either zero or one NCE records.
During a transition period to the new NCE discovery mechanism, NSDB clients may have to resolve FSNs on NSDBs that comply with [RFC7532] as well as NSDBs that have deployed the mechanism described in Section 2.1.
In this case, an NSDB client can try the query described in Section 2.3 first. If no NCE is found by this method, the NSDB client can try the query described in Section 5.2.1 of [RFC7532].
An NSDB client that encounters more than one NCE record under a naming context MUST return FEDFS_ERR_NSDB_NONCE if it does not support multiple NCEs per naming context.
To maintain separation of privileges, privileged users that are permitted to perform NSDB administrative operations should not be permitted access to other areas of the LDAP server's DIT. The use of LDAP ACLs is recommended to permit unauthenticated access to FedFS records (FSNs, FSLs, and NCEs) while restricting the ability to change these records to one or a few privileged user accounts.
IANA is to update the registry entitled "FedFS Object Identifiers" for the purpose of recording the change in status of existing FedFS Object Identifiers (OIDs) mentioned by this document. This includes the fedfsNceDN entry (OID 1.3.6.1.4.1.31103.1.14) and the fedfsNsdbContainerInfo entry (OID 1.3.6.1.4.1.31103.1.1001). The designation of "historic" is to be added to the "Reference" column of both entries.
In accordance with Section 5.2 of [RFC4520], object identifier descriptors for the fedfsNsdbContainerInfo object class and the fedfsNceDN attribute are to be marked as "historic in nature" in IANA's LDAP parameters "Object Identifier Descriptors" table, after Expert Review.
In accordance with Section 3.4 and Section 4 of [RFC4520], object identifier descriptors for the new fedfsNsdbContainerEntry object class defined in this document will be assigned and registered via the Expert Review process.
The author of this document gratefully acknowledges the contributions and patience of Rob Thurlow, Tom Haynes, and David Noveck. This work would not have been possible without the efforts of the authors and contributors to [RFC7532].
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC4512] | Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, DOI 10.17487/RFC4512, June 2006. |
| [RFC4516] | Smith, M. and T. Howes, "Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator", RFC 4516, DOI 10.17487/RFC4516, June 2006. |
| [RFC4520] | Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, DOI 10.17487/RFC4520, June 2006. |
| [RFC7532] | Lentini, J., Tewari, R. and C. Lever, "Namespace Database (NSDB) Protocol for Federated File Systems", RFC 7532, DOI 10.17487/RFC7532, March 2015. |
| [RFC5716] | Lentini, J., Everhart, C., Ellard, D., Tewari, R. and M. Naik, "Requirements for Federated File Systems", RFC 5716, DOI 10.17487/RFC5716, January 2010. |