Nethserver-NFS think tank

stephdl · March 3, 2017, 3:41pm

@gerald_FS It is a rainy weekend, I want to jump on it

gerald_FS · March 3, 2017, 3:56pm

@stephdl
Cool, thanks!
I’m looking forward.
We have according to the weather a fantastic weather - sun …

davidep · March 3, 2017, 6:42pm

I think it is reasonable as a first prototype.

Next steps could be:

IP access policy for SMB too: is it possible? It would be good for LDAP accounts provider!
kerberos auth for NFS too!

It would be great to have the same features on both protocols!

JOduMonT · March 4, 2017, 7:00am

I don’t know about others, but for me NFS (Network File System) is more to interconnect servers such as iSCSI;

Personally on Nethserver; I’ll use it to mount a drive inside a KVM such as CoreOS to store my datas
So authentication based on IP works very well for this kind of usage.

stephdl · March 4, 2017, 9:33am

Correction, it is a snowy day

stephdl · March 5, 2017, 8:07am

I’m thinking loudly, please add your mind

When I did a contrib for SME Server, I added a lot of protections mostly IP based, it means

you cannot get a RW export if the ip is not on the LAN
you cannot get a RW export if the export is for the whole LAN (each IP with RW right must be set)

I created also the possibility to create your own rule manually when the option in the panel are not enough, but I forbid

‘*’ since it means accept from everywhere
domain name (so easy to spoof)
no space between IP and option (it means accept from everywhere)

Do you want the same, or it is useless

stephdl · March 5, 2017, 9:19pm

gerald_FS · March 5, 2017, 9:27pm

great!

cool!

stephdl · March 6, 2017, 6:30am

Check box or radio button…the first one could give the interface lighter :-?

dnutan · March 6, 2017, 8:38am

IMO delay, hide, secure, each with a single checkbox. Maybe also RW.

davidep · March 6, 2017, 8:57am

I’d prefer one interface to rule them all!

I mean: NFS and SMB features are similar. IP-based access policy could be added to smb.conf with an hosts allow = ... directive.

And authentication can be added to NFS (ok, in a second step). We’ll get the same features on both protocols!

If we move towards this goal we can design one interface for both protocols and ease the configuration.

Also at DB level the props could be the same!

What do you think?

stephdl · March 6, 2017, 5:37pm

Agreed, but I have two minds on it, we need to assume that we might have two different policies because we have two different protocols.

Why not But I would prefer a panel for each protocol.

Authentication with kerberos, why not, the only change (quite near) is the export definition, so we can imagine several way to use nfs

IP based and UID/GID
IP based
Kerberos

It is really flexible

This is a great Idea you gave me, reuse some db…I was thinking to another tricky way.At least ‘GroupAccess’ could be used instead of NfsRW. However other db are specific…hard to reuse it.

My workarea is at GitHub - stephdl/nethserver-nfs of course it is not polished

davidep · March 7, 2017, 8:54am

A distinct panel could be required for those features that are provided by a specific protocol only.

For instance, sync/async is an NFS-only option. It does not apply to SMB (and we could discuss if it is worth exposing it on the UI…).

The list of IP addresses that are allowed to connect the shared folder should be the same for both protocols. I mean: if the sysadmin requested an IP-based access policy I think it is correct to enforce it on any possible protocol.

What do you think?

stephdl · March 7, 2017, 9:32pm

Agreed

I tend to think the contrary, and I want to hide them by an ‘advanced setting’ menu

I get your point, now let’s talk of the difficulty to code it

My worry is the need to get Two panels for NFS. NFS is IP based, I don’t allow to share something in RW easily, You have to write all allowed IP in the textbox area, then if needed you can allow them in RW mode and/or set all other options. For the 'Read mode ’ from your LAN, you have a checkbox, however the options are restricted by the UI(all_squash,ro,secure).

Then we will have two panels (one for setting, one for IP), it is less handy. After that I’m not sure a sysadmin will want obviously the IP restriction for the two protocols, but we can imagine a chekbox in samba to enable/disable it.

If an IP panel is wanted, how make it ?

With a table from a specific key → nice, but not easy to fill (one IP by step)
With a textarea box(simple, easy to copy and paste, a bit oldy)

For the textarea, I succeed the last night to verify the IP line directly in nethgui, I need now to verify that the range is good in the trusted network…a new (little) victory

stephdl · March 7, 2017, 10:49pm

davidep · March 8, 2017, 8:26am

I’d definitely go with it! Please, have a look to an already existing implementation for “Email > SMTP access”:

github.com

NethServer/nethserver-mail-common/blob/master/root/usr/share/nethesis/NethServer/Module/Mail/SmtpAccess.php#L90


      
              $condition = $viewText === 'yes';
              $values = (array) $this->parameters['AccessPolicies'];
              $status = in_array($optionName, $values);
              if ($condition != $status) {
                  $values = $status ? array_diff($values, array($optionName)) : array_merge($values, array($optionName));
              }
              $this->parameters['AccessPolicies'] = array_filter($values);
              return array();
          }
          
          public function validate(\Nethgui\Controller\ValidationReportInterface $report)
          {
              parent::validate($report);
              $itemValidator = $this->getPlatform()->createValidator(\Nethgui\System\PlatformInterface::IP);
          
              foreach (self::splitLines($this->parameters['AccessBypassList']) as $v) {
                  if ( ! $itemValidator->evaluate($v)) {
                      $report->addValidationErrorMessage($this, 'AccessBypassList', 'IP address list', array($v));
                      break;
                  }
              }

About the interface design, I think we need to draw some use cases to validate it. I hope someone else wants to chime in! /cc @dev_team @quality_team.

What comes to my mind is

Primary, historical use case: authenticated access, ro/rw perms for team collaboration, optional ro for everyone
ro/rw guest access
IP based + guest access: ideal for machine backups, could be useful where authenticated access is not provided (LDAP accounts provider)

This is the reason because I’d like the IP textarea in the General tab (and develop a smb.conf template for it). In the future I’d like authenticated access on NFS, too: is it possible?

About the NFS tab: I agree, it could list the “advanced options” of NFS protocol. But I’d list only options that are useful to real use cases!

stephdl · March 8, 2017, 10:04pm

Thank, already developed, I saw this code the last weekend, It works

OK for NFS, ro for the whole lan if needed

I called this the lazzy mode, but each IP mus be allowed in the textbox

Similar as above, already coded. I tested nethserver-nfs, either with samba AD or with Openldap, it works on the two scenarios.

we can share the same db property and get for each tab a textarea box to allow the client IP…is it acceptable ?
Or a new separate tab and let the client there…but I don’t like the idea to not get the textbox in the same panel than the NFS one…a bit like you when you want a textbox in the ‘General’ tab

This future is soon, except some code polish and tests, the module is quite good, we can have a look to this now.

davidep · March 8, 2017, 10:31pm

if it’s almost completed, I wait to see it in action!

dnutan · March 25, 2017, 7:40pm

Update on this feature: