nfs.man: add description of multiple sec= options

Message ID 1383064066-1139-1-git-send-email-dros@netapp.com (mailing list archive)
State New, archived

Commit Message

Weston Andros Adamson Oct. 29, 2013, 4:27 p.m. UTC
The client now supports multiple sec= options as a colon delimited list.

Signed-off-by: Weston Andros Adamson <dros@netapp.com>
---
 utils/mount/nfs.man | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Chuck Lever III Oct. 29, 2013, 4:30 p.m. UTC | #1
On Oct 29, 2013, at 12:27 PM, Weston Andros Adamson <dros@netapp.com> wrote:

> The client now supports multiple sec= options as a colon delimited list.
> 
> Signed-off-by: Weston Andros Adamson <dros@netapp.com>
> ---
> utils/mount/nfs.man | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index 2a42b93..17b8d88 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -380,9 +380,10 @@ If a value of zero is specified, the
> .BR mount (8)
> command exits immediately after the first failure.
> .TP 1.5i
> -.BI sec= flavor
> -The security flavor to use for accessing files on this mount point.
> -If the server does not support this flavor, the mount operation fails.
> +.BI sec= flavors
> +A colon-delimited list of security flavors to use for accessing files on
> +this mount point. If the server does not support any of these flavors,
> +the mount operation fails.

Just a nit:  The new text kind of suggests that the colons are required.  "sec=single flavor" is also still supported.  Typically man page language is careful to show both.


> If
> .B sec=
> is not specified, the client attempts to find
> -- 
> 1.8.3.1 (Apple Git-46)
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Trond Myklebust Oct. 29, 2013, 4:36 p.m. UTC | #2
> -----Original Message-----
> From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
> owner@vger.kernel.org] On Behalf Of Chuck Lever
> Sent: Tuesday, October 29, 2013 12:30 PM
> To: Weston Andros Adamson
> Cc: steved@redhat.com; linux-nfs@vger.kernel.org
> Subject: Re: [PATCH] nfs.man: add description of multiple sec= options
> 
> 
> On Oct 29, 2013, at 12:27 PM, Weston Andros Adamson <dros@netapp.com>
> wrote:
> 
> > The client now supports multiple sec= options as a colon delimited list.
> >
> > Signed-off-by: Weston Andros Adamson <dros@netapp.com>
> > ---
> > utils/mount/nfs.man | 7 ++++---
> > 1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index
> > 2a42b93..17b8d88 100644
> > --- a/utils/mount/nfs.man
> > +++ b/utils/mount/nfs.man
> > @@ -380,9 +380,10 @@ If a value of zero is specified, the .BR mount
> > (8) command exits immediately after the first failure.
> > .TP 1.5i
> > -.BI sec= flavor
> > -The security flavor to use for accessing files on this mount point.
> > -If the server does not support this flavor, the mount operation fails.
> > +.BI sec= flavors
> > +A colon-delimited list of security flavors to use for accessing files
> > +on this mount point. If the server does not support any of these
> > +flavors, the mount operation fails.
> 
> Just a nit:  The new text kind of suggests that the colons are required.
> "sec=single flavor" is also still supported.  Typically man page language is
> careful to show both.

How about "colon-separated list of one or more security flavours"? That's less ambiguous than "colon-delimited"...

Cheers
  Trond
Chuck Lever III Oct. 29, 2013, 4:40 p.m. UTC | #3
On Oct 29, 2013, at 12:36 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:

>> -----Original Message-----
>> From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
>> owner@vger.kernel.org] On Behalf Of Chuck Lever
>> Sent: Tuesday, October 29, 2013 12:30 PM
>> To: Weston Andros Adamson
>> Cc: steved@redhat.com; linux-nfs@vger.kernel.org
>> Subject: Re: [PATCH] nfs.man: add description of multiple sec= options
>> 
>> 
>> On Oct 29, 2013, at 12:27 PM, Weston Andros Adamson <dros@netapp.com>
>> wrote:
>> 
>>> The client now supports multiple sec= options as a colon delimited list.
>>> 
>>> Signed-off-by: Weston Andros Adamson <dros@netapp.com>
>>> ---
>>> utils/mount/nfs.man | 7 ++++---
>>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>> 
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index
>>> 2a42b93..17b8d88 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -380,9 +380,10 @@ If a value of zero is specified, the .BR mount
>>> (8) command exits immediately after the first failure.
>>> .TP 1.5i
>>> -.BI sec= flavor
>>> -The security flavor to use for accessing files on this mount point.
>>> -If the server does not support this flavor, the mount operation fails.
>>> +.BI sec= flavors
>>> +A colon-delimited list of security flavors to use for accessing files
>>> +on this mount point. If the server does not support any of these
>>> +flavors, the mount operation fails.
>> 
>> Just a nit:  The new text kind of suggests that the colons are required.
>> "sec=single flavor" is also still supported.  Typically man page language is
>> careful to show both.
> 
> How about "colon-separated list of one or more security flavours"? That's less ambiguous than "colon-delimited"...

Maybe Dros could also update the EXAMPLES section with one of each.  Just a thought.
Weston Andros Adamson Oct. 29, 2013, 4:40 p.m. UTC | #4
On Oct 29, 2013, at 12:30 PM, Chuck Lever <chuck.lever@oracle.com> wrote:

> 
> On Oct 29, 2013, at 12:27 PM, Weston Andros Adamson <dros@netapp.com> wrote:
> 
>> The client now supports multiple sec= options as a colon delimited list.
>> 
>> Signed-off-by: Weston Andros Adamson <dros@netapp.com>
>> ---
>> utils/mount/nfs.man | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>> 
>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>> index 2a42b93..17b8d88 100644
>> --- a/utils/mount/nfs.man
>> +++ b/utils/mount/nfs.man
>> @@ -380,9 +380,10 @@ If a value of zero is specified, the
>> .BR mount (8)
>> command exits immediately after the first failure.
>> .TP 1.5i
>> -.BI sec= flavor
>> -The security flavor to use for accessing files on this mount point.
>> -If the server does not support this flavor, the mount operation fails.
>> +.BI sec= flavors
>> +A colon-delimited list of security flavors to use for accessing files on
>> +this mount point. If the server does not support any of these flavors,
>> +the mount operation fails.
> 
> Just a nit:  The new text kind of suggests that the colons are required.  "sec=single flavor" is also still supported.  Typically man page language is careful to show both.

Good point.

Should there be separate sections or should we do something like:

sec=flavor(s)

The  security flavor or flavors to use for accessing files on this
mount point.  Multiple security flavors may be specified as a
colon-delimited list. If the server does not support any of these flavors 
the mount operation fails.

...

-dros

> 
> 
>> If
>> .B sec=
>> is not specified, the client attempts to find
>> -- 
>> 1.8.3.1 (Apple Git-46)
>> 
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> -- 
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com

Weston Andros Adamson Oct. 29, 2013, 4:54 p.m. UTC | #5
On Oct 29, 2013, at 12:36 PM, Myklebust, Trond <Trond.Myklebust@netapp.com> wrote:

>> -----Original Message-----
>> From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
>> owner@vger.kernel.org] On Behalf Of Chuck Lever
>> Sent: Tuesday, October 29, 2013 12:30 PM
>> To: Weston Andros Adamson
>> Cc: steved@redhat.com; linux-nfs@vger.kernel.org
>> Subject: Re: [PATCH] nfs.man: add description of multiple sec= options
>> 
>> 
>> On Oct 29, 2013, at 12:27 PM, Weston Andros Adamson <dros@netapp.com>
>> wrote:
>> 
>>> The client now supports multiple sec= options as a colon delimited list.
>>> 
>>> Signed-off-by: Weston Andros Adamson <dros@netapp.com>
>>> ---
>>> utils/mount/nfs.man | 7 ++++---
>>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>> 
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index
>>> 2a42b93..17b8d88 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -380,9 +380,10 @@ If a value of zero is specified, the .BR mount
>>> (8) command exits immediately after the first failure.
>>> .TP 1.5i
>>> -.BI sec= flavor
>>> -The security flavor to use for accessing files on this mount point.
>>> -If the server does not support this flavor, the mount operation fails.
>>> +.BI sec= flavors
>>> +A colon-delimited list of security flavors to use for accessing files
>>> +on this mount point. If the server does not support any of these
>>> +flavors, the mount operation fails.
>> 
>> Just a nit:  The new text kind of suggests that the colons are required.
>> "sec=single flavor" is also still supported.  Typically man page language is
>> careful to show both.
> 
> How about "colon-separated list of one or more security flavours"? That's less ambiguous than "colon-delimited"…


OK, but fwiw I aped that from the exports manpage:

       sec=   The  sec= option, followed by a colon-delimited list of security
              flavors, restricts the export to clients  using  those  flavors.
              Available  security flavors include sys (the default--no crypto?
…

So it:
 1) isn’t clear that one flavor is an option.
 2) says “colon-delimited”

Should we clean this up too?

-dros
Chuck Lever III Oct. 29, 2013, 5 p.m. UTC | #6
On Oct 29, 2013, at 12:40 PM, Weston Andros Adamson <dros@netapp.com> wrote:

> 
> On Oct 29, 2013, at 12:30 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
> 
>> 
>> On Oct 29, 2013, at 12:27 PM, Weston Andros Adamson <dros@netapp.com> wrote:
>> 
>>> The client now supports multiple sec= options as a colon delimited list.
>>> 
>>> Signed-off-by: Weston Andros Adamson <dros@netapp.com>
>>> ---
>>> utils/mount/nfs.man | 7 ++++---
>>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>> 
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>>> index 2a42b93..17b8d88 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -380,9 +380,10 @@ If a value of zero is specified, the
>>> .BR mount (8)
>>> command exits immediately after the first failure.
>>> .TP 1.5i
>>> -.BI sec= flavor
>>> -The security flavor to use for accessing files on this mount point.
>>> -If the server does not support this flavor, the mount operation fails.
>>> +.BI sec= flavors
>>> +A colon-delimited list of security flavors to use for accessing files on
>>> +this mount point. If the server does not support any of these flavors,
>>> +the mount operation fails.
>> 
>> Just a nit:  The new text kind of suggests that the colons are required.  "sec=single flavor" is also still supported.  Typically man page language is careful to show both.
> 
> Good point.
> 
> Should there be separate sections or should we do something like:
> 
> sec=flavor(s)
> 
> The  security flavor or flavors to use for accessing files on this
> mount point.  Multiple security flavors may be specified as a
> colon-delimited list. If the server does not support any of these flavors 
> the mount operation fails.

The current text is:

       sec=flavor     The security flavor to use for accessing files  on  this  mount
                      point.   If  the server does not support this flavor, the mount
                      operation fails.  If sec= is not specified, the client attempts
                      to  find  a security flavor that both the client and the server
                      supports.  Valid flavors are none, sys, krb5, krb5i, and krb5p.
                      Refer to the SECURITY CONSIDERATIONS section for details.

You might consider:

> sec=flavorlist
> 
> The security flavor or flavors to use when accessing files on this mount point.  Multiple flavors are specified as a colon-delimited list.  If sec= is not specified, the mount's security flavor list contains all security flavors the client supports.
> 
> The client chooses the strongest flavor on this list that is supported by the export's security policy.  If the server does not support any of these flavors, the mount operation fails.
> 
> Valid flavors are ....


I think my description of the negotiation strategy could be made more accurate, and you should mention how (whether?) flavor list ordering works.  Do you feel this is too much for a single section?  Some detail can be moved to SECURITY CONSIDERATIONS.
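
An added example, not part of this thread or of nfs-utils: a small auditor for the sec= option as discussed above. It accepts a single flavor or a colon-separated list, validates it against the flavors the current man page text names, and reports the weakest flavor a mount could end up with, a result that holds whatever order the client tries the list in. The strength ranking, the handling of a missing sec=, and the server flavor set are assumptions of the example.

```python
# Added example: audit the sec= mount option discussed in this thread.
# Flavors named in the man page text quoted above, ordered weakest first.
# The ordering (by protection offered) is this example's assumption.
VALID_FLAVORS = ("none", "sys", "krb5", "krb5i", "krb5p")

def parse_sec(options):
    """Return the sec= flavor list from a mount option string, or None.

    One flavor without a colon is valid. Raises ValueError for an empty
    or unknown flavor, and for a repeated sec= (this auditor's choice,
    not a statement about what mount(8) does).
    """
    opts = [o.strip() for o in options.split(",")]
    values = [o[len("sec="):] for o in opts if o.startswith("sec=")]
    if not values:
        return None
    if len(values) > 1:
        raise ValueError("sec= given more than once")
    flavors = values[0].split(":")
    bad = [f for f in flavors if f not in VALID_FLAVORS]
    if bad:
        raise ValueError(f"invalid flavor(s) in sec=: {bad}")
    return flavors

def worst_case(flavors, server_flavors):
    """Weakest flavor both sides accept, or None if the mount would fail.

    Independent of the order in which the client tries the list.
    """
    usable = [f for f in flavors if f in server_flavors]
    return min(usable, key=VALID_FLAVORS.index) if usable else None

def audit(options, server_flavors, minimum="krb5"):
    """Return (flavors, worst, status); status is ok, weak or fails."""
    flavors = parse_sec(options)
    if flavors is None:
        # Assumption: with no sec=, no flavor is ruled out by the client.
        flavors = list(VALID_FLAVORS)
    worst = worst_case(flavors, server_flavors)
    if worst is None:
        return flavors, None, "fails"
    strong = VALID_FLAVORS.index(worst) >= VALID_FLAVORS.index(minimum)
    return flavors, worst, "ok" if strong else "weak"

if __name__ == "__main__":
    server = {"sys", "krb5", "krb5p"}  # constructed export policy
    for opts in ("rw,sec=krb5p", "rw,sec=krb5p:sys", "rw,hard", "ro,sec=krb5i"):
        print(f"{opts:18} -> {audit(opts, server)}")
```
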

Patch

diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
index 2a42b93..17b8d88 100644
--- a/utils/mount/nfs.man
+++ b/utils/mount/nfs.man
@@ -380,9 +380,10 @@  If a value of zero is specified, the
 .BR mount (8)
 command exits immediately after the first failure.
 .TP 1.5i
-.BI sec= flavor
-The security flavor to use for accessing files on this mount point.
-If the server does not support this flavor, the mount operation fails.
+.BI sec= flavors
+A colon-delimited list of security flavors to use for accessing files on
+this mount point. If the server does not support any of these flavors,
+the mount operation fails.
 If
 .B sec=
 is not specified, the client attempts to find
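
Review bot: the new description under ".BI sec= flavors" says the mount fails when the server supports none of the listed flavors, but it does not say which flavor is used when the server supports more than one of them, or whether the order of the list expresses a preference. For a list such as krb5p:sys an administrator needs to know whether the weaker flavor can be selected while the stronger one is available, so a sentence on how the client picks from the list belongs here. The first added sentence could also read "one or more security flavors", so that a single flavor without a colon still reads as valid.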