nfsv4: support anonymous state IDs for read and write

kofemann · kofemann · commit c8d57f2af817 · 2025-07-16T12:48:29.000+02:00
Motivation: rfc7530#section-9.1.4.3 defiles so-called anonymous state IDs (other and seq all ones) that allow file access without OPEN call. Modification: Update OperationREAD and OperationWRITE to accept anonymous state IDs. File permissions are still checked. Enable corresponding pynfs tests. Result: better spec compliance. Fixes: #160 Acked-by: Marina Sahakyan Target: master
diff --git a/core/src/main/java/org/dcache/nfs/v4/OperationREAD.java b/core/src/main/java/org/dcache/nfs/v4/OperationREAD.java
@@ -23,6 +23,7 @@
 import java.nio.ByteBuffer;
 
 import org.dcache.nfs.nfsstat;
+import org.dcache.nfs.status.AccessException;
 import org.dcache.nfs.status.OpenModeException;
 import org.dcache.nfs.v4.xdr.READ4res;
 import org.dcache.nfs.v4.xdr.READ4resok;
@@ -47,24 +48,32 @@ public void process(CompoundContext context, nfs_resop4 result) throws IOExcepti
         final READ4res res = result.opread;
 
         stateid4 stateid = Stateids.getCurrentStateidIfNeeded(context, _args.opread.stateid);
-
-        NFS4Client client;
-        if (context.getMinorversion() == 0) {
-            /*
-             * The NFSv4.0 spec requires lease renewal on READ. See: https://tools.ietf.org/html/rfc7530#page-119
-             *
-             * With introduction of sessions in v4.1 update of the lease time done through SEQUENCE operations.
-             */
-            context.getStateHandler().updateClientLeaseTime(stateid);
-            client = context.getStateHandler().getClientIdByStateId(stateid);
+        var inode = context.currentInode();
+        if (Stateids.isStateLess(stateid)) {
+            // Anonymous access as per RFC 7530
+            // https://datatracker.ietf.org/doc/html/rfc7530#section-9.1.4.3
+            // we only check file access rights.
+            if (context.getFs().access(context.getSubject(), inode, nfs4_prot.ACCESS4_READ) == 0) {
+                throw new AccessException();
+            }
         } else {
-            client = context.getSession().getClient();
-        }
+            NFS4Client client;
+            if (context.getMinorversion() == 0) {
+                /*
+                 * The NFSv4.0 spec requires lease renewal on READ. See: https://tools.ietf.org/html/rfc7530#page-119
+                 *
+                 * With introduction of sessions in v4.1 update of the lease time done through SEQUENCE operations.
+                 */
+                context.getStateHandler().updateClientLeaseTime(stateid);
+                client = context.getStateHandler().getClientIdByStateId(stateid);
+            } else {
+                client = context.getSession().getClient();
+            }
 
-        var inode = context.currentInode();
-        int shareAccess = context.getStateHandler().getFileTracker().getShareAccess(client, inode, stateid);
-        if ((shareAccess & nfs4_prot.OPEN4_SHARE_ACCESS_READ) == 0) {
-            throw new OpenModeException("Invalid open mode");
+            int shareAccess = context.getStateHandler().getFileTracker().getShareAccess(client, inode, stateid);
+            if ((shareAccess & nfs4_prot.OPEN4_SHARE_ACCESS_READ) == 0) {
+                throw new OpenModeException("Invalid open mode");
+            }
         }
 
         long offset = _args.opread.offset.value;
diff --git a/core/src/main/java/org/dcache/nfs/v4/OperationWRITE.java b/core/src/main/java/org/dcache/nfs/v4/OperationWRITE.java
@@ -23,6 +23,7 @@
 
 import org.dcache.nfs.ChimeraNFSException;
 import org.dcache.nfs.nfsstat;
+import org.dcache.nfs.status.AccessException;
 import org.dcache.nfs.status.InvalException;
 import org.dcache.nfs.status.IsDirException;
 import org.dcache.nfs.status.NfsIoException;
@@ -66,24 +67,34 @@ public void process(CompoundContext context, nfs_resop4 result) throws ChimeraNF
             throw new InvalException("path is a symlink");
         }
 
-        NFS4Client client;
-        if (context.getMinorversion() == 0) {
-            /*
-             * The NFSv4.0 spec requires lease renewal on WRITE. See: https://tools.ietf.org/html/rfc7530#page-119
-             *
-             * With introduction of sessions in v4.1 update of the lease time done through SEQUENCE operations.
-             */
-            context.getStateHandler().updateClientLeaseTime(stateid);
-            client = context.getStateHandler().getClientIdByStateId(stateid);
-        } else {
-            client = context.getSession().getClient();
-        }
-
         var inode = context.currentInode();
+        if (Stateids.isStateLess(stateid)) {
+            // Anonymous access as per RFC 7530
+            // https://datatracker.ietf.org/doc/html/rfc7530#section-9.1.4.3
+            // we only check file access rights.
+            if (context.getFs().access(context.getSubject(), inode, nfs4_prot.ACCESS4_MODIFY) == 0) {
+                throw new AccessException();
+            }
+
+        } else {
 
-        int shareAccess = context.getStateHandler().getFileTracker().getShareAccess(client, inode, stateid);
-        if ((shareAccess & nfs4_prot.OPEN4_SHARE_ACCESS_WRITE) == 0) {
-            throw new OpenModeException("Invalid open mode");
+            NFS4Client client;
+            if (context.getMinorversion() == 0) {
+                /*
+                 * The NFSv4.0 spec requires lease renewal on WRITE. See: https://tools.ietf.org/html/rfc7530#page-119
+                 *
+                 * With introduction of sessions in v4.1 update of the lease time done through SEQUENCE operations.
+                 */
+                context.getStateHandler().updateClientLeaseTime(stateid);
+                client = context.getStateHandler().getClientIdByStateId(stateid);
+            } else {
+                client = context.getSession().getClient();
+            }
+
+            int shareAccess = context.getStateHandler().getFileTracker().getShareAccess(client, inode, stateid);
+            if ((shareAccess & nfs4_prot.OPEN4_SHARE_ACCESS_WRITE) == 0) {
+                throw new OpenModeException("Invalid open mode");
+            }
         }
 
         long offset = _args.opwrite.offset.value;
diff --git a/full-test.yml b/full-test.yml
@@ -32,10 +32,10 @@ services:
           noLKU9 noLKUNONE noLOCK12a noLOCK12b noLOCK13 noLOCKRNG noLOCKCHGU noLOCKCHGD noRLOWN3 \
           noOPCF1 noOPCF6 noOPDG2 noOPDG3 noOPDG6 noOPDG7 noOPEN15 noOPEN18 noOPEN2 noOPEN20 noOPEN22 \
           noOPEN23 noOPEN24 noOPEN26 noOPEN27 noOPEN28 noOPEN3 noOPEN30 noOPEN4 noRENEW3 noRD1 noRD10 \
-          noRD2 noRD3 noRD5 noRD5a noRD6 noRD7a noRD7b noRD7c noRD7d noRD7f noRD7s noRDDR12 noRDDR11 \
+          noRD3 noRD5 noRD5a noRD6 noRD7a noRD7b noRD7c noRD7d noRD7f noRD7s noRDDR12 noRDDR11 \
           noRPLY1 noRPLY10 noRPLY12 \
           noRPLY14 noRPLY2 noRPLY3 noRPLY5 noRPLY6 noRPLY7 noRPLY8 noRPLY9 \
-          noSEC7 noWRT1 noWRT11 noWRT13 noWRT14 noWRT15 noWRT18 noWRT19 noWRT1b noWRT2 \
+          noSEC7 noWRT1 noWRT11 noWRT13 noWRT14 noWRT15 noWRT18 noWRT19 noWRT1b \
           noWRT3 noWRT6a noWRT6b noWRT6c noWRT6d noWRT6f noWRT6s noWRT8 noWRT9
         /run-nfs4.1.sh --noinit --minorversion=2 --xml=/report/xunit-report-v41.xml nfs4j:/data all nochar nosocket noblock nofifo deleg \
           noCOUR2 noCSESS25 noCSESS26 noCSESS27 noCSESS28 noCSESS29 noCSID9 noDELEG2 noDELEG8 noEID5f \
