Re: [Lsf-pc] Authentication Contexts for network file systems and Containers was Re: [LSF/MM ATTEND] FS jitter testing, network caching, Lustre, cluster filesystems.

From: Trond Myklebust <trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org>
To: "jaltman-hRzEac23uH1Wk0Htik3J/w@public.gmane.org"
	<jaltman-hRzEac23uH1Wk0Htik3J/w@public.gmane.org>,
	"James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org"
	<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
Cc: "linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org"
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	"lsf-pc-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org"
	<lsf-pc-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: [Lsf-pc] Authentication Contexts for network file systems and Containers was Re: [LSF/MM ATTEND] FS jitter testing, network caching, Lustre, cluster filesystems.
Date: Tue, 17 Jan 2017 16:34:15 +0000	[thread overview]
Message-ID: <1484670853.4725.1.camel@primarydata.com> (raw)
In-Reply-To: <7ba053a6-90af-ffc6-e8cd-9bfe0be41a18-hRzEac23uH1Wk0Htik3J/w@public.gmane.org>

On Tue, 2017-01-17 at 11:29 -0500, Jeffrey Altman wrote:
> 	Error verifying signature: parse error
> On 1/16/2017 4:03 PM, James Bottomley wrote:
> > [...]
> > 
> > OK, so snipping all the details: it's a per process property and
> > inherited, I don't even see that it needs anything container
> > specific. 
> > The pid namespace should be sufficient to keep any potential
> > security
> > leaks contained and the inheritance model should just work with
> > containers.
> 
> Agreed.
> 
> > > While a file system can internally create an association between
> > > an
> > > authentication content with a file descriptor once it is created
> > > and
> > > with pages for write-back, I believe there would be benefit from
> > > a 
> > > more generic method of tracking authentication contexts in file
> > > descriptors and pages.  In particular would be better defined 
> > > behavior when a file has been opened for "write" from processes 
> > > associated with more than one authentication context.
> > 
> > As long as an "authentication" becomes a property of a file
> > descriptor
> > (like a token), then I don't see any container problems: fds are
> > namespace blind, so they can be passed between containers and your
> > authorizations would go with them.  If you need to go back to a
> > process
> > as part of the authorization, then there would be problems because
> > processes are namespaced.
> > 
> > > For example, the problems that AFS is currently experiencing with
> > > systemd. A good description of problem by Jonathan Billings can
> > > be
> > > found at
> > > 
> > > 
> > > https://docs.google.com/document/d/1P27fP1uj-C8QdxDKMKtI-Qh00c5_9
> > > zJa4
> > > YHjn=pB6ODM/pub
> > 
> > This is giving me "Sorry, the file you have requested does not
> > exist."
> 
> Not sure how an extra '=' got in there.
> 
> https://docs.google.com/document/d/1P27fP1uj-C8QdxDKMKtI-Qh00c5_9zJa4
> YHjnpB6ODM/pub
> 
> Jeffrey Altman
> 

There is the usual problem when you have to do an upcall in order to
set up the authentication context for session based protocols, such as
RPCSEC_GSS.

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers