From: Trond Myklebust <trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org>
To: "jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"kolga-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org"
<kolga-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>
Cc: "dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"neilb-IBi9RG/b67k@public.gmane.org"
<neilb-IBi9RG/b67k@public.gmane.org>,
"linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [RFC 1/1] destroy_creds.2: new page documenting destroy_creds()
Date: Fri, 11 Aug 2017 15:12:13 +0000 [thread overview]
Message-ID: <1502464329.5352.1.camel@primarydata.com> (raw)
In-Reply-To: <1502461341.4762.1.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Fri, 2017-08-11 at 10:22 -0400, Jeff Layton wrote:
> I think I wasn't clear here. I'm not proposing that you move everyone
> to
> KEYRING: credcaches. This would not be a visible change to userland.
> We'd still use rpc.gssd to upcall for creds.
>
> What I'm saying is that instead of storing the creds in a hashtable
> like
> we do today, we'd just stash them in one of the keyrings hanging off
> of
> struct cred.
>
> Change all of the authgss_ops operations to do query/store from the
> appropriate keyring directly. With that, the effective lifetime of
> GSSAPI creds would be bounded by the lifetime of the keyrings that
> hold
> references to it.
>
> We'd probably need a new key_type for this to ensure that this
> couldn't
> be manipulated directly from userland. Or...maybe you'd still want to
> allow userland to destroy the creds? No need for a new syscall with
> that
> -- they can just do a "keyctl unlink". There are a lot of options
> here.
>
> It's a non-trivial amount of work though (rpcauth_lookupcred() on
> down
> would probably need to be reworked) and I haven't looked at it
> detail.
> Still, it seems like it could be a more modern and cleaner design
> than
> what we have today.
>
The main annoyance with going from a global to a local cache such as
the keyrings is that it makes comparing credentials a lot more work.
Today, because the credentials are essentially unique per server, we
just do pointer comparisons. Once we have non-global caches, we would
need to do more elaborate comparisons to ensure that the uid, gid, and
list of groups match.
That's also why we never made the leap to using 'struct cred', btw...
--
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com
WARNING: multiple messages have this Message-ID (diff)
From: Trond Myklebust <trondmy@primarydata.com>
To: "jlayton@redhat.com" <jlayton@redhat.com>,
"kolga@netapp.com" <kolga@netapp.com>
Cc: "dhowells@redhat.com" <dhowells@redhat.com>,
"neilb@suse.com" <neilb@suse.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [RFC 1/1] destroy_creds.2: new page documenting destroy_creds()
Date: Fri, 11 Aug 2017 15:12:13 +0000 [thread overview]
Message-ID: <1502464329.5352.1.camel@primarydata.com> (raw)
In-Reply-To: <1502461341.4762.1.camel@redhat.com>
T24gRnJpLCAyMDE3LTA4LTExIGF0IDEwOjIyIC0wNDAwLCBKZWZmIExheXRvbiB3cm90ZToNCj4g
SSB0aGluayBJIHdhc24ndCBjbGVhciBoZXJlLiBJJ20gbm90IHByb3Bvc2luZyB0aGF0IHlvdSBt
b3ZlIGV2ZXJ5b25lDQo+IHRvDQo+IEtFWVJJTkc6IGNyZWRjYWNoZXMuIFRoaXMgd291bGQgbm90
IGJlIGEgdmlzaWJsZSBjaGFuZ2UgdG8gdXNlcmxhbmQuDQo+IFdlJ2Qgc3RpbGwgdXNlIHJwYy5n
c3NkIHRvIHVwY2FsbCBmb3IgY3JlZHMuDQo+IA0KPiBXaGF0IEknbSBzYXlpbmcgaXMgdGhhdCBp
bnN0ZWFkIG9mIHN0b3JpbmcgdGhlIGNyZWRzIGluIGEgaGFzaHRhYmxlDQo+IGxpa2UNCj4gd2Ug
ZG8gdG9kYXksIHdlJ2QganVzdCBzdGFzaCB0aGVtIGluIG9uZSBvZiB0aGUga2V5cmluZ3MgaGFu
Z2luZyBvZmYNCj4gb2YNCj4gc3RydWN0IGNyZWQuDQo+IA0KPiBDaGFuZ2UgYWxsIG9mIHRoZSBh
dXRoZ3NzX29wcyBvcGVyYXRpb25zIHRvIGRvIHF1ZXJ5L3N0b3JlIGZyb20gdGhlDQo+IGFwcHJv
cHJpYXRlIGtleXJpbmcgZGlyZWN0bHkuIFdpdGggdGhhdCwgdGhlIGVmZmVjdGl2ZSBsaWZldGlt
ZSBvZg0KPiBHU1NBUEkgY3JlZHMgd291bGQgYmUgYm91bmRlZCBieSB0aGUgbGlmZXRpbWUgb2Yg
dGhlIGtleXJpbmdzIHRoYXQNCj4gaG9sZA0KPiByZWZlcmVuY2VzIHRvIGl0Lg0KPiANCj4gV2Un
ZCBwcm9iYWJseSBuZWVkIGEgbmV3IGtleV90eXBlIGZvciB0aGlzIHRvIGVuc3VyZSB0aGF0IHRo
aXMNCj4gY291bGRuJ3QNCj4gYmUgbWFuaXB1bGF0ZWQgZGlyZWN0bHkgZnJvbSB1c2VybGFuZC4g
T3IuLi5tYXliZSB5b3UnZCBzdGlsbCB3YW50IHRvDQo+IGFsbG93IHVzZXJsYW5kIHRvIGRlc3Ry
b3kgdGhlIGNyZWRzPyBObyBuZWVkIGZvciBhIG5ldyBzeXNjYWxsIHdpdGgNCj4gdGhhdA0KPiAt
LSB0aGV5IGNhbiBqdXN0IGRvIGEgImtleWN0bCB1bmxpbmsiLiBUaGVyZSBhcmUgYSBsb3Qgb2Yg
b3B0aW9ucw0KPiBoZXJlLg0KPiANCj4gSXQncyBhIG5vbi10cml2aWFsIGFtb3VudCBvZiB3b3Jr
IHRob3VnaCAocnBjYXV0aF9sb29rdXBjcmVkKCkgb24NCj4gZG93bg0KPiB3b3VsZCBwcm9iYWJs
eSBuZWVkIHRvIGJlIHJld29ya2VkKSBhbmQgSSBoYXZlbid0IGxvb2tlZCBhdCBpdA0KPiBkZXRh
aWwuDQo+IFN0aWxsLCBpdCBzZWVtcyBsaWtlIGl0IGNvdWxkIGJlIGEgbW9yZSBtb2Rlcm4gYW5k
IGNsZWFuZXIgZGVzaWduDQo+IHRoYW4NCj4gd2hhdCB3ZSBoYXZlIHRvZGF5Lg0KPiANCg0KVGhl
IG1haW4gYW5ub3lhbmNlIHdpdGggZ29pbmcgZnJvbSBhIGdsb2JhbCB0byBhIGxvY2FsIGNhY2hl
IHN1Y2ggYXMNCnRoZSBrZXlyaW5ncyBpcyB0aGF0IGl0IG1ha2VzIGNvbXBhcmluZyBjcmVkZW50
aWFscyBhIGxvdCBtb3JlIHdvcmsuDQpUb2RheSwgYmVjYXVzZSB0aGUgY3JlZGVudGlhbHMgYXJl
IGVzc2VudGlhbGx5IHVuaXF1ZSBwZXIgc2VydmVyLCB3ZQ0KanVzdCBkbyBwb2ludGVyIGNvbXBh
cmlzb25zLiBPbmNlIHdlIGhhdmUgbm9uLWdsb2JhbCBjYWNoZXMsIHdlIHdvdWxkDQpuZWVkIHRv
IGRvIG1vcmUgZWxhYm9yYXRlIGNvbXBhcmlzb25zIHRvIGVuc3VyZSB0aGF0IHRoZSB1aWQsIGdp
ZCwgYW5kDQpsaXN0IG9mIGdyb3VwcyBtYXRjaC4NClRoYXQncyBhbHNvIHdoeSB3ZSBuZXZlciBt
YWRlIHRoZSBsZWFwIHRvIHVzaW5nICdzdHJ1Y3QgY3JlZCcsIGJ0dy4uLg0KDQotLSANClRyb25k
IE15a2xlYnVzdA0KTGludXggTkZTIGNsaWVudCBtYWludGFpbmVyLCBQcmltYXJ5RGF0YQ0KdHJv
bmQubXlrbGVidXN0QHByaW1hcnlkYXRhLmNvbQ0K
WARNING: multiple messages have this Message-ID (diff)
From: Trond Myklebust <trondmy@primarydata.com>
To: "jlayton@redhat.com" <jlayton@redhat.com>,
"kolga@netapp.com" <kolga@netapp.com>
Cc: "dhowells@redhat.com" <dhowells@redhat.com>,
"neilb@suse.com" <neilb@suse.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [RFC 1/1] destroy_creds.2: new page documenting destroy_creds()
Date: Fri, 11 Aug 2017 15:12:13 +0000 [thread overview]
Message-ID: <1502464329.5352.1.camel@primarydata.com> (raw)
In-Reply-To: <1502461341.4762.1.camel@redhat.com>
On Fri, 2017-08-11 at 10:22 -0400, Jeff Layton wrote:
> I think I wasn't clear here. I'm not proposing that you move everyone
> to
> KEYRING: credcaches. This would not be a visible change to userland.
> We'd still use rpc.gssd to upcall for creds.
>
> What I'm saying is that instead of storing the creds in a hashtable
> like
> we do today, we'd just stash them in one of the keyrings hanging off
> of
> struct cred.
>
> Change all of the authgss_ops operations to do query/store from the
> appropriate keyring directly. With that, the effective lifetime of
> GSSAPI creds would be bounded by the lifetime of the keyrings that
> hold
> references to it.
>
> We'd probably need a new key_type for this to ensure that this
> couldn't
> be manipulated directly from userland. Or...maybe you'd still want to
> allow userland to destroy the creds? No need for a new syscall with
> that
> -- they can just do a "keyctl unlink". There are a lot of options
> here.
>
> It's a non-trivial amount of work though (rpcauth_lookupcred() on
> down
> would probably need to be reworked) and I haven't looked at it
> detail.
> Still, it seems like it could be a more modern and cleaner design
> than
> what we have today.
>
The main annoyance with going from a global to a local cache such as
the keyrings is that it makes comparing credentials a lot more work.
Today, because the credentials are essentially unique per server, we
just do pointer comparisons. Once we have non-global caches, we would
need to do more elaborate comparisons to ensure that the uid, gid, and
list of groups match.
That's also why we never made the leap to using 'struct cred', btw...
--
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com
next prev parent reply other threads:[~2017-08-11 15:12 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-07 21:23 [RFC v3 0/3] VFS/NFS support to destroy FS credentials Olga Kornievskaia
2017-08-07 21:23 ` Olga Kornievskaia
2017-08-07 21:23 ` [RFC v3 1/3] VFS adding destroy_creds call Olga Kornievskaia
2017-08-07 21:23 ` Olga Kornievskaia
2017-08-07 21:23 ` [RFC 1/1] destroy_creds.2: new page documenting destroy_creds() Olga Kornievskaia
2017-08-07 21:23 ` Olga Kornievskaia
2017-08-09 12:30 ` Jeff Layton
[not found] ` <1502281848.12841.2.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-08-09 15:45 ` Olga Kornievskaia
2017-08-09 15:45 ` Olga Kornievskaia
2017-08-11 7:17 ` NeilBrown
2017-08-11 7:17 ` NeilBrown
[not found] ` <87378yr2sx.fsf-wvvUuzkyo1HefUI2i7LXDhCRmIWqnp/j@public.gmane.org>
2017-08-11 11:18 ` Jeff Layton
2017-08-11 11:18 ` Jeff Layton
[not found] ` <1502450305.4950.4.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-08-11 14:05 ` Olga Kornievskaia
2017-08-11 14:05 ` Olga Kornievskaia
2017-08-11 14:05 ` Olga Kornievskaia
[not found] ` <E127503D-3DFC-4FD3-99F6-012D100C168B@netapp.com>
[not found] ` <E127503D-3DFC-4FD3-99F6-012D100C168B-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>
2017-08-11 14:22 ` Jeff Layton
2017-08-11 14:22 ` Jeff Layton
[not found] ` <1502461341.4762.1.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-08-11 15:12 ` Trond Myklebust [this message]
2017-08-11 15:12 ` Trond Myklebust
2017-08-11 15:12 ` Trond Myklebust
[not found] ` <1502464329.5352.1.camel-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org>
2017-08-13 11:38 ` Jeff Layton
2017-08-13 11:38 ` Jeff Layton
[not found] ` <1502624339.4839.4.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-08-14 15:43 ` Olga Kornievskaia
2017-08-14 15:43 ` Olga Kornievskaia
2017-08-14 15:43 ` Olga Kornievskaia
[not found] ` <CB7D102A-5711-4661-928F-3689895A1A5A@netapp.com>
[not found] ` <CB7D102A-5711-4661-928F-3689895A1A5A-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>
2017-08-14 15:59 ` Jeff Layton
2017-08-14 15:59 ` Jeff Layton
2017-08-11 13:37 ` Olga Kornievskaia
2017-08-11 13:37 ` Olga Kornievskaia
2017-08-11 13:37 ` Olga Kornievskaia
2017-08-11 14:09 ` Olga Kornievskaia
2017-08-11 14:09 ` Olga Kornievskaia
2017-08-11 14:09 ` Olga Kornievskaia
[not found] ` <20170807212355.29127-3-kolga-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>
2017-08-09 16:08 ` Andy Lutomirski
2017-08-09 16:08 ` Andy Lutomirski
2017-08-09 16:44 ` Olga Kornievskaia
[not found] ` <20170807212355.29127-1-kolga-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>
2017-08-07 21:23 ` [RFC v3 2/3] SUNRPC mark user credentials destroyed Olga Kornievskaia
2017-08-07 21:23 ` Olga Kornievskaia
2017-08-07 21:23 ` [RFC v3 3/3] NFS define vfs destroy_creds functions Olga Kornievskaia
2017-08-07 21:23 ` Olga Kornievskaia
2017-08-09 12:55 ` [RFC v3 0/3] VFS/NFS support to destroy FS credentials David Howells
2017-08-09 12:55 ` David Howells
2017-08-10 16:52 ` Olga Kornievskaia
[not found] ` <CAN-5tyE11DaCCXdn3y+Q4V+Lyt_UgtzU+JBhwP68gxQc5_v6pQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-08-11 6:53 ` NeilBrown
2017-08-11 6:53 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1502464329.5352.1.camel@primarydata.com \
--to=trondmy-7i+n7zu2hftekmmhf/gkza@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=kolga-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=neilb-IBi9RG/b67k@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.