From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Steve Dickson <SteveD@redhat.com>,
Jeff Layton <jlayton@redhat.com>,
Trond Myklebust <Trond.Myklebust@netapp.com>,
Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter
Date: Fri, 8 Nov 2013 15:14:46 -0500 [thread overview]
Message-ID: <20131108201446.GG3533@fieldses.org> (raw)
In-Reply-To: <38DC086C-0EB7-42C3-9DCA-858A3225AAD0@oracle.com>
On Fri, Nov 08, 2013 at 10:09:18AM -0800, Chuck Lever wrote:
> I let this pass earlier, but...
>
> The krb5i setting is _ONLY_ for lease management, not for data access. Traversing the pseudo-fs counts as data access. Our client is supposed to use the security flavor specified on the mount command line for the pseudo-fs. (That's why the pseudo-fs security policy is the union of all the real exports on the server, right?)
>
> If no flavor is specified by the client administrator, we have SECINFO_NONAME for negotiating the pseudo-fs security flavor in NFSv4.1, and some roughly equivalent heuristics for this in NFSv4.0, which doesn't have the SECINFO_NONAME operation. Since 3.11, I believe, our client should be using these mechanisms instead of just plowing ahead with AUTH_SYS.
That makes sense.
(By the way: if a mount is done with krb5*, are we guaranteed the entire
export path is looked up with security at least as strong, or is it
possible we trust cached lookups possibly originally obtained with
weaker security?)
--b.
next prev parent reply other threads:[~2013-11-08 20:14 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-07 19:09 [PATCH] Adding the nfs4_use_min_auth module parameter Steve Dickson
2013-11-07 19:25 ` Chuck Lever
2013-11-07 21:01 ` Jeff Layton
2013-11-07 21:40 ` Steve Dickson
2013-11-07 22:04 ` Jeff Layton
2013-11-07 21:35 ` Steve Dickson
2013-11-07 23:05 ` Chuck Lever
2013-11-08 12:41 ` Steve Dickson
2013-11-08 13:22 ` Jeff Layton
2013-11-08 15:00 ` Steve Dickson
2013-11-08 15:12 ` Jeff Layton
2013-11-08 16:10 ` Steve Dickson
2013-11-08 16:17 ` J. Bruce Fields
2013-11-08 16:19 ` Steve Dickson
2013-11-08 16:22 ` J. Bruce Fields
2013-11-08 16:28 ` Steve Dickson
2013-11-08 16:39 ` J. Bruce Fields
2013-11-08 16:45 ` Steve Dickson
2013-11-08 18:12 ` Chuck Lever
2013-11-08 18:09 ` Chuck Lever
2013-11-08 20:14 ` J. Bruce Fields [this message]
2013-11-08 20:32 ` Steve Dickson
2013-11-09 2:04 ` NeilBrown
2013-11-08 16:27 ` Weston Andros Adamson
2013-11-08 16:38 ` Steve Dickson
2013-11-08 15:04 ` J. Bruce Fields
2013-11-08 15:54 ` Chuck Lever
2013-11-08 16:14 ` J. Bruce Fields
2013-11-08 17:58 ` Chuck Lever
2013-11-08 18:46 ` Chuck Lever
2013-11-08 21:09 ` J. Bruce Fields
2013-11-08 16:17 ` Steve Dickson
2013-11-08 15:46 ` Chuck Lever
2013-11-08 21:25 ` Steve Dickson
2013-11-07 19:26 ` Myklebust, Trond
2013-11-07 21:25 ` Steve Dickson
2013-11-07 21:39 ` Myklebust, Trond
2013-11-07 21:57 ` Steve Dickson
2013-11-07 22:29 ` Myklebust, Trond
2013-11-08 12:21 ` Steve Dickson
2013-11-08 14:30 ` Myklebust, Trond
2013-11-08 15:08 ` Steve Dickson
2013-11-08 15:16 ` Myklebust, Trond
2013-11-08 16:31 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131108201446.GG3533@fieldses.org \
--to=bfields@fieldses.org \
--cc=SteveD@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=chuck.lever@oracle.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.