public inbox for linux-fsdevel@vger.kernel.org
From: "Douglas E. Engert" <deengert@anl.gov>
To: "Neulinger, Nathan" <nneul@umr.edu>
Cc: David Howells <dhowells@warthog.cambridge.redhat.com>,
	Jan Harkes <jaharkes@cs.cmu.edu>,
	David Howells <dhowells@cambridge.redhat.com>,
	Linus Torvalds <torvalds@transmeta.com>,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	openafs-devel@openafs.org
Subject: Re: Re: [PATCH] in-core AFS multiplexor and PAG support
Date: Tue, 13 May 2003 14:19:20 -0500
Message-ID: <3EC14538.B8692D5C@anl.gov>
In-Reply-To: B578DAA4FD40684793C953B491D4879174D3BA@umr-mail7.umr.edu
"Neulinger, Nathan" wrote:
> 
> > > >  (2) gettok(const char *fs, const char *key, size_t size,
> > > >             void *buffer)
> > > >
> > > >      Get a copy of an authentication token.
> > >
> > > Not sure what the use of this is for userspace. I can see how your
> > > kernel module would use it.
> >
> > OpenAFS has it, but I'm not sure what uses it.
> 
> Any afs user space tool that needs to talk to file servers - such as all
> the administration utilities - vos, bos, pts, etc. Eventually they could
> use kerberos cred caches directly, but not until they are converted to
> kerberos. Right now, they fetch the current auth data from the kernel
> and use it to authenticate to whatever non-kernel service they are
> talking to.

If the PAG was implemented well, then even the Kerberos credentials
could be contained within the PAG, or accessible only by other processes
in the same PAG.

One way to think of the PAG is as a way of getting around the limited
capabilities of UNIX, which has only a UID that is only locally unique.
The PAG identifies the user globally, and stores credentials to use
to prove it to other systems or file systems.

Linus said in two previous notes:

> I think we should make the current "tsk->user" thing _be_ the "PAG".  

and:
> A "user" is by definition what the unix filesystem considers to be the
> "atom of security".

This may well be true, but current UNIX file systems continue to use the
simple UID and GID for access. Maybe there is something that can be done
here as well.


-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
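The PAG-scoped credential model described in the messages above, as an added illustration that is not code from this thread, from OpenAFS or from the patch under discussion: a small Python model in which tokens are keyed by PAG rather than by UID, a child inherits its parent's PAG across fork, and a gettok-style call copies the token into a caller-supplied buffer of a given size. The class and method names, the PAG id space and the sample token are assumptions made for this example; the real AFS setpag/gettok are kernel calls with different signatures.

```python
"""Toy model of a PAG (Process Authentication Group) credential store.

Added illustration, not code from this thread or from OpenAFS: it models the
semantics the discussion describes (tokens scoped to a PAG rather than to a
UID, inherited across fork, and fetched with a gettok-style call) in plain
Python so the access rule can be exercised without a kernel.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    pid: int
    uid: int
    pag: Optional[int] = None  # None: process is not in any PAG


class PagStore:
    """Kernel-side token table keyed by PAG id (hypothetical in-memory model)."""

    def __init__(self) -> None:
        self._next_pag = 1          # constructed id space; real PAG ids differ
        self._tokens: dict[int, dict[str, bytes]] = {}

    def setpag(self, proc: Process) -> int:
        """Put the caller into a fresh, empty PAG (like AFS setpag())."""
        pag = self._next_pag
        self._next_pag += 1
        self._tokens[pag] = {}
        proc.pag = pag
        return pag

    def fork(self, parent: Process, child_pid: int) -> Process:
        """A child inherits the parent's PAG, so a login session shares its tokens."""
        return Process(pid=child_pid, uid=parent.uid, pag=parent.pag)

    def settok(self, proc: Process, fs: str, token: bytes) -> None:
        """Store a token for file system `fs` in the caller's PAG."""
        if proc.pag is None:
            raise PermissionError(f"pid {proc.pid} is not in a PAG")
        self._tokens[proc.pag][fs] = token

    def gettok(self, proc: Process, fs: str, size: int) -> bytes:
        """Copy the caller's token for `fs` into a buffer of `size` bytes.

        Access is decided by PAG membership, never by UID: a process with the
        same UID but a different (or no) PAG gets PermissionError.
        """
        if proc.pag is None or fs not in self._tokens.get(proc.pag, {}):
            raise PermissionError(f"pid {proc.pid}: no token for {fs!r} in PAG {proc.pag}")
        token = self._tokens[proc.pag][fs]
        if len(token) > size:
            raise ValueError(f"buffer of {size} bytes too small for {len(token)}-byte token")
        return token


def demo() -> dict:
    """Two shells with the same UID; only one ran setpag() and obtained a token."""
    store = PagStore()
    login_shell = Process(pid=100, uid=1000)
    other_shell = Process(pid=200, uid=1000)  # same UID, separate session
    store.setpag(login_shell)
    store.settok(login_shell, "afs", b"constructed-token-bytes")  # constructed sample token

    child = store.fork(login_shell, child_pid=101)  # e.g. an admin tool run from that shell
    results = {"child": store.gettok(child, "afs", 64)}
    try:
        store.gettok(other_shell, "afs", 64)
        results["other"] = "allowed"
    except PermissionError:
        results["other"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the thread circles around: UID alone cannot distinguish the two shells, so a UID-keyed token table would hand the credential to any process of that user, whereas a PAG-keyed table confines it to the session that obtained it and the processes forked from it.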
