From mboxrd@z Thu Jan 1 00:00:00 1970
From: Trond Myklebust
Subject: Re: [OpenAFS-devel] Re: [PATCH] PAG support, try #2
Date: 15 May 2003 03:34:25 +0200
Sender: linux-fsdevel-owner@vger.kernel.org
Message-ID:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Garance A Drosihn , Jan Harkes , David Howells , , ,
Return-path:
Received: from pat.uio.no ([129.240.130.16]:30698 "EHLO pat.uio.no")
	by vger.kernel.org with ESMTP id S263567AbTEOBVw (ORCPT );
	Wed, 14 May 2003 21:21:52 -0400
To: Linus Torvalds
In-Reply-To:
List-Id: linux-fsdevel.vger.kernel.org

>>>>> " " == Linus Torvalds writes:

     > I'm interested in a much more generic issue of "user
     > credentials", and here a PAG can be _one_ credential that a
     > user holds on to. But to be useful, a user has to be able to
     > have multiple such credentials. While one might be his "AFS
     > userid", another will be his NFS mount credentials, and a third
     > one will be his key to decrypt his home directory on that
     > machine.

The interesting thing about a PAG is that it is a handle that is
shared between userland and the kernel, and carries information about
which collection of authentication tokens/credentials a process holds.

RPCSEC can be made to use it to communicate which bag of creds the
userland daemon may use when it attempts to negotiate a new security
context for an NFS user. At the moment all we can tell is 'use the
credentials of uid=zyx' which is no good if the user wants 2
subprocesses to authenticate using different remote kerberos accounts,
say.

Cheers,
  Trond