From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Steve Dickson <SteveD@redhat.com>,
Jeff Layton <jlayton@redhat.com>,
Trond Myklebust <Trond.Myklebust@netapp.com>,
Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter
Date: Fri, 8 Nov 2013 15:14:46 -0500 [thread overview]
Message-ID: <20131108201446.GG3533@fieldses.org> (raw)
In-Reply-To: <38DC086C-0EB7-42C3-9DCA-858A3225AAD0@oracle.com>
On Fri, Nov 08, 2013 at 10:09:18AM -0800, Chuck Lever wrote:
> I let this pass earlier, but...
>
> The krb5i setting is _ONLY_ for lease management, not for data access. Traversing the pseudo-fs counts as data access. Our client is supposed to use the security flavor specified on the mount command line for the pseudo-fs. (That's why the pseudo-fs security policy is the union of all the real exports on the server, right?)
>
> If no flavor is specified by the client administrator, we have SECINFO_NONAME for negotiating the pseudo-fs security flavor in NFSv4.1, and some roughly equivalent heuristics for this in NFSv4.0, which doesn't have the SECINFO_NONAME operation. Since 3.11, I believe, our client should be using these mechanisms instead of just plowing ahead with AUTH_SYS.
That makes sense.
(By the way: if a mount is done with krb5*, are we guaranteed the entire
export path is looked up with security at least as strong, or is it
possible we trust cached lookups possibly originally obtained with
weaker security?)
--b.
next prev parent reply other threads:[~2013-11-08 20:14 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-07 19:09 [PATCH] Adding the nfs4_use_min_auth module parameter Steve Dickson
2013-11-07 19:25 ` Chuck Lever
2013-11-07 21:01 ` Jeff Layton
2013-11-07 21:40 ` Steve Dickson
2013-11-07 22:04 ` Jeff Layton
2013-11-07 21:35 ` Steve Dickson
2013-11-07 23:05 ` Chuck Lever
2013-11-08 12:41 ` Steve Dickson
2013-11-08 13:22 ` Jeff Layton
2013-11-08 15:00 ` Steve Dickson
2013-11-08 15:12 ` Jeff Layton
2013-11-08 16:10 ` Steve Dickson
2013-11-08 16:17 ` J. Bruce Fields
2013-11-08 16:19 ` Steve Dickson
2013-11-08 16:22 ` J. Bruce Fields
2013-11-08 16:28 ` Steve Dickson
2013-11-08 16:39 ` J. Bruce Fields
2013-11-08 16:45 ` Steve Dickson
2013-11-08 18:12 ` Chuck Lever
2013-11-08 18:09 ` Chuck Lever
2013-11-08 20:14 ` J. Bruce Fields [this message]
2013-11-08 20:32 ` Steve Dickson
2013-11-09 2:04 ` NeilBrown
2013-11-08 16:27 ` Weston Andros Adamson
2013-11-08 16:38 ` Steve Dickson
2013-11-08 15:04 ` J. Bruce Fields
2013-11-08 15:54 ` Chuck Lever
2013-11-08 16:14 ` J. Bruce Fields
2013-11-08 17:58 ` Chuck Lever
2013-11-08 18:46 ` Chuck Lever
2013-11-08 21:09 ` J. Bruce Fields
2013-11-08 16:17 ` Steve Dickson
2013-11-08 15:46 ` Chuck Lever
2013-11-08 21:25 ` Steve Dickson
2013-11-07 19:26 ` Myklebust, Trond
2013-11-07 21:25 ` Steve Dickson
2013-11-07 21:39 ` Myklebust, Trond
2013-11-07 21:57 ` Steve Dickson
2013-11-07 22:29 ` Myklebust, Trond
2013-11-08 12:21 ` Steve Dickson
2013-11-08 14:30 ` Myklebust, Trond
2013-11-08 15:08 ` Steve Dickson
2013-11-08 15:16 ` Myklebust, Trond
2013-11-08 16:31 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131108201446.GG3533@fieldses.org \
--to=bfields@fieldses.org \
--cc=SteveD@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=chuck.lever@oracle.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).