From: David Howells <dhowells@redhat.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: dhowells@redhat.com, Simo Sorce <simo@redhat.com>,
keyrings@linux-nfs.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
linux-nfs@vger.kernel.org, krbdev@mit.edu,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
Date: Fri, 02 Aug 2013 18:50:44 +0100 [thread overview]
Message-ID: <7664.1375465844@warthog.procyon.org.uk> (raw)
In-Reply-To: <51FAAF3D.3010806@fifthhorseman.net>
Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> I guess this raises the question from a different perspective: if the
> kernel already supports arbitrary shm segments, filesystem locations,
> etc, which can be used for storing/passing opaque bytestrings between
> different parts of userspace, what advantages do we gain from having
> this new specific mechanism in the kernel? Why couldn't those parts of
> userspace just rely on already-existing mechanisms instead of
> introducing this new interface?
Kernel services can use keys directly by calling request_key() without
necessarily having to upcall.
The keys service in the kernel was created initially for use by the kAFS
filesystem in the kernel which uses it for passing authentication tokens
around. Let me describe how I originally envisioned this working as it may
help the discussion.
Every time a non-fd-based operation[*] is called, kAFS calls request_key() to
get a key containing an authentication token for the cell.
[*] That is things like lookup, open(), rmdir() and stat() but not read() and
write() which use a key cached in the file struct.
Keys can be preemptively added for kAFS by calling a klog or an aklog program
talk to the authentication server and then use add_key() to add a key into the
kernel. The filesystem subsequently finds this and uses it without the need to
upcall.
Currently, that's all you can do with kAFS.
However, on my todo list is to make it able to upcall when it doesn't have a
key available. This is provided for by the request_key() mechanism.
request_key() searches for the key and if one if is available, it returns it
otherwise it can[*] partially construct a key and then upcall to ask userspace
to instantiate it.
[*] If the caller permits it to.
request_key() can upcall to a program it execs itself or it can upcall to a
running program (though the exact mechanism of the latter is to be worked out).
Say userspace then decides to do a Kerberos ticket request. It could call
request_key() itself to search the original process's keyrings for a TGT which
it can then use to request a ticket.
Once it has the ticket, it can place the ticket data into the partially
constructed key and link the key into the kerberos ccache keyring to retain it.
Now, one of the problems I've got is that the name in the partially constructed
key is from the filesystem's view of the world - and this doesn't necessarily
coincide with that of the authentication server. For example, the kAFS
filesystem wants a key named for the cell, eg.:
afs.redhat.com
but the Kerberos ticket might look like:
AFS/afs.redhat.com@REDHAT.COM
Now, I do permit partial matching, so I could ignore the "@REDHAT.COM" and just
slap "AFS/" on the front of what I'm looking for.
A further problem is the fact that keys have types and search only finds the
type asked for - though that can be dealt with in the keyring search algorithm.
David
next prev parent reply other threads:[~2013-08-02 17:50 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-01 17:38 [RFC][PATCH 0/2] KEYS: Kerberos caching support David Howells
2013-08-01 17:38 ` [PATCH 1/2] KEYS: Implement a big key type that can save to tmpfs David Howells
2013-08-02 20:49 ` Nico Williams
2013-08-02 20:50 ` Nico Williams
2013-08-08 14:46 ` David Howells
2013-08-09 16:24 ` Nico Williams
2013-08-01 17:39 ` [PATCH 2/2] KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches David Howells
2013-08-01 17:54 ` Daniel Kahn Gillmor
2013-08-01 18:29 ` Simo Sorce
2013-08-01 18:55 ` Daniel Kahn Gillmor
2013-08-01 19:10 ` Simo Sorce
2013-08-02 17:50 ` David Howells [this message]
2013-08-01 23:09 ` Eric W. Biederman
2013-08-02 13:55 ` Jeff Layton
2013-08-02 14:16 ` Simo Sorce
2013-08-02 20:20 ` Nico Williams
2013-08-02 16:53 ` David Howells
2013-08-02 17:00 ` Simo Sorce
2013-08-02 17:02 ` David Howells
2013-08-02 17:13 ` Jeff Layton
2013-08-02 17:00 ` David Howells
2013-08-02 17:05 ` David Howells
2013-08-02 17:44 ` Eric W. Biederman
2013-08-02 17:12 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7664.1375465844@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dkg@fifthhorseman.net \
--cc=ebiederm@xmission.com \
--cc=keyrings@linux-nfs.org \
--cc=krbdev@mit.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=serge.hallyn@ubuntu.com \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).