From: Nico Williams <nico@cryptonector.com>
To: "Adamson, Andy" <William.Adamson@netapp.com>
Cc: "Myklebust, Trond" <Trond.Myklebust@netapp.com>,
Simo Sorce <simo@redhat.com>, dhowells <dhowells@redhat.com>,
"<linux-nfs@vger.kernel.org>" <linux-nfs@vger.kernel.org>,
krbdev <krbdev@mit.edu>
Subject: Re: GSSAPI Proxy initiative
Date: Fri, 4 Nov 2011 11:42:14 -0500 [thread overview]
Message-ID: <CAK3OfOjisvAjafpE04p-fFpAkqQuTgfEH5t3Ne6oTtLfYbW-rg@mail.gmail.com> (raw)
In-Reply-To: <4110733A-4C73-481B-96D5-D6C3BDBB16CD@netapp.com>
On Fri, Nov 4, 2011 at 11:30 AM, Adamson, Andy
<William.Adamson@netapp.com> wrote:
> Well, don't all GSS mechanisms have credentials? We use the UID to map between the RPCSEC_GSS context and the credential, so we don't need to store the credential along side of the context.
The problem is that for some mechs credentials can get huge over time
(e.g., Kerberos ccaches). Ensuring that all those credentials are
available when we need them in order to reestablish RPCSEC_GSS
contexts with the server so we can WRITE out cached dirty blocks in a
memory pressure situation is... difficult or impossible -- anything we
do to make that possible will be generally brittle.
If the GSS-API gave us a way to extract a "sub-credential" we might
make do, BUT, that's ugly, IMO, and we still have to deal with the
fact that that sub-credential's expiration time might not be
convenient, thus needing extra code to refresh it proactively, and so
on. I.e., a GSS-based solution to this problem could be a nightmare.
An RPCSEC_GSS-based solution seems trivial by comparison.
> That said, I agree that a light-weight method of re-establishing a context is very appealing.
Not least because any re--auth credential refresh operations will
involve only that client and server.
Nico
--
next prev parent reply other threads:[~2011-11-04 16:42 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-02 21:26 GSSAPI Proxy initiative Simo Sorce
2011-11-02 23:05 ` Simo Sorce
2011-11-03 3:24 ` Nico Williams
2011-11-03 14:58 ` Simo Sorce
2011-11-03 16:05 ` Nico Williams
2011-11-03 16:31 ` Simo Sorce
2011-11-03 18:57 ` Nico Williams
2011-11-03 20:39 ` Trond Myklebust
2011-11-03 20:53 ` Nico Williams
2011-11-03 21:30 ` Simo Sorce
2011-11-03 21:46 ` Trond Myklebust
2011-11-03 22:00 ` Simo Sorce
2011-11-03 22:16 ` Myklebust, Trond
2011-11-03 23:47 ` Simo Sorce
2011-11-04 14:34 ` J. Bruce Fields
2011-11-04 15:13 ` Nico Williams
2011-11-04 15:36 ` Nico Williams
2011-11-04 15:55 ` Adamson, Andy
2011-11-04 16:20 ` Nico Williams
2011-11-04 16:25 ` Simo Sorce
2011-11-04 16:43 ` Nico Williams
2011-11-04 16:30 ` Adamson, Andy
2011-11-04 16:42 ` Nico Williams [this message]
2011-11-04 14:51 ` Nico Williams
2011-11-03 21:58 ` Tom Yu
2011-11-03 15:42 ` Nico Williams
2011-11-03 16:10 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK3OfOjisvAjafpE04p-fFpAkqQuTgfEH5t3Ne6oTtLfYbW-rg@mail.gmail.com \
--to=nico@cryptonector.com \
--cc=Trond.Myklebust@netapp.com \
--cc=William.Adamson@netapp.com \
--cc=dhowells@redhat.com \
--cc=krbdev@mit.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).