From: Nico Williams <nico@cryptonector.com>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: Simo Sorce <simo@redhat.com>, dhowells <dhowells@redhat.com>,
linux-nfs@vger.kernel.org, krbdev <krbdev@mit.edu>
Subject: Re: GSSAPI Proxy initiative
Date: Fri, 4 Nov 2011 10:13:38 -0500
Message-ID: <CAK3OfOjqCjU4O--XwVBpSBE9pwwkyBEU6OiNLN8_dM6wYe5A1w@mail.gmail.com>
In-Reply-To: <2E1EB2CF9ED1CB4AA966F0EB76EAB4430BFA90EE@SACMVEXC2-PRD.hq.netapp.com>
On Thu, Nov 3, 2011 at 5:16 PM, Myklebust, Trond
<Trond.Myklebust@netapp.com> wrote:
>> It is ok to use keyring if that's deemed the right place for session keys, but I
>> think you already have structures where you currently store them so I don't
>> think you necessarily need to change that part of the kernel implementation.
>
> No, but we still need to be able to do recovery of rpcsec_gss contexts once they are broken, and right now we have a major flaw due to the fact that recovery depends on a lot of small processes and data that is allowed to be swapped out at the moment when we need them the most (i.e. in a memory reclaim situation).
>
> If the server reboots while our client is in the middle of writing back a file (or several files), then the client needs to recover those rpcsec_gss contexts that authenticate the processes which own any dirty pages that remain to be written out.
> Key security is an irrelevant concern once your kernel deadlocks in an OOM state.
Ah, this problem. Hopefully the client has enough resources to thrash
a lot in the process but still manage to recover. A better solution
(see below) is possible, but will require more protocol/mechanism
work.
>> Currently credential caches are stored in files, is there a problem with that
>> model ? Do you need access to credential caches from the kernel when
>> under memory pressure ?
>
> Yes, there is a major problem with that model, and yes we do potentially need access to credential caches when in a recovery situation (which is a situation when we are usually under memory pressure).
Ideally we could store in each RPCSEC_GSS context (not GSS context)
enough state on the client side to recover quickly when the server
reboots. How would we do this? Suppose the server gives the client a
"ticket", and a key much like the Kerberos ticket session key is
agreed upon or sent by the server -- that could be stored in the
RPCSEC_GSS context and could be used to recover it quickly for
recovery from server reboot. I'm eliding a lot of details here, but I
believe this is fundamentally workable.
A similar solution would be to store some GSS "sub-credential" in the
RPCSEC_GSS context, but this would work for Kerberos and maybe not so
well for other mechanisms -- and even with Kerberos, the service
ticket might be expired when it comes time to recover. So I prefer
the RPCSEC_GSS-level solution I mentioned above.
If you agree with me on this then this sub-thread will be best moved
to the NFSv4 WG, particularly if we agree on a protocol-level
solution.
Nico
--
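The ticket-plus-session-key idea above, as an added illustration that is not code from this thread or from the Linux NFS client: the server seals a recovery ticket under a master key that survives reboot, the client keeps the ticket and session key inside its RPCSEC_GSS context, and a freshly rebooted server (empty context table, same master key) re-establishes the context from the ticket alone. Names, the ticket layout and the MAC constructions are assumptions made for the sketch.

```python
# Added sketch (not the thread's or the kernel's code). A server-issued recovery
# ticket plus session key live in the client's RPCSEC_GSS context, so recovery
# after server reboot needs no user-space credential cache. Ticket layout, key
# derivation and the proof construction are assumptions made for this example.
import hmac, hashlib, os, json
from dataclasses import dataclass
from typing import Optional

def _mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)   # length-prefix: no field splicing
    return h.digest()

@dataclass
class RpcsecGssContext:             # client-side state (kernel-resident in the proposal)
    ticket: bytes                   # opaque to the client, sealed by the server
    session_key: bytes              # agreed during the original GSS exchange

class Server:
    """master_key persists across reboots; the context table does not."""
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.contexts = {}          # ticket_id -> principal, lost on reboot

    def issue(self, principal: str) -> RpcsecGssContext:
        ticket_id = os.urandom(16)
        body = json.dumps({"id": ticket_id.hex(), "princ": principal}).encode()
        ticket = body + _mac(self.master_key, b"ticket", body)    # integrity only
        session_key = _mac(self.master_key, b"sess", ticket_id)   # re-derivable later
        self.contexts[ticket_id] = principal
        return RpcsecGssContext(ticket, session_key)

    def recover(self, ticket: bytes, nonce: bytes, proof: bytes) -> Optional[str]:
        body, tag = ticket[:-32], ticket[-32:]
        if not hmac.compare_digest(tag, _mac(self.master_key, b"ticket", body)):
            return None                                   # forged or altered ticket
        info = json.loads(body)
        ticket_id = bytes.fromhex(info["id"])
        session_key = _mac(self.master_key, b"sess", ticket_id)
        if not hmac.compare_digest(proof, _mac(session_key, b"recover", ticket, nonce)):
            return None                                   # caller lacks the session key
        self.contexts[ticket_id] = info["princ"]          # context re-established
        return info["princ"]

def client_recover(ctx: RpcsecGssContext, server: Server) -> Optional[str]:
    """Prove possession of the session key over the stored ticket; no user process involved."""
    nonce = os.urandom(16)
    proof = _mac(ctx.session_key, b"recover", ctx.ticket, nonce)
    return server.recover(ctx.ticket, nonce, proof)
```

A real design would also carry an expiry in the ticket body and use a server-chosen challenge instead of a client nonce so a captured recovery exchange cannot be replayed.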