[fedfs-utils] [PATCH 0/5] RPCSEC GSS support for rpc.fedfsd

Chuck Lever chuck.lever at oracle.com
Wed Dec 18 09:17:26 PST 2013


This series adds RPCSEC GSS support to our FedFS ADMIN protocol
server.

To make authentication meaningful, I added an access authorization
mechanism where the fileserver administrator can list users (either
AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
operations.

There are some libtirpc limitations at this time that make RPCSEC
GSS support provisional.  For example:

 1.  The new rpc.fedfsd access authorization mechanism recognizes
     various GSS service levels that are allowed.  The fileserver
     administrator can use this to prevent access via clear-text
     security levels, for example.

     However, libtirpc does not currently export APIs that expose
     a client's GSS service level, so limiting access by service
     does not work at this time.

 2.  The server-side RPCSEC GSS implementation in libtirpc currently
     supports only one GSS credential at a time.  If more than one
     ADMIN client attempts to perform ADMIN operations concurrently
     using GSS security, they will step on each other's GSS context.

I'm working on libtirpc updates that should allow GSS support in
rpc.fedfsd to be fully operational in fedfs-utils 0.11.

---

Chuck Lever (5):
      contrib: run rpcfedfsd.service after network.target is started
      fedfsd: Clean up fedfsd.h
      fedfsd: Control access to ADMIN service
      fedfsd: Add RPCSEC_GSS support to fedfsd
      README: Remove warnings about fedfsd


 Makefile.am                    |    2 
 README                         |   53 ++--
 configure.ac                   |    8 +
 contrib/init/rpcfedfsd.service |    2 
 doc/man/rpc.fedfsd.8           |   65 ++++-
 src/fedfsd/Makefile.am         |    5 
 src/fedfsd/access.c            |  554 ++++++++++++++++++++++++++++++++++++++++
 src/fedfsd/fedfsd.h            |   26 ++
 src/fedfsd/gss.c               |  180 +++++++++++++
 src/fedfsd/main.c              |    6 
 src/fedfsd/svc.c               |   44 +++
 sysconf/Makefile.am            |   29 ++
 sysconf/fedfsd/access.conf     |   55 ++++
 13 files changed, 982 insertions(+), 47 deletions(-)
 create mode 100644 src/fedfsd/access.c
 create mode 100644 src/fedfsd/gss.c
 create mode 100644 sysconf/Makefile.am
 create mode 100644 sysconf/fedfsd/access.conf

-- 
Chuck Lever


