[fedfs-utils] [PATCH 0/5] RPCSEC GSS support for rpc.fedfsd
Chuck Lever
chuck.lever at oracle.com
Wed Dec 18 09:17:26 PST 2013
This series adds RPCSEC GSS support to our FedFS ADMIN protocol
server.

To make authentication meaningful, I added an access authorization
mechanism where the fileserver administrator can list users (either
AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
operations.

There are some libtirpc limitations at this time that make RPCSEC
GSS support provisional. For example:

1. The new rpc.fedfsd access authorization mechanism recognizes
   various GSS service levels that are allowed. The fileserver
   administrator can use this to prevent access via clear-text
   security levels, for example.

   However, libtirpc does not currently export APIs that expose
   a client's GSS service level, so limiting access by service
   does not work at this time.

2. The server-side RPCSEC GSS implementation in libtirpc currently
   supports only one GSS credential at a time. If more than one
   ADMIN client attempts to perform ADMIN operations concurrently
   using GSS security, they will step on each other's GSS context.

I'm working on libtirpc updates that should allow GSS support in
rpc.fedfsd to be fully operational in fedfs-utils 0.11.
---
Chuck Lever (5):
contrib: run rpcfedfsd.service after network.target is started
fedfsd: Clean up fedfsd.h
fedfsd: Control access to ADMIN service
fedfsd: Add RPCSEC_GSS support to fedfsd
README: Remove warnings about fedfsd
Makefile.am | 2
README | 53 ++--
configure.ac | 8 +
contrib/init/rpcfedfsd.service | 2
doc/man/rpc.fedfsd.8 | 65 ++++-
src/fedfsd/Makefile.am | 5
src/fedfsd/access.c | 554 ++++++++++++++++++++++++++++++++++++++++
src/fedfsd/fedfsd.h | 26 ++
src/fedfsd/gss.c | 180 +++++++++++++
src/fedfsd/main.c | 6
src/fedfsd/svc.c | 44 +++
sysconf/Makefile.am | 29 ++
sysconf/fedfsd/access.conf | 55 ++++
13 files changed, 982 insertions(+), 47 deletions(-)
create mode 100644 src/fedfsd/access.c
create mode 100644 src/fedfsd/gss.c
create mode 100644 sysconf/Makefile.am
create mode 100644 sysconf/fedfsd/access.conf
--
Chuck Lever