[fedfs-utils] [PATCH 0/5] RPCSEC GSS support for rpc.fedfsd

Chuck Lever chuck.lever at oracle.com
Wed Dec 18 09:21:22 PST 2013


On Dec 18, 2013, at 12:17 PM, Chuck Lever <chuck.lever at oracle.com> wrote:

> This series adds RPCSEC GSS support to our FedFS ADMIN protocol
> server.
> 
> To make authentication meaningful, I added an access authorization
> mechanism where the fileserver administrator can list users (either
> AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
> operations.
> 
> There are some libtirpc limitations at this time that make RPCSEC
> GSS support provisional.  For example:
> 
> 1.  The new rpc.fedfsd access authorization mechanism recognizes
>     various GSS service levels that are allowed.  The fileserver
>     administrator can use this to prevent access via clear-text
>     security levels, for example.
> 
>     However, libtirpc does not currently export APIs that expose
>     a client's GSS service level, so limiting access by service
>     does not work at this time.
> 
> 2.  The server-side RPCSEC GSS implementation in libtirpc currently
>     supports only one GSS credential at a time.  If more than one
>     ADMIN client attempts to perform ADMIN operations concurrently
>     using GSS security, they will step on each other's GSS context.
> 
> I'm working on libtirpc updates that should allow GSS support in
> rpc.fedfsd to be fully operational in fedfs-utils 0.11.

By the way, review period ends Thursday, December 26, 2013 at midnight ET.


> 
> ---
> 
> Chuck Lever (5):
>      contrib: run rpcfedfsd.service after network.target is started
>      fedfsd: Clean up fedfsd.h
>      fedfsd: Control access to ADMIN service
>      fedfsd: Add RPCSEC_GSS support to fedfsd
>      README: Remove warnings about fedfsd
> 
> 
> Makefile.am                    |    2 
> README                         |   53 ++--
> configure.ac                   |    8 +
> contrib/init/rpcfedfsd.service |    2 
> doc/man/rpc.fedfsd.8           |   65 ++++-
> src/fedfsd/Makefile.am         |    5 
> src/fedfsd/access.c            |  554 ++++++++++++++++++++++++++++++++++++++++
> src/fedfsd/fedfsd.h            |   26 ++
> src/fedfsd/gss.c               |  180 +++++++++++++
> src/fedfsd/main.c              |    6 
> src/fedfsd/svc.c               |   44 +++
> sysconf/Makefile.am            |   29 ++
> sysconf/fedfsd/access.conf     |   55 ++++
> 13 files changed, 982 insertions(+), 47 deletions(-)
> create mode 100644 src/fedfsd/access.c
> create mode 100644 src/fedfsd/gss.c
> create mode 100644 sysconf/Makefile.am
> create mode 100644 sysconf/fedfsd/access.conf
> 
> -- 
> Chuck Lever

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com