[fedfs-utils] [PATCH 0/5] RPCSEC GSS support for rpc.fedfsd
Chuck Lever
chuck.lever at oracle.com
Wed Dec 18 09:21:22 PST 2013
On Dec 18, 2013, at 12:17 PM, Chuck Lever <chuck.lever at oracle.com> wrote:
> This series adds RPCSEC GSS support to our FedFS ADMIN protocol
> server.
>
> To make authentication meaningful, I added an access authorization
> mechanism where the fileserver administrator can list users (either
> AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
> operations.
>
> There are some libtirpc limitations at this time that make RPCSEC
> GSS support provisional. For example:
>
> 1. The new rpc.fedfsd access authorization mechanism recognizes
>    various GSS service levels that are allowed. The fileserver
>    administrator can use this to prevent access via clear-text
>    security levels, for example.
>
>    However, libtirpc does not currently export APIs that expose
>    a client's GSS service level, so limiting access by service
>    does not work at this time.
>
> 2. The server-side RPCSEC GSS implementation in libtirpc currently
>    supports only one GSS credential at a time. If more than one
>    ADMIN client attempts to perform ADMIN operations concurrently
>    using GSS security, they will step on each other's GSS context.
>
> I'm working on libtirpc updates that should allow GSS support in
> rpc.fedfsd to be fully operational in fedfs-utils 0.11.
By the way, review period ends Thursday, December 26, 2013 at midnight ET.
>
> ---
>
> Chuck Lever (5):
>       contrib: run rpcfedfsd.service after network.target is started
>       fedfsd: Clean up fedfsd.h
>       fedfsd: Control access to ADMIN service
>       fedfsd: Add RPCSEC_GSS support to fedfsd
>       README: Remove warnings about fedfsd
>
>
> Makefile.am | 2
> README | 53 ++--
> configure.ac | 8 +
> contrib/init/rpcfedfsd.service | 2
> doc/man/rpc.fedfsd.8 | 65 ++++-
> src/fedfsd/Makefile.am | 5
> src/fedfsd/access.c | 554 ++++++++++++++++++++++++++++++++++++++++
> src/fedfsd/fedfsd.h | 26 ++
> src/fedfsd/gss.c | 180 +++++++++++++
> src/fedfsd/main.c | 6
> src/fedfsd/svc.c | 44 +++
> sysconf/Makefile.am | 29 ++
> sysconf/fedfsd/access.conf | 55 ++++
> 13 files changed, 982 insertions(+), 47 deletions(-)
> create mode 100644 src/fedfsd/access.c
> create mode 100644 src/fedfsd/gss.c
> create mode 100644 sysconf/Makefile.am
> create mode 100644 sysconf/fedfsd/access.conf
>
> --
> Chuck Lever
>
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com