[fedfs-utils] [PATCH 0/5] RPCSEC GSS support for rpc.fedfsd

Chuck Lever chuck.lever at oracle.com
Fri Dec 27 11:37:49 PST 2013


On Dec 18, 2013, at 12:21 PM, Chuck Lever <chuck.lever at oracle.com> wrote:

> 
> On Dec 18, 2013, at 12:17 PM, Chuck Lever <chuck.lever at oracle.com> wrote:
> 
>> This series adds RPCSEC GSS support to our FedFS ADMIN protocol
>> server.
>> 
>> To make authentication meaningful, I added an access authorization
>> mechanism where the fileserver administrator can list users (either
>> AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
>> operations.
>> 
>> There are some libtirpc limitations at this time that make RPCSEC
>> GSS support provisional.  For example:
>> 
>> 1.  The new rpc.fedfsd access authorization mechanism recognizes
>>    various GSS service levels that are allowed.  The fileserver
>>    administrator can use this to prevent access via clear-text
>>    security levels, for example.
>> 
>>    However, libtirpc does not currently export APIs that expose
>>    a client's GSS service level, so limiting access by service
>>    does not work at this time.
>> 
>> 2.  The server-side RPCSEC GSS implementation in libtirpc currently
>>    supports only one GSS credential at a time.  If more than one
>>    ADMIN client attempts to perform ADMIN operations concurrently
>>    using GSS security, they will step on each other's GSS context.
>> 
>> I'm working on libtirpc updates that should allow GSS support in
>> rpc.fedfsd to be fully operational in fedfs-utils 0.11.
> 
> By the way, review period ends Thursday, December 26, 2013 at midnight ET.

These have been committed.  See you next year!


> 
> 
>> 
>> ---
>> 
>> Chuck Lever (5):
>>     contrib: run rpcfedfsd.service after network.target is started
>>     fedfsd: Clean up fedfsd.h
>>     fedfsd: Control access to ADMIN service
>>     fedfsd: Add RPCSEC_GSS support to fedfsd
>>     README: Remove warnings about fedfsd
>> 
>> 
>> Makefile.am                    |    2 
>> README                         |   53 ++--
>> configure.ac                   |    8 +
>> contrib/init/rpcfedfsd.service |    2 
>> doc/man/rpc.fedfsd.8           |   65 ++++-
>> src/fedfsd/Makefile.am         |    5 
>> src/fedfsd/access.c            |  554 ++++++++++++++++++++++++++++++++++++++++
>> src/fedfsd/fedfsd.h            |   26 ++
>> src/fedfsd/gss.c               |  180 +++++++++++++
>> src/fedfsd/main.c              |    6 
>> src/fedfsd/svc.c               |   44 +++
>> sysconf/Makefile.am            |   29 ++
>> sysconf/fedfsd/access.conf     |   55 ++++
>> 13 files changed, 982 insertions(+), 47 deletions(-)
>> create mode 100644 src/fedfsd/access.c
>> create mode 100644 src/fedfsd/gss.c
>> create mode 100644 sysconf/Makefile.am
>> create mode 100644 sysconf/fedfsd/access.conf
>> 
>> -- 
>> Chuck Lever
>> 
>> _______________________________________________
>> fedfs-utils-devel mailing list
>> fedfs-utils-devel at oss.oracle.com
>> https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel
> 
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com






