[fedfs-utils] [PATCH 0/5] RPCSEC GSS support for rpc.fedfsd
Chuck Lever
chuck.lever at oracle.com
Fri Dec 27 11:37:49 PST 2013
On Dec 18, 2013, at 12:21 PM, Chuck Lever <chuck.lever at oracle.com> wrote:
>
> On Dec 18, 2013, at 12:17 PM, Chuck Lever <chuck.lever at oracle.com> wrote:
>
>> This series adds RPCSEC GSS support to our FedFS ADMIN protocol
>> server.
>>
>> To make authentication meaningful, I added an access authorization
>> mechanism where the fileserver administrator can list users (either
>> AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
>> operations.
>>
>> There are some libtirpc limitations at this time that make RPCSEC
>> GSS support provisional. For example:
>>
>> 1. The new rpc.fedfsd access authorization mechanism recognizes
>> various GSS service levels that are allowed. The fileserver
>> administrator can use this to prevent access via clear-text
>> security levels, for example.
>>
>> However, libtirpc does not currently export APIs that expose
>> a client's GSS service level, so limiting access by service
>> does not work at this time.
>>
>> 2. The server-side RPCSEC GSS implementation in libtirpc currently
>> supports only one GSS credential at a time. If more than one
>> ADMIN client attempts to perform ADMIN operations concurrently
>> using GSS security, they will step on each other's GSS context.
>>
>> I'm working on libtirpc updates that should allow GSS support in
>> rpc.fedfsd to be fully operational in fedfs-utils 0.11.
>
> By the way, review period ends Thursday, December 26, 2013 at midnight ET.
These have been committed. See you next year!
>
>
>>
>> ---
>>
>> Chuck Lever (5):
>> contrib: run rpcfedfsd.service after network.target is started
>> fedfsd: Clean up fedfsd.h
>> fedfsd: Control access to ADMIN service
>> fedfsd: Add RPCSEC_GSS support to fedfsd
>> README: Remove warnings about fedfsd
>>
>>
>> Makefile.am | 2
>> README | 53 ++--
>> configure.ac | 8 +
>> contrib/init/rpcfedfsd.service | 2
>> doc/man/rpc.fedfsd.8 | 65 ++++-
>> src/fedfsd/Makefile.am | 5
>> src/fedfsd/access.c | 554 ++++++++++++++++++++++++++++++++++++++++
>> src/fedfsd/fedfsd.h | 26 ++
>> src/fedfsd/gss.c | 180 +++++++++++++
>> src/fedfsd/main.c | 6
>> src/fedfsd/svc.c | 44 +++
>> sysconf/Makefile.am | 29 ++
>> sysconf/fedfsd/access.conf | 55 ++++
>> 13 files changed, 982 insertions(+), 47 deletions(-)
>> create mode 100644 src/fedfsd/access.c
>> create mode 100644 src/fedfsd/gss.c
>> create mode 100644 sysconf/Makefile.am
>> create mode 100644 sysconf/fedfsd/access.conf
>>
>> --
>> Chuck Lever
>>
>> _______________________________________________
>> fedfs-utils-devel mailing list
>> fedfs-utils-devel at oss.oracle.com
>> https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com