[OpenAFS] Re: vos dump authorization based on bos adduser?
Derrick J Brashear [EMAIL PROTECTED] writes:

>>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>>>> bosserver can't depend on ptserver..
>> you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?
> That's bos. i said bosserver can't depend on ptserver.

Ok, point taken. Still,

> How does the bosserver decide you're eligible if there's no ptserver?

Okay, take 2: first, bosserver checks the request to see if it was directly signed with the KeyFile (ie you invoked bos with -localauth). Since it has the KeyFile, it should be able to do this without the help of ptserver. If this is the case, it permits your request. If not, it tries to contact ptserver. If it is unable to contact the ptserver, it rejects your request.

Is your concern that in the all-ptservers-are-down case, this leaves a thread/lwp on the bosserver waiting for a reply from the ptserver? I guess I can appreciate that that is sort of inelegant, but aren't there lots of places where stuff like this happens in the server code?

Somewhat related: is it possible to run a dbserver+fileserver using something like runit instead of bosserver?

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Re: vos dump authorization based on bos adduser?
Adam Megacz [EMAIL PROTECTED] wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>>>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>>>>> bosserver can't depend on ptserver..
>>> you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?
>> That's bos. i said bosserver can't depend on ptserver.
>
> Ok, point taken. Still,
>
>> How does the bosserver decide you're eligible if there's no ptserver?
>
> Okay, take 2: first, bosserver checks the request to see if it was directly signed with the KeyFile (ie you invoked bos with -localauth). Since it has the KeyFile, it should be able to do this without the help of ptserver. If this is the case, it permits your request. If not, it tries to contact ptserver. If it is unable to contact the ptserver, it rejects your request.

So how would I issue bos shutdown for an entire cell, and then bos startup? Log on to one of the AFS servers so that I have access to the KeyFile? This isn't ideal in certain situations.

> Is your concern that in the all-ptservers-are-down case, this leaves a thread/lwp on the bosserver waiting for a reply from the ptserver? I guess I can appreciate that that is sort of inelegant, but aren't there lots of places where stuff like this happens in the server code?

Well, one often uses the bos command to stop all AFS server instances except bosserver. Bos restart, bos shutdown, bos startup, etc. Sometimes these commands are issued remotely and the KeyFile is usually only on the AFS servers themselves for security reasons. Besides, sometimes having a separate UserList is a good thing and one can restrict certain operations by placing a user in either system:administrators or the UserList, but not both. Or in the UserList on some servers and not others.

Where are there other places where this happens in the server code?

> Somewhat related: is it possible to run a dbserver+fileserver using something like runit instead of bosserver?

Yes, as per: http://www.openafs.org/pipermail/openafs-info/2005-December/020653.html

CDC
Re: [OpenAFS] Re: vos dump authorization based on bos adduser?
Adam Megacz wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>> How does the bosserver decide you're eligible if there's no ptserver?
>
> Okay, take 2: first, bosserver checks the request to see if it was directly signed with the KeyFile (ie you invoked bos with -localauth). Since it has the KeyFile, it should be able to do this without the help of ptserver. If this is the case, it permits your request. If not, it tries to contact ptserver. If it is unable to contact the ptserver, it rejects your request.

All authenticated requests are encrypted using the key in the KeyFile. The KeyFile is the file that stores the keys used to encrypt the authenticator. This has nothing at all to do with ptserver.

The ptserver maintains the authorization database. In the AFS server model, a client authenticates to the server and then the server queries the ptserver for the authorization data for that user. Based upon the contents of the authorization data, the server permits or denies the user's request.

bosserver cannot depend on ptserver because bosserver is the tool that is used to start / stop ptserver. Therefore, bosserver has its own authorization data that is stored in a file.

Jeffrey Altman
Secure Endpoints Inc.
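The two models Jeffrey contrasts above (bosserver's own UserList file versus a server that asks ptserver for authorization data), together with Adam's "take 2" from earlier in the thread, can be made concrete with a small simulation. This is an added example and not OpenAFS code: a single HMAC key stands in for the KeyFile, an HMAC over the request stands in for the KeyFile-encrypted authenticator, and an in-memory group table that can be marked unreachable stands in for ptserver. Every name in it (bosserver_authorize, proposed_authorize, PtServer, the principals and the UserList contents) is constructed for the illustration. What it shows is why the UserList keeps bosserver usable when every ptserver is down, and that a system:administrators lookup in that state can only fail closed, unless the request was signed with the KeyFile, which means it came from a host that holds the KeyFile.

```python
"""Model of the two authorization paths discussed in this thread.

Added example, not OpenAFS code. The KeyFile is stood in for by one HMAC key,
the KeyFile-encrypted authenticator by an HMAC over the request, and ptserver
by an in-memory group table that can be marked unreachable.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for the cell key held in a server's KeyFile.
KEYFILE_KEY = b"constructed-cell-key-not-a-real-afs-key"


@dataclass
class Request:
    principal: str               # Kerberos principal the caller claims to be
    op: str                      # e.g. "shutdown", "startup", "restart"
    mac: Optional[bytes] = None  # set only when bos was run with -localauth


def _bind(principal: str, op: str) -> bytes:
    """MAC over the request under the KeyFile key (toy authenticator)."""
    return hmac.new(KEYFILE_KEY, f"{principal}\0{op}".encode(), hashlib.sha256).digest()


def localauth_request(principal: str, op: str) -> Request:
    """What `bos ... -localauth` amounts to in this model: a request bound to
    the KeyFile key. Only a host holding the KeyFile can produce a valid MAC,
    which is why the thread notes the KeyFile lives only on the AFS servers."""
    return Request(principal, op, _bind(principal, op))


def signed_with_keyfile(req: Request) -> bool:
    """Verify the request against the KeyFile key. No ptserver involved."""
    if req.mac is None:
        return False
    return hmac.compare_digest(_bind(req.principal, req.op), req.mac)


class PtServerUnreachable(Exception):
    """Raised when no ptserver instance answers (all of them are down)."""


@dataclass
class PtServer:
    groups: Dict[str, Set[str]]
    reachable: bool = True
    queries: int = 0  # counts round trips, to show when ptserver is consulted

    def is_member(self, group: str, principal: str) -> bool:
        self.queries += 1
        if not self.reachable:
            raise PtServerUnreachable("no ptserver instance reachable")
        return principal in self.groups.get(group, set())


def bosserver_authorize(req: Request, userlist: Set[str]) -> bool:
    """The model Jeffrey describes: bosserver keeps its own file (UserList)
    and never needs ptserver. A KeyFile-signed request is accepted regardless."""
    if signed_with_keyfile(req):
        return True
    return req.principal in userlist


def proposed_authorize(req: Request, pt: PtServer) -> bool:
    """Adam's 'take 2': KeyFile first, then system:administrators via ptserver,
    and reject if no ptserver can be reached (fail closed)."""
    if signed_with_keyfile(req):
        return True
    try:
        return pt.is_member("system:administrators", req.principal)
    except PtServerUnreachable:
        return False  # fail closed: no authorization data, so no decision in favour


def cell_wide_shutdown_scenario() -> Dict[str, bool]:
    """Every ptserver is down; alice is in both system:administrators and UserList.
    Compares a remote request (token from aklog, no KeyFile) with one issued
    on a server host via -localauth."""
    pt = PtServer({"system:administrators": {"alice"}}, reachable=False)
    userlist = {"alice"}
    remote = Request("alice", "shutdown")
    on_server = localauth_request("alice", "shutdown")
    return {
        "userlist_remote": bosserver_authorize(remote, userlist),     # True
        "proposed_remote": proposed_authorize(remote, pt),           # False
        "proposed_localauth": proposed_authorize(on_server, pt),     # True
    }
```

The scenario function is the point of the exercise: with the UserList model a listed administrator can still issue a cell-wide shutdown from a remote host while ptserver is down; with the proposed model the same request is denied, and the only way through is a KeyFile-signed request from a server host. The model also makes visible what the localauth path rests on, namely the confidentiality of the KeyFile, which is the concern raised earlier in the thread about an admin on a single fileserver.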
Re: [OpenAFS] Re: vos dump authorization based on bos adduser?
On Fri, 8 Jun 2007, Adam Megacz wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>>>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>>>>> bosserver can't depend on ptserver..
>>> you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?
>> That's bos. i said bosserver can't depend on ptserver.
>
> Ok, point taken. Still,
>
>> How does the bosserver decide you're eligible if there's no ptserver?
>
> Okay, take 2: first, bosserver checks the request to see if it was directly signed with the KeyFile (ie you invoked bos with -localauth). Since it has the KeyFile, it should be able to do this without the help of ptserver. If this is the case, it permits your request. If not, it tries to contact ptserver. If it is unable to contact the ptserver, it rejects your request.
>
> Is your concern that in the all-ptservers-are-down case, this leaves a thread/lwp on the bosserver waiting for a reply from the ptserver? I guess I can appreciate that that is sort of inelegant, but aren't there lots of places where stuff like this happens in the server code?

Sure. Why do we want to add more?
[OpenAFS] Re: vos dump authorization based on bos adduser?
Derrick J Brashear [EMAIL PROTECTED] writes:

>>>> Actually, now that I think about it, if all the ptserver instances are down, how would an admin be able to aklog (in order to run bos commands)?
>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>> But localauth doesn't even require the bos adduser list... I guess I'm just wondering if the bos userlist can be eliminated and bosserver/volserver can use system:administrators instead. I'll write up a patch adding an option for this unless there's some reason why this is a Very Bad Idea.
> bosserver can't depend on ptserver..

I think we're going in circles here... didn't you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
Re: [OpenAFS] Re: vos dump authorization based on bos adduser?
On Thu, 7 Jun 2007, Adam Megacz wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>>>>> Actually, now that I think about it, if all the ptserver instances are down, how would an admin be able to aklog (in order to run bos commands)?
>>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>>> But localauth doesn't even require the bos adduser list... I guess I'm just wondering if the bos userlist can be eliminated and bosserver/volserver can use system:administrators instead. I'll write up a patch adding an option for this unless there's some reason why this is a Very Bad Idea.
>> bosserver can't depend on ptserver..
>
> I think we're going in circles here... didn't you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?

That's bos. i said bosserver can't depend on ptserver. Your mind is going in circles, my explanation is not.

How does the bosserver decide you're eligible if there's no ptserver? Well, it times out and then just allows localauth. Timeout. Ick.
[OpenAFS] Re: vos dump authorization based on bos adduser?
Derrick J Brashear [EMAIL PROTECTED] writes:

> You can have servers with a more limited set of admins.

If they have admin powers on even a single fileserver, can't they steal the KeyFile and wreak havoc?

>> Actually, now that I think about it, if all the ptserver instances are down, how would an admin be able to aklog (in order to run bos commands)?
> -localauth. (but aklog doesn't *require* ptserver; see afslog)

But localauth doesn't even require the bos adduser list... I guess I'm just wondering if the bos userlist can be eliminated and bosserver/volserver can use system:administrators instead. I'll write up a patch adding an option for this unless there's some reason why this is a Very Bad Idea.

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
Re: [OpenAFS] Re: vos dump authorization based on bos adduser?
On Tue, 5 Jun 2007, Adam Megacz wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>> You can have servers with a more limited set of admins.
>
> If they have admin powers on even a single fileserver, can't they steal the KeyFile and wreak havoc?
>
>>> Actually, now that I think about it, if all the ptserver instances are down, how would an admin be able to aklog (in order to run bos commands)?
>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>
> But localauth doesn't even require the bos adduser list... I guess I'm just wondering if the bos userlist can be eliminated and bosserver/volserver can use system:administrators instead. I'll write up a patch adding an option for this unless there's some reason why this is a Very Bad Idea.

bosserver can't depend on ptserver..