On Dec 18, 2013, at 12:21 PM, Chuck Lever <[email protected]> wrote:
>
> On Dec 18, 2013, at 12:17 PM, Chuck Lever <[email protected]> wrote:
>
>> This series adds RPCSEC GSS support to our FedFS ADMIN protocol
>> server.
>>
>> To make authentication meaningful, I added an access authorization
>> mechanism where the fileserver administrator can list users (either
>> AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
>> operations.
>>
>> There are some libtirpc limitations at this time that make RPCSEC
>> GSS support provisional. For example:
>>
>> 1. The new rpc.fedfsd access authorization mechanism recognizes
>>    various GSS service levels that are allowed. The fileserver
>>    administrator can use this to prevent access via clear-text
>>    security levels, for example.
>>
>>    However, libtirpc does not currently export APIs that expose
>>    a client's GSS service level, so limiting access by service
>>    does not work at this time.
>>
>> 2. The server-side RPCSEC GSS implementation in libtirpc currently
>>    supports only one GSS credential at a time. If more than one
>>    ADMIN client attempts to perform ADMIN operations concurrently
>>    using GSS security, they will step on each other's GSS context.
>>
>> I'm working on libtirpc updates that should allow GSS support in
>> rpc.fedfsd to be fully operational in fedfs-utils 0.11.
>
> By the way, review period ends Thursday, December 26, 2013 at midnight ET.

These have been committed. See you next year!

>
>
>>
>> ---
>>
>> Chuck Lever (5):
>>       contrib: run rpcfedfsd.service after network.target is started
>>       fedfsd: Clean up fedfsd.h
>>       fedfsd: Control access to ADMIN service
>>       fedfsd: Add RPCSEC_GSS support to fedfsd
>>       README: Remove warnings about fedfsd
>>
>>
>>  Makefile.am                    |    2
>>  README                         |   53 ++--
>>  configure.ac                   |    8 +
>>  contrib/init/rpcfedfsd.service |    2
>>  doc/man/rpc.fedfsd.8           |   65 ++++-
>>  src/fedfsd/Makefile.am         |    5
>>  src/fedfsd/access.c            |  554 ++++++++++++++++++++++++++++++++++++++++
>>  src/fedfsd/fedfsd.h            |   26 ++
>>  src/fedfsd/gss.c               |  180 +++++++++++++
>>  src/fedfsd/main.c              |    6
>>  src/fedfsd/svc.c               |   44 +++
>>  sysconf/Makefile.am            |   29 ++
>>  sysconf/fedfsd/access.conf     |   55 ++++
>>  13 files changed, 982 insertions(+), 47 deletions(-)
>>  create mode 100644 src/fedfsd/access.c
>>  create mode 100644 src/fedfsd/gss.c
>>  create mode 100644 sysconf/Makefile.am
>>  create mode 100644 sysconf/fedfsd/access.conf
>>
>> --
>> Chuck Lever
>>
>> _______________________________________________
>> fedfs-utils-devel mailing list
>> [email protected]
>> https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
