Douglas E. Engert wrote:
Derrick J Brashear wrote:
Ok, that's great. So, what should we do about it?
Reimplement groups. No, really.
Is there another way to look at the PAG problem rather than having to use the groups? Using the groups to store a PAG was a convenience for the AFS Kernel routines to find credentials associated with a process, but does not appear to be a requirement.
There is no other way. The reason passing a PAG as a special pair of groups gives us the right semantics across a dozen platforms is because PAGs do what "regular" groups were supposed to do.
The sad part is, groups just don't cut it anymore. The /etc/groups is a poor substitute for ptserver, and -rwxrwxrwx is a poor substitute for file level ACLs. The process supplemental groups list should become a generic credential handle cache with no specific groups in it. Instead, those groups should be stored in a "local" credential structure just like AFS tokens, the coming NFS credentials, and as-yet-unthought-of credentials, respectively, should be stored.
Reimplementing local groups as just one of many credentials mechanisms would be a big shift, but the supplemental groups list has exactly the right semantics; recreating those semantics via another mechanism is just wrong -- aesthetically wrong in the sense that it'll never make it past the kernel developers. The major changes of late that have made the cut do just the opposite; they generalize similar redundant mechanisms. It would have to be really well done so that current group handling doesn't take a significant hit. The kernel gatekeepers aren't going to take such a change unless there are obvious payoffs. Perhaps with NFS also needing such a facility, and NFS being more palatable to the kernel guys, they might at least give it a look.
Yeah, I'm supposed to provide the patch with such a suggestion. Sorry. But I'm firmly convinced that PAGs are not the bag-on-the-side of the existing groups facility, but rather unix groups were the good-enough-for-the-times bag-on-the-side implementation from back before we understood what credentials really were or what they could do for us.
Cheers,
--
+--------------------------------------------------------------+
/ [EMAIL PROTECTED] 919-962-5273 http://www.unc.edu/~utoddl /
/ Marriage is the mourning after the knot before. /
+--------------------------------------------------------------+
p.s.: Yes, I'm the guy that suggested eliminating tabs from the OpenAFS sources. Radical ideas for radical times, no?
_______________________________________________ OpenAFS-devel mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-devel
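The thread above contrasts two designs: the classic trick of smuggling a PAG into a pair of supplementary groups drawn from a reserved GID range, and the "generic credential handle cache" the reply argues for, where the group list carries one opaque handle and the per-type credentials (local groups, AFS tokens, NFS credentials) hang off it. The Python model below is an added illustration, not code from this message or from OpenAFS; the reserved GID base, the 14-bit split, the handle range and the `CredentialCache` class are all assumptions chosen to make the two designs easy to compare, not the encoding any real kernel module uses.

```python
"""Two ways a process can carry a credential handle (illustrative model).

Assumed constants and layout; NOT the real OpenAFS PAG encoding.
"""
from dataclasses import dataclass, field
from typing import Optional

PAG_GID_BASE = 0x3F00          # assumed: first GID of the reserved PAG range
PAG_GID_SPAN = 1 << 14         # assumed: each of the two GIDs carries 14 bits
PAG_MAX = (1 << 28) - 1        # a PAG is 28 bits spread across the pair


def pag_to_groups(pag: int) -> tuple[int, int]:
    """Design 1: split a PAG into two GIDs inside the reserved range."""
    if not 0 <= pag <= PAG_MAX:
        raise ValueError("PAG out of range")
    hi, lo = pag >> 14, pag & (PAG_GID_SPAN - 1)
    return PAG_GID_BASE + hi, PAG_GID_BASE + lo


def groups_to_pag(groups: list[int]) -> Optional[int]:
    """Design 1 lookup: find an adjacent pair of GIDs in the reserved range
    and reassemble the PAG.  Returns None when no such pair exists.

    Note the overloading hazard the post complains about: any two ordinary
    groups that happen to fall in the reserved range decode as a 'PAG'.
    """
    def in_range(g: int) -> bool:
        return PAG_GID_BASE <= g < PAG_GID_BASE + PAG_GID_SPAN

    for g0, g1 in zip(groups, groups[1:]):
        if in_range(g0) and in_range(g1):
            return ((g0 - PAG_GID_BASE) << 14) | (g1 - PAG_GID_BASE)
    return None


@dataclass
class Credentials:
    """Design 2: every credential type lives behind one handle, including the
    local groups that /etc/group used to put directly in the group list."""
    local_gids: set[int] = field(default_factory=set)
    afs_tokens: dict[str, bytes] = field(default_factory=dict)   # cell -> token
    nfs_creds: dict[str, bytes] = field(default_factory=dict)    # server -> cred


class CredentialCache:
    """Design 2 lookup: the process group list holds a single opaque handle
    (assumed: any GID at or above HANDLE_BASE); the handle indexes this table."""
    HANDLE_BASE = 0x4000_0000  # assumed: GIDs here and above are handles, not groups

    def __init__(self) -> None:
        self._table: dict[int, Credentials] = {}
        self._next = 0

    def new_handle(self) -> int:
        handle = self.HANDLE_BASE + self._next
        self._next += 1
        self._table[handle] = Credentials()
        return handle

    def lookup(self, groups: list[int]) -> Optional[Credentials]:
        for g in groups:
            if g >= self.HANDLE_BASE:
                return self._table.get(g)
        return None

    def effective_gids(self, groups: list[int]) -> set[int]:
        """Local group membership comes from the credential store, so the
        supplementary list itself no longer needs to contain real groups."""
        creds = self.lookup(groups)
        return set(creds.local_gids) if creds else set()


if __name__ == "__main__":
    # Constructed sample: a process with one ordinary group plus a PAG pair.
    g0, g1 = pag_to_groups(0x123456)
    print("design 1 groups:", [100, g0, g1], "->", hex(groups_to_pag([100, g0, g1])))

    cache = CredentialCache()
    h = cache.new_handle()
    cache.lookup([h]).local_gids.update({100, 200})
    cache.lookup([h]).afs_tokens["example.cell"] = b"constructed-token"
    print("design 2 groups:", [h], "-> gids", cache.effective_gids([h]))
```

Two points the model makes concrete: in design 1 the decoder cannot tell a deliberately planted pair from two legitimate groups that land in the reserved range, which is exactly why a group list doubling as a credential carrier is fragile; in design 2 the handle is still just an integer in the group list, so whatever privilege governs changing the group list (setgroups) is what protects every credential type behind it, and the per-type structures gain nothing unless that boundary holds.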
