> The session key is _NOT_ a UNIX session, but a key shared across all processes descended via fork/vfork/clone/exec from the process where the keyring is originally set.
Ok. That's not the impression I got from previous discussion and from what I read of the documentation in earlier versions of David's code. I stand corrected, and thank you for clearing up the misunderstanding.
> My main point is, why do we need PAGs? You don't just have to store credentials in a keyring, you can store a (single) shared connection.
Things a PAG is not:
- a set of credentials
- a place to store things
- a 32-bit number
- a pair of funny groups
A PAG is a set of processes. In fact, it's very nearly identical to what you called a "key session". We do in fact need PAGs, or something equivalent. And, we need a way to "name" PAGs, so that we can label other data structures as to which PAG they belong to.
We're not tied to labelling PAGs with a 32-bit integer. It could easily be something else, like a larger integer or a pointer.
We're certainly not tied to representing processes' PAG membership as groups. It's just a kludge to get the job done. We hate it as much as anyone else. But it does get the job done.
However, we do need to be able to label open connections and cached access rights as to what PAG they belong to. Note that we're not talking about one open connection per PAG; we're talking about one open connection per PAG per fileserver. And we're not talking about a cached set of groups or SIDs or something; we're talking about cached data on individual files indicating what operations we are allowed to do on that file. So, it's not a couple of items per PAG; it could be in the tens of thousands.
We already have data structures and code which manages this information. That code is cross-platform, and we'd like to keep it that way. Introducing a pervasive platform-dependent difference in behaviour does not improve the maintainability of our code.
So, my question is... what do I use as a label?
>>> It's very fast, simple, and well designed
>> Says the guy who designed it. :-)
> I didn't design or write it. :-P I helped out David Howells by commenting on his code and design, but I did not code a single line for it.
Hm; that wasn't the impression I got during our previous discussion, around the time some of the design work was happening. But OK. I suppose I should say for the benefit of others reading that I wasn't trying to devalue your comment, just giving credit where I thought it was due.
We really do appreciate all the work you and David have done on this.
-- Jeff
_______________________________________________
OpenAFS-devel mailing list
https://lists.openafs.org/mailman/listinfo/openafs-devel
