On Jul 19, 2006, at 09:21, David Thompson wrote:
Ken Hornstein wrote:
Yes and no. The issue in our application is that we need to make many authentications quickly (mostly for the same pts ids over and over), and cannot afford the 1 pag per second cost to create a new pag each time we need one.
I guess I am missing something. How come you need to get a new pag to reauthenticate?
Think things like web servers that run authenticated as the (each)
web page author. Or, <scream volume="primal"> think things like
authenticated mail delivery.</scream> In either case, I have to
authenticate as the same principal over and over, and I can't wait
for a new pag for each request. So, I create (and authenticate) a
pag for each principal, and I can authenticate quickly via a
setgroups() call to select the appropriate authentication (pag).
Our implementation consists of more than that, but that's the core
of it.
Here's one approach.
I was working on an enhancement to Umich's 'mod_waklog', which seems
to use a different PAG for each web server process, so for each
authentication it wasn't getting a new PAG... but it WAS going
against the KDC to get AFS service tickets and turn them into
tokens. My enhancement (which I think pretty much worked, I really
need to get back to it and finish it up) was to cache the tokens for
each user in a shared memory pool, and just ktc_SetToken'ing it (if
it was still valid) into the existing PAG for that process.
I always thought mucking with groups was a little shaky, as you'd be beholden to the PAG-stuff continuing to be group-based. This way, if you've got ktc_SetToken & ktc_GetToken, you're good to go.
-rob
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
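The per-user token cache sketched in the last message, written out as an added example; this is not mod_waklog's code or anything Rob posted. It assumes a simplified token record instead of the real struct ktc_token, a simulated KDC fetch in place of the krb5 exchange, and a process-local table where mod_waklog would use a shared memory pool (which would also need a lock). The `skew` parameter is an assumption of this example: a token that will expire within that many seconds is refetched rather than handed to a request that might outlive it. The caller is expected to pass the returned record to ktc_SetToken against the process's existing PAG; that call is not made here, so the block runs offline.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed, simplified token record. A real AFS token (struct ktc_token)
 * carries the session key and the ticket; the cache only needs the
 * principal, the end time, and whatever ktc_SetToken will later be handed. */
#define MAX_SLOTS 64
#define NAME_LEN  64

typedef struct {
    bool          in_use;
    char          principal[NAME_LEN];
    time_t        expires;        /* token end time, epoch seconds */
    unsigned char ticket[16];     /* placeholder for the ticket bytes */
} cached_token;

typedef struct {
    cached_token  slots[MAX_SLOTS];
    unsigned long kdc_round_trips; /* how often we had to go to the KDC */
    unsigned long cache_hits;      /* how often a cached token was reused */
} token_cache;

void cache_init(token_cache *c) { memset(c, 0, sizeof *c); }

/* Stand-in for the expensive path: krb5 exchange plus conversion of the
 * AFS service ticket into a token. Here it only fills the slot. */
static void fetch_from_kdc(token_cache *c, cached_token *slot,
                           const char *principal, time_t now, time_t lifetime)
{
    c->kdc_round_trips++;
    memset(slot, 0, sizeof *slot);
    strncpy(slot->principal, principal, NAME_LEN - 1);
    slot->expires = now + lifetime;
    memset(slot->ticket, 0xAB, sizeof slot->ticket); /* constructed bytes */
    slot->in_use = true;
}

/* A token is only reusable if it will outlive the request it is handed to;
 * anything expiring within `skew` seconds is treated as already expired. */
static bool token_usable(const cached_token *t, time_t now, time_t skew)
{
    return t->in_use && t->expires > now + skew;
}

/* Return the principal's own slot if it has one; otherwise a slot we may
 * overwrite: an unused or expired one, or failing that the one expiring soonest. */
static cached_token *pick_slot(token_cache *c, const char *principal,
                               time_t now, time_t skew)
{
    for (int i = 0; i < MAX_SLOTS; i++)
        if (c->slots[i].in_use && strcmp(c->slots[i].principal, principal) == 0)
            return &c->slots[i];
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!token_usable(&c->slots[i], now, skew))
            return &c->slots[i];
    cached_token *victim = &c->slots[0];
    for (int i = 1; i < MAX_SLOTS; i++)
        if (c->slots[i].expires < victim->expires)
            victim = &c->slots[i];
    return victim;
}

/* Returns the token the caller should ktc_SetToken into the process's
 * existing PAG. Goes to the KDC only when nothing usable is cached. */
const cached_token *cache_get_token(token_cache *c, const char *principal,
                                    time_t now, time_t lifetime, time_t skew)
{
    cached_token *t = pick_slot(c, principal, now, skew);
    if (t->in_use && strcmp(t->principal, principal) == 0 &&
        token_usable(t, now, skew)) {
        c->cache_hits++;
        return t;
    }
    fetch_from_kdc(c, t, principal, now, lifetime);
    return t;
}

/* Scenario with constructed timestamps; returns 1 when the cache behaves. */
int cache_selftest(void)
{
    token_cache c;
    cache_init(&c);
    const cached_token *a1 = cache_get_token(&c, "alice", 1000, 600, 30);
    const cached_token *a2 = cache_get_token(&c, "alice", 1200, 600, 30);
    if (a1 != a2 || c.kdc_round_trips != 1 || c.cache_hits != 1) return 0;
    /* 1580 is inside the 30 s skew of the 1600 expiry: must refetch */
    const cached_token *a3 = cache_get_token(&c, "alice", 1580, 600, 30);
    if (c.kdc_round_trips != 2 || a3->expires != 2180) return 0;
    cache_get_token(&c, "bob", 1600, 600, 30); /* different user, cache miss */
    if (c.kdc_round_trips != 3 || c.cache_hits != 1) return 0;
    return 1;
}

int main(void)
{
    int ok = cache_selftest();
    printf("token cache self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The expiry check is the part worth keeping when adapting this: a cache that hands out whatever it last stored will happily set an expired token into the PAG and the request then fails in AFS rather than at authentication time. Because the pool holds credentials for every user the server has seen, it should live in memory only the server's own processes can map.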