> >The interesting thing about this thread, to me, is that we seem to
> >have people interested in pushing the envelope, and using new
> >userland capabilities to get better scoping semantics.
>
> The kernel hacks in AFS/DFS were only necessary because their respective
> filesystem drivers wanted to use those credentials instead of the standard
> Unix credentials. The reason we can have a discussion about userland
> solutions for Kerberos in general is because there are no kernel/filesystem
> considerations to muddy the water, the information is only needed in
> userland. If you decide that you want a credential cache that will also
> work for AFS and OpenDCE then efficiency will dictate bringing us back to
> kernel mode.

It's not just AFS and OpenDCE (does anyone use OpenDCE?). NFSv4 and Lustre are two other kernel-level filesystems that want to share credentials with userspace. The Linux kernel keyring model looks like it has potential to support a lot of these things, and it has buy-in from the Linux community. If we are going to do anything with more advanced credential sharing/management, it needs to take advantage of OS-kernel features for secure keyrings on platforms that have it. I would also suggest that those interested in other platforms also lobby the platform developers.

_______________________________________________
OpenAFS-devel mailing list
OpenAFS-devel@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-devel