On Sunday, February 25, 2007 04:21:45 PM -0600 Nicolas Williams <[EMAIL PROTECTED]> wrote:

> A while back I designed such an API, which I called the generic
> credential store API (GCS-API) that provides a way to get a handle to
> the current credential store for a given thread, process, session or
> user, a way to associate a credential store handle with a thread,
> process, session or user, a way to list the credentials references in a
> store, and so on.

Note that while you can do that, it doesn't actually answer AFS's need, which goes beyond merely storing credentials. We also have to be able to associate a PAG(*) with cached connection state and access control data, which is threaded through other data structures in a way we can't easily change for each platform. That means it's necessary for each PAG to actually have a unique, long-lived, unforgeable identifier.


(*) "PAG" is short for "Process Authentication Group". Some people are apparently confused about what this means, so I thought I'd try to clarify up front -- a PAG is a set of processes, not a place to store credentials. AFS does track credentials on a per-PAG basis, but the essential thing we need from an OS is not a credential store; it's a way to obtain the identifier for the PAG to which a given process belongs.

-- Jeff
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
