[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MEMORY credential cache interop between Heimdal and MIT?

To: heimdal-discuss@sics.se, Howard Chu <hyc@highlandsun.com>
Subject: Re: MEMORY credential cache interop between Heimdal and MIT?
From: Troy Benjegerdes <hozer@hozed.org>
Date: Wed, 29 Aug 2007 17:34:05 -0500
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>, OpenAFS Devel <openafs-devel@openafs.org>
In-Reply-To: <46D5E877.2030508@highlandsun.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <46D4D0CD.3050003@highlandsun.com> <20070828223248.a5e62570.miallen@ioplex.com> <46D4DEAA.1030407@highlandsun.com> <20070828231655.f17fa922.miallen@ioplex.com> <46D4EE4C.8070405@highlandsun.com> <46D4F025.50600@highlandsun.com> <20070829120921.f8fe84e1.miallen@ioplex.com> <46D5A2F3.3010603@highlandsun.com> <F422B16A-AFED-4DC2-AEEA-2D2F08A8895B@jpl.nasa.gov> <46D5E877.2030508@highlandsun.com>
Reply-To: heimdal-discuss@sics.se, Troy Benjegerdes <hozer@hozed.org>
User-Agent: Mutt/1.5.13 (2006-08-11)

> >The interesting thing about this thread, to me, is that we seem to  
> >have people interested in pushing the envelope, and using new  
> >userland capabilities to get better scoping semantics.
> 
> The kernel hacks in AFS/DFS were only necessary because their respective 
> filesystem drivers wanted to use those credentials instead of the standard 
> Unix credentials. The reason we can have a discussion about userland 
> solutions for Kerberos in general is because there are no kernel/filesystem 
> considerations to muddy the water, the information is only needed in 
> userland. If you decide that you want a credential cache that will also 
> work for AFS and OpenDCE then efficiency will dictate bringing us back to 
> kernel mode.

It's not just AFS and OpenDCE (does anyone use OpenDCE?).. NFSv4 and
Lustre are two other kernel-level filesystems that want to share
credentials with userspace.

The linux kernel keyring model looks like it has potential to support a
lot of these things, and it has buy-in from the linux community. If we
are going to do anything with more advanced credential
sharing/management, it needs to take advantage of OS-kernel features for
secure keyrings on platforms that have it. I would also suggest that
those interested in other platforms also lobby the platform developers.

References:
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: Re: MEMORY credential cache interop between Heimdal and MIT?
Next by Date: Cool, Thanks!
Prev by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Next by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Index(es):
- Date
- Thread