On Dec 18, 2013, at 12:17 PM, Chuck Lever <[email protected]> wrote:
> This series adds RPCSEC GSS support to our FedFS ADMIN protocol
> server.
>
> To make authentication meaningful, I added an access authorization
> mechanism where the fileserver administrator can list users (either
> AUTH_SYS or Kerberos principals) that are allowed to perform ADMIN
> operations.
>
> There are some libtirpc limitations at this time that make RPCSEC
> GSS support provisional. For example:
>
> 1. The new rpc.fedfsd access authorization mechanism recognizes
>    various GSS service levels that are allowed. The fileserver
>    administrator can use this to prevent access via clear-text
>    security levels, for example.
>
>    However, libtirpc does not currently export APIs that expose
>    a client's GSS service level, so limiting access by service
>    does not work at this time.
>
> 2. The server-side RPCSEC GSS implementation in libtirpc currently
>    supports only one GSS credential at a time. If more than one
>    ADMIN client attempts to perform ADMIN operations concurrently
>    using GSS security, they will step on each other's GSS context.
>
> I'm working on libtirpc updates that should allow GSS support in
> rpc.fedfsd to be fully operational in fedfs-utils 0.11.

By the way, review period ends Thursday, December 26, 2013 at midnight ET.

>
> ---
>
> Chuck Lever (5):
>       contrib: run rpcfedfsd.service after network.target is started
>       fedfsd: Clean up fedfsd.h
>       fedfsd: Control access to ADMIN service
>       fedfsd: Add RPCSEC_GSS support to fedfsd
>       README: Remove warnings about fedfsd
>
>
>  Makefile.am                    |    2
>  README                         |   53 ++--
>  configure.ac                   |    8 +
>  contrib/init/rpcfedfsd.service |    2
>  doc/man/rpc.fedfsd.8           |   65 ++++-
>  src/fedfsd/Makefile.am         |    5
>  src/fedfsd/access.c            |  554 ++++++++++++++++++++++++++++++++++++++++
>  src/fedfsd/fedfsd.h            |   26 ++
>  src/fedfsd/gss.c               |  180 +++++++++++++
>  src/fedfsd/main.c              |    6
>  src/fedfsd/svc.c               |   44 +++
>  sysconf/Makefile.am            |   29 ++
>  sysconf/fedfsd/access.conf     |   55 ++++
>  13 files changed, 982 insertions(+), 47 deletions(-)
>  create mode 100644 src/fedfsd/access.c
>  create mode 100644 src/fedfsd/gss.c
>  create mode 100644 sysconf/Makefile.am
>  create mode 100644 sysconf/fedfsd/access.conf
>
> --
> Chuck Lever
>
> _______________________________________________
> fedfs-utils-devel mailing list
> [email protected]
> https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
