On 10/27/06, Leggett, Jeff <[EMAIL PROTECTED]> wrote:
> Hi, Sorry if these are covered somewhere, but my Architecture team is
> having issues with my proposal to evaluate AFS as part of an
> Environmental Segregation project.  We have an issue where we have four
> distinct environments, that are basically mirrors of each other.  From
> what I am reading, it seems AFS would provide some functionality to
> allow us to segregate application environments (in conjunction with
> other tools).  Our four environments are:
>
> Dev - Development
> SIT - System Integration Testing
> UAT - User Acceptance Testing
> PRD - Production
>
> We want to limit developers having access to say UAT and PRD, QA people
> from getting into DEV, etc.  Am I completely off-base in thinking that
> this is possible?  From what I read, a combination of authentication
> mechanisms with AFS ACLs would allow this.  I realize a big piece of
> this would be the network segregation part, but it seems like AFS would
> go a long way toward letting us maintain a mirrored application arena
> for each.  Does this make sense?

Yes; as long as you have one sys admin group who you trust with admin
rights to all of the data, then this can be trivially accomplished
with a single AFS cell, and a well-maintained set of groups and ACLs.
In this respect it is very similar to CIFS.

If you need to have separate servers with separate sets of admins,
then I'm pretty sure you would have to have multiple AFS cells (a
single AFS cell can have any number of servers, but I am pretty sure
that if you have root on any of those servers, then you can in theory
access data on any other server); however because of the AFS global
namespace, this is significantly less annoying than would be the case
with multiple NFS servers (and they could pretty much be exact images
of each other sans a few config files), and you could set up trust
relationships between the various Kerberos domains associated with
each AFS cell, or if there is a common trusted Active Directory
domain, you could use that for authentication.

> My team is rather adamantly opposed to this idea as AFS has a horrible
> reputation as a nightmare to integrate.  Has that improved?  I have not
> used AFS since my days at IBM in the early 90's (Damn that makes me feel
> old to type that).

I find AFS to be somewhat harder to set up than NFS, but significantly
easier to admin in the long run, from both the client and server
perspectives. Also I'm very afraid if E*TRADE is using NFSv3 in any
capacity due to the complete insecurity of that protocol; a good doc
on this is at http://www.usenix.org/publications/login/2005-02/pdfs/musings.pdf

--
Daniel Joseph Barnhart Clark
http://www.pobox.com/users/dclark
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
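The single-cell layout Daniel describes (one trusted admin group, one pts group per environment, an ACL on each environment's root) can be written down as a short provisioning script. The block below is an added example, not code from the thread or from the OpenAFS project; the cell name example.com, fileserver afs1, partition /vicepa, the admin user afsadmin that owns the groups, the operator group afsadmin:operators and the sample users jdoe and qa1 are all constructed. The pts, vos and fs commands and flags it emits are the standard OpenAFS ones.

```shell
#!/bin/sh
# Added example, not from the thread: carve one AFS cell into per-environment
# trees (dev, sit, uat, prd), each guarded by its own pts group and ACL.
# Constructed assumptions: cell example.com, fileserver afs1, partition
# /vicepa, an admin user "afsadmin" that owns the groups, and an operator
# group "afsadmin:operators" that keeps full rights everywhere.
# DRY_RUN=1 prints each pts/vos/fs command instead of running it, so the
# plan can be reviewed before it touches the cell.

CELL="${CELL:-example.com}"
SERVER="${SERVER:-afs1}"
PART="${PART:-/vicepa}"
OWNER="${OWNER:-afsadmin}"
ADMINS="$OWNER:operators"
ENVS="dev sit uat prd"

# Execute the command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# pts group that owns an environment's tree, e.g. afsadmin:dev
env_group() { printf '%s:%s\n' "$OWNER" "$1"; }

# One volume, one mount point and one ACL per environment.
provision_env() {
  envname="$1"
  grp="$(env_group "$envname")"
  dir="/afs/$CELL/$envname"
  run pts creategroup -name "$grp" -owner "$OWNER"
  run vos create -server "$SERVER" -partition "$PART" -name "$envname"
  run fs mkmount -dir "$dir" -vol "$envname"
  # -clear replaces whatever ACL the new volume root came with, so only these
  # two entries remain; rlidwka = read lookup insert delete write lock administer.
  run fs setacl -dir "$dir" -clear -acl "$grp" rlidwka "$ADMINS" rlidwka
}

# Put a user into exactly the environments they should reach.
grant_user() {  # grant_user <user> <env>...
  user="$1"; shift
  for envname in "$@"; do
    run pts adduser -user "$user" -group "$(env_group "$envname")"
  done
}

# Negative entry: rights listed here are subtracted even if another entry
# (or a second group membership) would have granted them.
deny_group_on_env() {  # deny_group_on_env <group> <env>
  run fs setacl -dir "/afs/$CELL/$2" -negative -acl "$1" rlidwka
}

# Show the resulting ACL on an environment root for review.
show_env() { run fs listacl -path "/afs/$CELL/$1"; }

plan_all() {
  run pts creategroup -name "$ADMINS" -owner "$OWNER"
  for envname in $ENVS; do provision_env "$envname"; done
  grant_user jdoe dev sit   # constructed developer: dev and sit only
  grant_user qa1 sit uat    # constructed QA user: sit and uat only
  deny_group_on_env "$(env_group dev)" prd
  for envname in $ENVS; do show_env "$envname"; done
}

# Usage: DRY_RUN=1 sh afs-envs.sh plan   (review), then sh afs-envs.sh plan
if [ "${1:-}" = "plan" ]; then plan_all; fi
```

The point of the layout is that membership in afsadmin:dev, afsadmin:sit and so on is the only thing that separates the environments, so reviewing who is in each group (pts membership) and what each root ACL says (fs listacl) is the whole audit. The negative entry on prd for the dev group is belt and braces: it holds even if someone later adds a developer to a group that has rights there.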
