[OpenAFS] New Cell setup - ideas?
Tom Keiser
tkeiser@sinenomine.net
Wed, 27 Jan 2010 23:17:56 -0500
On Wed, Jan 27, 2010 at 3:22 AM, Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
> - -no single user (person) should be identified accessing that data by
> sharing organization (to see which department is fine, but not the
> single persons of the accessing department)
>
The AFS-3 security model _cannot_ satisfy this anonymization
requirement. With the current security model, each file server must
know the identity of the caller in order to perform RPC authorization.
I suppose you could give them file server binaries with auditing
support disabled, call back table dump support disabled, and then hope
that the satellite site admins don't know enough about AFS to dissect
rxkad clear packets, file server cores, or use cmdebug to make
educated inferences. But then again, if they know enough to do any of
that, then I suppose they also know that the KeyFile effectively gives
them full control over the entire distributed infrastructure.
Cheers,
-Tom