[AFS3-std] Re: Thoughts on SetCallBackKey and token format

Benjamin Kaduk kaduk@MIT.EDU
Tue, 4 Feb 2014 20:24:41 -0500 (EST)


On Mon, 3 Feb 2014, Benjamin Kaduk wrote:

> To fulfill the last point, we could potentially use a separate field in file 
> server tokens to store the CM identity (and ~require different data 
> structures for dbserver and fileserver tokens), but my proposal keeps a 
> single identities list and uniform token data structure, calling out the last 
> identity in the list as the cache manager identity.  To account for the case 
> when the token1 argument to AFSCombineTokens is empty, I create a new kind of 
> PrAuthName (PRAUTHTYPE_EMPTY) to use as a placeholder.
> Since extended callbacks require a CM identity, it's easy to check what's 
> where.

It seems that I have been thinking about this some more, and the thinking 
has been finding reasons to use a separate field for the CM identity.
I wrote "~require" above, since I had originally thought it was a strict 
requirement but noted as I was writing the email that we could just leave 
a field unused in non-fileserver tokens (much as the appdata field of the 
authenticator is only presently used for the UUID of a cache manager); the 
extra word to indicate a zero-length array is actually smaller in the 
encoded blob than the three words that would be needed for 
PRAUTHTYPE_EMPTY and two length zeros (for the data and display parts). 
The real "killer feature", though, is that a combined token could be used 
as the CM identity.  Thus, a two-user machine without a keytab could have 
the CM take two user tokens, combine them with regular CombineTokens, and 
use the result as its CM identity.  The resulting key would not be 
determinable without collusion between both users, so no one user can 
corrupt the cache for the other.  (This does make keeping a non-expired CM 
token around a bit harder, but if we allow the fileserver to maintain a 
handful of the (UUID, identity, key) triples, the transitions should not 
be too bad.)

If there are no flaws in that reasoning, I can write it up as an -05.

-Ben