[OpenAFS-devel] Re: [OpenAFS] 2.6 kernel support anytime soon? Workarounds?

Todd M. Lewis Todd_Lewis@unc.edu
Wed, 12 May 2004 11:38:44 -0400


Douglas E. Engert wrote:
> 
> Derrick J Brashear wrote:
> 
>> Ok, that's great. So, what should we do about it?

Reimplement groups. No, really.

> Is there another way to look at the PAG problem rather than having to
> use the groups? Using the groups to store a PAG was a convenience for 
> the AFS Kernel routines to find credentials associated with a process,
> but does not appear to be a requirement. 

There is no other way. The reason passing a PAG as a special pair of 
groups gives us the right semantics across a dozen platforms is because 
PAGs do what "regular" groups were supposed to do.

The sad part is, groups just don't cut it anymore. The /etc/groups is a 
poor substitute for ptserver, and -rwxrwxrwx is a poor substitute for 
file level ACLs. The process supplemental groups list should become a 
generic credential handle cache with no specific groups in it. Instead, 
those groups should be stored in a "local" credential structure just 
like AFS tokens, the coming NFS credentials, and as yet unthought of 
credentials, respectively, should be stored.

Reimplementing local groups as just one of many credentials mechanisms 
would be a big shift, but the supplemental groups list has exactly the 
right semantics; recreating those semantics via another mechanism is 
just wrong -- aesthetically wrong in the sense that it'll never make it 
past the kernel developers. The major changes of late that have made the 
cut do just the opposite; they generalize similar redundant mechanisms. 
It would have to be really well done so that current group handling 
doesn't take a significant hit. The kernel gatekeepers aren't going to 
take such a change unless there are obvious payoffs. Perhaps with NFS 
also needing such a facility, and NFS being more palatable to the kernel 
guys, they might at least give it a look.

Yeah, I'm supposed to provide the patch with such a suggestion. Sorry. 
But I'm firmly convinced that PAGs are not the bag-on-the-side of the 
existing groups facility, but rather unix groups were the good enough 
for the times bag-on-the-side implementation from back before we 
understood what credentials really were or what they could do for us.

Cheers,
-- 
    +--------------------------------------------------------------+
   / Todd_Lewis@unc.edu  919-962-5273  http://www.unc.edu/~utoddl /
  /        Marriage is the mourning after the knot before.       /
+--------------------------------------------------------------+
p.s.: Yes, I'm the guy that suggested eliminating tabs from the OpenAFS 
sources. Radical ideas for radical times, no?