[OpenAFS-devel] Re: openafs / opendfs collaboration

Kyle Moffett mrmacman_g4@mac.com
Tue, 25 Jan 2005 17:28:42 -0500


On Jan 25, 2005, at 07:53, Todd M. Lewis wrote:
> Kyle Moffett wrote:
>> The keyring stuff essentially allows you to associate arbitrary BLOBs
>> with processes via a simple kernel interface.  OpenAFS could store
>> the credentials in a session keyring and all processes in that
>> session would have access to the credentials.  Then OpenAFS could
>> just run a key search for the credentials when it needs to perform
>> operations (such as passing them to the server) with them.  It's very
>> fast, simple, and well designed.
>
> This is encouraging. How closely do the semantics of "session keyring
> and all processes in that session" match those of PAGs?  (Group
> membership inheritance across fork/exec seems pretty clear; sessions
> have always seemed a little fuzzy to me.)

I describe this in more detail in my other email, but basically a given
"key-session" is preserved across clone/fork/vfork/exec.  The only
way to change "key-session"s is with the keyctl syscall, using
PR_JOIN_SESSION_KEYRING to join an existing keyring or create a new
anonymous one.

Actually, Jeffrey Hutzelman has an excellent summary of the other kinds
of "sessions" on Linux in his email; he just doesn't have the specifics
right for "key-sessions".

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r !y?(-)
------END GEEK CODE BLOCK------
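
The following is an added example, not part of the original message and not OpenAFS code. It shows the two properties discussed above with raw Linux syscalls: a key placed in the session keyring is found by a forked child, and the child stops finding it once it joins a new anonymous session keyring. The join uses the keyctl operation that `<linux/keyctl.h>` names `KEYCTL_JOIN_SESSION_KEYRING`; the key description and payload are constructed sample values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values from <linux/keyctl.h>, repeated so this builds without kernel headers. */
static const long JOIN_SESSION = 1, SEARCH = 10, SESSION_KEYRING = -3;
#define DESC "demo:afs-token" /* hypothetical key description */

/* Search the caller's session keyring; returns key serial or -1 with errno. */
static long find_token(void) {
    return syscall(SYS_keyctl, SEARCH, SESSION_KEYRING, "user", DESC, 0L);
}

/* Runs in the child: bit 0 = key visible right after fork,
 * bit 1 = key no longer found after joining a new anonymous session keyring. */
static int child_view(void) {
    int inherited = find_token() > 0;
    if (syscall(SYS_keyctl, JOIN_SESSION, NULL) < 0) return 0xff;
    int isolated = find_token() < 0 && errno == ENOKEY;
    return inherited | (isolated << 1);
}

/* Returns 3 if both properties hold, -1 if the keyring syscalls are
 * unavailable (for example blocked by a container seccomp profile). */
int keyring_session_demo(void) {
    const char blob[] = "constructed-credential-blob"; /* sample data */
    /* Fresh anonymous session keyring: leaves the caller's real keys alone. */
    if (syscall(SYS_keyctl, JOIN_SESSION, NULL) < 0) return -1;
    if (syscall(SYS_add_key, "user", DESC, blob, sizeof blob, SESSION_KEYRING) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_view());
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0xff ? -1 : WEXITSTATUS(st);
}

int main(void) {
    int r = keyring_session_demo();
    if (r < 0) { fprintf(stderr, "keyring syscalls unavailable here\n"); return 1; }
    printf("inherited across fork: %d, isolated after join: %d\n", r & 1, (r >> 1) & 1);
    return r == 3 ? 0 : 2;
}
```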