[OpenAFS-devel] "prdb extensions" vs gssklog-map

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 24 Oct 2005 12:26:01 -0400


On Sunday, October 23, 2005 09:53:37 PM -0700 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

>
> Just checking if I understand this correctly... the "prdb extensions"
> described here:
>
>   http://www.afsig.se/snipsnap/space/prdb+extensions
>
> amount to a generalization of pts that would let it do what gssklogd
> currently does, right?  And, if I'm not mistaken, the new API calls
> serve a function similar to gssklogd's "gssklog-map" file, right?

These extensions serve a similar purpose, but in a somewhat different way.
Because the fileserver constructs a client's PTS name from its Kerberos
principal name, only a limited set of mappings are possible.  The new
architecture moves the responsibility for mapping credentials onto PTS
entries to a central location (the ptserver), allowing both mechanical
name transformations and specific, individual mappings.

Jeff noted a variety of benefits of this model, but with something of an
emphasis on auditing and the needs of certain agencies and companies.
It's worth noting that while these extensions would be useful to those
users, they are not the only reason to have them.  In my (admittedly
biased) opinion, the proposed changes result in a much cleaner design,
improved flexibility, and (eventually) eliminate the need for external
tools like gssklog.

-- Jeff