[OpenAFS-devel] setgroups() fails to change pag under linux 2.6
Robert Banz
banz@umbc.edu
Wed, 19 Jul 2006 11:49:44 -0400
On Jul 19, 2006, at 09:21, David Thompson wrote:
> Ken Hornstein wrote:
>>> Yes and no. The issue in our application is that we need to make many
>>> authentications quickly (mostly for the same pts ids over and over), and
>>> cannot afford the 1 pag per second cost to create a new pag each time we need
>>> one.
>>
>> I guess I am missing something. How come you need to get a new pag to
>> reauthenticate?
>
> Think things like web servers that run authenticated as the (each)
> web page author. Or, <scream volume="primal"> think things like
> authenticated mail delivery.</scream> In either case, I have to
> authenticate as the same principal over and over, and I can't wait
> for a new pag for each request. So, I create (and authenticate) a
> pag for each principal, and I can authenticate quickly via a
> setgroups() call to select the appropriate authentication (pag).
>
> Our implementation consists of more than that, but that's the core
> of it.

Here's one approach.

I was working on an enhancement to Umich's 'mod_waklog', which seems
to use a different PAG for each web server process, so for each
authentication it wasn't getting a new PAG... but it WAS going
against the KDC to get AFS service tickets and turn them into
tokens. My enhancement (which I think pretty much worked, I really
need to get back to it and finish it up) was to cache the tokens for
each user in a shared memory pool, and just ktc_SetToken'ing it (if
it was still valid) into the existing PAG for that process.

I always thought mucking with groups was a little shaky, as you'd be
beholden to the PAG-stuff continuing to be group-based. This way, if
you've got ktc_SetToken & ktc_GetToken, you're good to go.

-rob
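
The per-user token cache described in the message above, sketched as an added example that is not part of the original post and not mod_waklog or OpenAFS code. The `entry` layout, the table size, the 300-second skew and `stub_install` (a stand-in for the ktc_SetToken step) are all assumptions; a real module would keep the table in shared memory and call into the AFS libraries.

```c
#include <string.h>
#include <time.h>

#define SLOTS 32
#define SKEW  300  /* assumed: treat a token this close to expiry as stale */

/* Hypothetical cache entry; blob stands in for the serialized AFS token. */
struct entry {
    char user[64];
    unsigned char blob[256];
    size_t len;
    time_t end_time;
};

static struct entry cache[SLOTS]; /* a real module would place this in shared memory */
int install_calls;                /* counts calls to the stand-in below */

/* Stand-in for the ktc_SetToken step; a real module would call the AFS library here. */
int stub_install(const struct entry *e) { (void)e; install_calls++; return 0; }

static struct entry *lookup(const char *user) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].user[0] && strcmp(cache[i].user, user) == 0)
            return &cache[i];
    return NULL;
}

/* Store a freshly obtained token; returns 0 on success, -1 if it does not fit. */
int cache_store(const char *user, const void *blob, size_t len, time_t end_time) {
    struct entry *e = lookup(user);
    if (!*user || strlen(user) >= sizeof e->user || len > sizeof e->blob) return -1;
    for (int i = 0; !e && i < SLOTS; i++)
        if (!cache[i].user[0]) e = &cache[i];
    if (!e) return -1;                /* cache full */
    memset(e, 0, sizeof *e);
    strcpy(e->user, user);
    memcpy(e->blob, blob, len);
    e->len = len;
    e->end_time = end_time;
    return 0;
}

/* 1 = cached token installed, 0 = miss or stale (caller goes to the KDC), -1 = install failed. */
int cache_install(const char *user, time_t now, int (*install)(const struct entry *)) {
    struct entry *e = lookup(user);
    if (!e) return 0;
    if (e->end_time <= now + SKEW) {  /* expired or about to: wipe the secret, force refresh */
        memset(e, 0, sizeof *e);
        return 0;
    }
    return install(e) == 0 ? 1 : -1;
}
```

Because the table holds live credentials for many users, the segment backing it should be readable only by the server processes, and stale entries are wiped rather than left in place.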