[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Harald Barth haba@pdc.kth.se
Wed, 22 Mar 2006 11:04:59 +0100 (MET)


Hi there!

Alexis wrote about the $USER:
> They want to be prompted for tickets when they need new ones (or have  
> them automatically acquired in the pkinit case).

Just my 0.50SEK: In that case the apps accessing the file system must
get a lot smarter. I don't even know if they could do the job without
a crystal ball.

Take the Finder. Say my box is in the pdc.kth.se cell by default,
authenticated in the NADA.KTH.SE realm. Now I go down into
/afs/stacken.kth.se/home/haba and open something. One of the questions
is if it should be opened for reading or writing? The ACLs of what I'm
opening indicate that haba@STACKEN.KTH.SE has full access, but there is
also a group containing haba@NADA.KTH.SE and haba@KTH.SE which has r/w
access but not administer. So should Finder try to obtain a cross-realm
ticket, or prompt me for a new password for haba@STACKEN.KTH.SE? Or
haba@KTH.SE? And can the Finder detect which tokens actually work in
the end, because cross-realm with NADA.KTH.SE is broken and with KTH.SE
works this week? If all fails, will I be prompted for
haba/admin@STACKEN.KTH.SE, which is in system:administrators?

I don't say it is impossible. But for an application that is still
dumber than mv (which does detect a cross-volume rename() and does the
right thing), it seems to be an overwhelming task to even be able to
ask the user the right questions.

And I'm feeling that I have just scratched the surface. So there will
be the need for some graphical thingie that displays AFS's view of
which credentials are valid, and then a way to tie them to apps or
the other way around. Today I do that with some scripts and pagsh
and so on, but that is so 90s ;-)

Harald.