[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Troy Benjegerdes hozer@hozed.org
Wed, 29 Aug 2007 17:34:05 -0500


> >The interesting thing about this thread, to me, is that we seem to  
> >have people interested in pushing the envelope, and using new  
> >userland capabilities to get better scoping semantics.
> 
> The kernel hacks in AFS/DFS were only necessary because their respective 
> filesystem drivers wanted to use those credentials instead of the standard 
> Unix credentials. The reason we can have a discussion about userland 
> solutions for Kerberos in general is because there are no kernel/filesystem 
> considerations to muddy the water, the information is only needed in 
> userland. If you decide that you want a credential cache that will also 
> work for AFS and OpenDCE then efficiency will dictate bringing us back to 
> kernel mode.

It's not just AFS and OpenDCE (does anyone use OpenDCE?). NFSv4 and
Lustre are two other kernel-level filesystems that want to share
credentials with userspace.

The Linux kernel keyring model looks like it has potential to support a
lot of these things, and it has buy-in from the Linux community. If we
are going to do anything with more advanced credential
sharing/management, it needs to take advantage of OS-kernel features for
secure keyrings on platforms that have it. I would also suggest that
those interested in other platforms also lobby the platform developers.