[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Troy Benjegerdes
hozer@hozed.org
Wed, 29 Aug 2007 17:34:05 -0500
> >The interesting thing about this thread, to me, is that we seem to
> >have people interested in pushing the envelope, and using new
> >userland capabilities to get better scoping semantics.
>
> The kernel hacks in AFS/DFS were only necessary because their respective
> filesystem drivers wanted to use those credentials instead of the standard
> Unix credentials. The reason we can have a discussion about userland
> solutions for Kerberos in general is because there are no kernel/filesystem
> considerations to muddy the water, the information is only needed in
> userland. If you decide that you want a credential cache that will also
> work for AFS and OpenDCE then efficiency will dictate bringing us back to
> kernel mode.
It's not just AFS and OpenDCE (does anyone use OpenDCE?). NFSv4 and
Lustre are two other kernel-level filesystems that want to share
credentials with userspace.
The Linux kernel keyring model looks like it has potential to support a
lot of these things, and it has buy-in from the Linux community. If we
are going to do anything with more advanced credential
sharing/management, it needs to take advantage of OS-kernel features for
secure keyrings on platforms that have it. I would also suggest that
those interested in other platforms also lobby the platform developers.