[OpenAFS-devel] Re: rxk5 branch is ready; please test

[Jeffrey Hutzelman]

--On Tuesday, January 15, 2008 10:46:55 PM -0500 Derrick Brashear 
<shadow@gmail.com> wrote:

> On Jan 6, 2008 2:08 PM, Adam Megacz <megacz@hcoop.net> wrote:
>
>>
>> Jim Rees <rees@umich.edu> writes:
>> > Please test this code.  Even if you don't plan to use any of the rxk5
>> > features, please build it and report back here.
>>
>> I had heard rumors that rxk5 might (eventually) include support for
>> using a different KeyFile on each fileserver.  Is this functionality
>> on the branch by any chance?
>>
>>
>>
>
> rxgk was going to. rxk5, news to me.

At the rxgk hackathon last year, we discussed and in some cases designed 
the mechanisms that would be necessary to make this happen, as well as to 
handle secure negotiation of security classes in a mixed-mode cell.  The 
solutions we came up with were not specific to rxgk, but also have largely 
not been implemented.  Note that supporting separate service keys for each 
server is _very_ complex; it not only requires the cache manager to 
discover the correct service principals and maintain separate sets of 
tickets for each server, but also for a variety of administrative tools to 
handle using different tickets to talk to different servers, as when you 
use 'vos' to perform an operation that requires both updating the VLDB and 
performing volume operations on one or more servers.  It also makes volume 
moves and releases considerably more complex.  And that's just the start.

So, don't go looking for this functionality any time soon.  It's harder 
than it looks, and not real high on most people's priority lists.

-- Jeff