[OpenAFS-devel] Re: rxkad.keytab rotation
Benjamin Kaduk
kaduk@MIT.EDU
Fri, 8 Nov 2013 20:52:58 -0500 (EST)
On Fri, 8 Nov 2013, Andrew Deason wrote:
> On Fri, 8 Nov 2013 11:32:42 -0500
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
> I'll get to it soon :) I just had a couple of urgent things hit me
> recently.

Okay, I'll look for it to review.

>> (*) I seem to recall a couple of places where various ubik recovery
>> scenarios could lead to refreshing credentials, but I think these are
>> rare.
>
> We can reinitialize the _conn_ sometimes, but ubik_CRXSecurityProc is
> only ever called once, in ubeacon_InitServerListCommon.

Oh, great, this is one of those things which is different between 1.6 and
master. On master, it looks like afsconf_ClientAuth is assigned to
secLayerProc and ubik_CRXSecurityProc is unused.

ubeacon_InitSecurityClass() is called in ubeacon_ReinitServer(), which is
called in urecovery_LostServer(), which is called at two places in the
logic of ubeacon_Interact(). I didn't go and re-trace what scenarios
those call sites correspond to, though.

Looking at 1.6, ubik_CRXSecurityProc is called in
ubeacon_InitServerListCommon, which is called from ubeacon_InitServerList*
(for appropriate values of '*'). This is called from
ubik_ServerInitCommon(), called by ubik_ServerInit* (ibid). This is, in
fact, only called at startup of the individual servers (from main() or
similar), so you're right.

I have the strangest feeling of deja vu ... probably because of
https://rt.central.org/rt/Ticket/Display.html?id=131591#txn-456805 and
https://rt.central.org/rt/Ticket/Display.html?id=131591#txn-456809 .

Sigh.

-Ben