[OpenAFS-devel] Initial implementation of RestrictedQuery, please comment (was: Re: Lockdown for VL and VOL RPC interfaces for non-authenticated user)

Gergely Risko gergely@risko.hu
Tue, 18 Mar 2014 12:03:55 +0100


Hi all,

I have an initial implementation for the feature that I call
RestrictedQuery (feel free to suggest alternative names, I'm not
attached to it).

The patch can be seen here:
https://github.com/nilcons/openafs/commit/d39157c3580ba3ca42c6c5311f0e27088b2f01c0

After applying and recompiling and restarting vlserver and volserver,
you have to touch /etc/openafs/server/RestrictedQuery to enable the
feature (by default it's off).

Interesting things that I discovered:
  - afs-newcell.pl is kind of broken, but easy to fix; maybe I should
    hack around a bit more and update the documentation. I have a
    start here:
    https://github.com/nilcons/openafs/commit/a84f74450ef0e89abcb7537485a9aff522651011
  - Jeffrey missed the VL_ListEntry RPC in his list, but otherwise his
    list was complete and very helpful;
  - the PR server can be firewalled altogether, and after using aklog
    with the -noprdb option everything seems to be working (I'll check
    Windows and MacOS later today):
    - for fs listacl and fs setacl you don't need ptserver access even
      if you're using names,
    - of course you can't access membership listing and other ptserver stuff.

This patch is deployed with the option enabled at /afs/nilcons.com; feel
free to send random RPCs to us and hack around.

Currently, when the restriction is on, only administrators are
allowed to execute the RPCs.  I'm willing to implement the authuser
option if there is really someone around who would set it.  But the
authuser+guest cells feature seems complicated enough to create in
a separate patch later.

I also have some new questions, maybe a bit controversial:

  - would anything break if we didn't return the volume name when
    GetVolumeByID is used by an unauthenticated caller?  Or if we
    returned an anonymized fake name, but still returned the correct name
    when you're authenticated (or an administrator)?  Is that OK with the
    IBM guys?

  - is the option handling like this (etc/RestrictedQuery) OK?  Or
    should we do something more complicated?  I'd rather not.

Comments, reviews?  Should I go ahead and start the discussion instead
in gerrit?

Thanks,
Gergely