[OpenAFS-devel] Re: Initial implementation of RestrictedQuery, please comment

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 18 Mar 2014 13:22:01 -0400


On Tue, 2014-03-18 at 12:07 -0500, Andrew Deason wrote:

> With an anonymous connection, all you have is an IP, which is not great.
> Requiring an rxkad-authenticated connection would give you a krb5
> principal name (possibly restricted to specific realms), which is
> better. This becomes useless if you can create a kind of anonymous krb5
> identity (I think this is possible in some setups? or it's being
> discussed?), but the krb5 administrator should be able to control that.

Yes, Kerberos has a mechanism for "anonymous" authentication, where the
server doesn't get to know the client's identity, and the KDC may not
even know it.  That has to be enabled at the KDC, and shows up to
application servers primarily as a special principal name.  For services
that do "real" authorization, rather than "anyone who can get a ticket",
this is not an issue.  If you're going to add that type of lightweight
"authorization" to AFS, you should exclude anonymous principals.

Probably, rxkad should refuse krb5 tickets for the anonymous principal,
or something.  Though it might not be a stretch to consider an anonymous
foreign-realm user to be a member of system:authuser@that.realm.
However, that would be a separate patch.


> I'm not sure if we can avoid doing ptserver lookups in the vlserver
> forever... it seems like that would be required for having in-band
> delegated volume administration and things like that (unless we create
> our own separate authz database for such operations). But I'm just
> thinking aloud.

No, we probably can't.  But that's a fairly large change with serious
operational implications.  It will require some design and
implementation work and some serious testing, and it doesn't seem fair
to make this block on that.

-- Jeff
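The policy Jeff sketches above, as an added illustration that is not OpenAFS code and not part of this thread: take the krb5 principal that an rxkad-authenticated connection yields, refuse it if it is the anonymous principal, and otherwise map it to the lightweight group (`system:authuser` for the local realm, `system:authuser@that.realm` for a foreign realm). It assumes the anonymous principal has the form defined by RFC 6112 (name `WELLKNOWN`, instance `ANONYMOUS`, with either the `WELLKNOWN:ANONYMOUS` realm or a real realm for realm-authenticated anonymous tickets). The `parse_principal`, `is_anonymous_principal`, `lightweight_authz_group` and `group_matches` helpers are hypothetical; backslash quoting in principal names and any realm case-folding the ptserver does are deliberately not handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenAFS code. The anonymous principal form is
 * the one RFC 6112 defines: name WELLKNOWN, instance ANONYMOUS. */
#define ANON_NAME "WELLKNOWN"
#define ANON_INST "ANONYMOUS"

struct princ_parts {
    char name[64];
    char inst[64];
    char realm[128];
};

/* Split "name[/inst]@REALM" into parts. Returns 0 on success, -1 on
 * malformed input. Backslash quoting is not handled (assumption). */
static int parse_principal(const char *princ, struct princ_parts *p)
{
    const char *at = strrchr(princ, '@');
    const char *slash;
    size_t n;

    memset(p, 0, sizeof(*p));
    if (at == NULL || at == princ || at[1] == '\0')
        return -1;
    n = strlen(at + 1);
    if (n >= sizeof(p->realm))
        return -1;
    memcpy(p->realm, at + 1, n + 1);

    slash = memchr(princ, '/', (size_t)(at - princ));
    if (slash != NULL) {
        n = (size_t)(slash - princ);
        if (n == 0 || n >= sizeof(p->name))
            return -1;
        memcpy(p->name, princ, n);
        p->name[n] = '\0';
        n = (size_t)(at - slash - 1);
        if (n == 0 || n >= sizeof(p->inst))
            return -1;
        memcpy(p->inst, slash + 1, n);
        p->inst[n] = '\0';
    } else {
        n = (size_t)(at - princ);
        if (n >= sizeof(p->name))
            return -1;
        memcpy(p->name, princ, n);
        p->name[n] = '\0';
    }
    return 0;
}

/* Anonymous whether fully anonymous (realm WELLKNOWN:ANONYMOUS) or
 * realm-authenticated anonymous (a real realm): only name/instance matter. */
static bool parts_anonymous(const struct princ_parts *p)
{
    return strcmp(p->name, ANON_NAME) == 0 && strcmp(p->inst, ANON_INST) == 0;
}

bool is_anonymous_principal(const char *princ)
{
    struct princ_parts p;
    return parse_principal(princ, &p) == 0 && parts_anonymous(&p);
}

/* Map a principal to the lightweight authz group: system:authuser for the
 * local realm, system:authuser@REALM for a foreign realm. Returns -1 (refuse)
 * for the anonymous principal, malformed input, or a too-small buffer. */
int lightweight_authz_group(const char *princ, const char *local_realm,
                            char *out, size_t outlen)
{
    struct princ_parts p;
    int len;

    if (parse_principal(princ, &p) != 0 || parts_anonymous(&p))
        return -1;
    if (strcmp(p.realm, local_realm) == 0)
        len = snprintf(out, outlen, "system:authuser");
    else
        len = snprintf(out, outlen, "system:authuser@%s", p.realm);
    return (len < 0 || (size_t)len >= outlen) ? -1 : 0;
}

/* Convenience for checking: 1 if princ maps to expect, 0 if refused/other. */
int group_matches(const char *princ, const char *local_realm, const char *expect)
{
    char group[160];
    if (lightweight_authz_group(princ, local_realm, group, sizeof(group)) != 0)
        return 0;
    return strcmp(group, expect) == 0;
}

int main(void)
{
    /* Constructed sample principals; EXAMPLE.ORG plays the local realm. */
    const char *tests[] = {
        "alice@EXAMPLE.ORG",
        "bob/admin@OTHER.EDU",
        "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS",
        "WELLKNOWN/ANONYMOUS@OTHER.EDU",
    };
    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        char group[160];
        if (lightweight_authz_group(tests[i], "EXAMPLE.ORG", group, sizeof(group)) == 0)
            printf("%-42s -> %s\n", tests[i], group);
        else
            printf("%-42s -> refused\n", tests[i]);
    }
    return 0;
}
```

The realm-authenticated anonymous case is the one worth noticing: its ticket carries a real realm, so a check that only looked for the `WELLKNOWN:ANONYMOUS` realm would still hand it a `system:authuser@REALM` membership; matching on name and instance refuses both forms.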