[OpenAFS] Some questions about the future of OpenAFS

Derek Atkins warlord@MIT.EDU
01 May 2002 12:32:59 -0400


"Douglas E. Engert" <deengert@anl.gov> writes:

> Maybe. You can still use Kerberos internally, and so the cell could
> be in a realm. But with K5 you now have cross realm as a feature,
> and that needs to be addressed. This then brings up the
> authorization questions.

Right.  In other words, it would act very similarly to how it does
today, the cell is in a realm.

> AFS has done the authorization via the PTS. Will this continue to
> work the same way? Would you map foreign users to local users in the PTS?

I would assume that PTS would continue to behave as it does today,
mapping a principal name to an AFS ID.  Note that that is _all_ that
PTS does -- it maps names to numbers, and maintains group lists (again
mapping names to numbers).

Also note that foreign users work today, and I don't see how this
would change.  If a user in realm1 authenticates to the AFS service in
realm2, they get a cross-cell authentication and PTS would convert
user@realm1 to AFSID-nnn.  This is exactly how it works today, so I
don't see the issue.

> Will foreign users be allowed on ACLs? 
> Do you still have the AFS ID? Do these need to be UUIDs?

Again, I don't see how or why this needs to change at all.  All you
are doing is changing the authentication method.  The authorization
model is separable and, IMHO, need not change.

> How will AFS be different from DFS in these areas? 

I don't know.  Then again, part of DFS' failure was the fact that it
required the rest of DCE to actually work.  I happen to think that the
authentication/authorization model of DFS is close to what we want.
Luckily, AFS already has _most_ of the problem solved.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
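To make the authorization model described in the message concrete, the following is an added example (not code from OpenAFS or from this thread). It models what the mail says PTS does and nothing more: map principal names, including foreign user@realm names, to numeric AFS IDs, keep group lists, and let ACL evaluation work purely on those numbers. The local realm EXAMPLE.ORG, the ID numbers, the "user@realm" form for foreign entries, and the use of AFS's rlidwka rights letters with positive and negative ACL entries are assumptions made for the example.

```python
"""Constructed model of PTS-style authorization that is independent of
how the caller authenticated. Not OpenAFS code; realm, IDs and names
are assumptions for illustration."""

from dataclasses import dataclass, field

LOCAL_REALM = "EXAMPLE.ORG"   # assumed local Kerberos realm / cell name

ANYUSER_ID = -101             # system:anyuser (AFS convention: groups are negative)
AUTHUSER_ID = -102            # system:authuser


def canonical_name(principal, local_realm=LOCAL_REALM):
    """Local principals become bare user names; foreign ones keep user@realm."""
    user, _, realm = principal.partition("@")
    if not realm or realm.upper() == local_realm.upper():
        return user
    return f"{user}@{realm.lower()}"


class Pts:
    """Maps names to numbers and keeps group membership lists; nothing else."""

    def __init__(self):
        self.ids = {"system:anyuser": ANYUSER_ID, "system:authuser": AUTHUSER_ID}
        self.members = {}          # group id -> set of member user ids
        self._next_user = 1
        self._next_group = -201

    def create_user(self, name):
        if name in self.ids:
            raise ValueError(f"entry exists: {name}")
        self.ids[name] = self._next_user
        self._next_user += 1
        return self.ids[name]

    def create_group(self, name):
        if name in self.ids:
            raise ValueError(f"entry exists: {name}")
        self.ids[name] = self._next_group
        self.members[self._next_group] = set()
        self._next_group -= 1
        return self.ids[name]

    def add_member(self, group, user):
        self.members[self.ids[group]].add(self.ids[user])

    def cps(self, principal):
        """Current Protection Set: every id the caller can match on an ACL.
        An unknown or unauthenticated caller matches only system:anyuser."""
        uid = self.ids.get(canonical_name(principal)) if principal else None
        if uid is None:
            return {ANYUSER_ID}
        ids = {uid, ANYUSER_ID, AUTHUSER_ID}
        ids |= {gid for gid, members in self.members.items() if uid in members}
        return ids


@dataclass
class Acl:
    positive: dict = field(default_factory=dict)   # id -> set of rights (rlidwka)
    negative: dict = field(default_factory=dict)   # id -> rights to take away


def check_access(pts, acl, principal, wanted):
    """Union the positive rights of every matching entry, subtract the
    negative ones, and require all wanted rights to remain."""
    cps = pts.cps(principal)
    granted = set()
    for id_, rights in acl.positive.items():
        if id_ in cps:
            granted |= set(rights)
    for id_, rights in acl.negative.items():
        if id_ in cps:
            granted -= set(rights)
    return set(wanted) <= granted


def demo():
    """Local user, foreign user from another realm, and an anonymous caller
    all evaluated against the same ACL using only their numeric IDs."""
    pts = Pts()
    alice = pts.create_user("alice")
    bob = pts.create_user("bob@other.edu")       # foreign user, constructed
    pts.create_user("carol")
    pts.create_group("alice:staff")
    pts.add_member("alice:staff", "bob@other.edu")
    acl = Acl(
        positive={alice: "rlidwka", AUTHUSER_ID: "rl", ANYUSER_ID: "l"},
        negative={bob: "r"},                     # bob explicitly denied read
    )
    return {
        "alice_write": check_access(pts, acl, "alice@EXAMPLE.ORG", "w"),
        "carol_read": check_access(pts, acl, "carol@EXAMPLE.ORG", "r"),
        "bob_lookup": check_access(pts, acl, "bob@OTHER.EDU", "l"),
        "bob_read": check_access(pts, acl, "bob@OTHER.EDU", "r"),
        "anon_lookup": check_access(pts, acl, None, "l"),
        "anon_read": check_access(pts, acl, None, "r"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The point of the example is the separation the message argues for: `check_access` never sees a ticket or a realm, only the IDs that PTS handed back, so swapping the authentication mechanism leaves the ACL evaluation untouched.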