[OpenAFS] Some AFS Architectural Questions

Daniel Clark dclark@pobox.com
Fri, 27 Oct 2006 16:15:22 -0400

On 10/27/06, Leggett, Jeff <jeffrey.leggett@etrade.com> wrote:
> Hi, Sorry if these are covered somewhere, but my Architecture team is
> having issues with my proposal to evaluate AFS as part of an
> Environmental Segregation project.  We have an issue where we have four
> distinct environments, that are basically mirrors of each other.  From
> what I am reading, it seems AFS would provide some functionality to
> allow us to segregate application environments (in conjunction with
> other tools).  Our four environments are:
> Dev - Development
> SIT - System Integration Testing
> UAT - user Acceptance testing
> PRD - production
> We want to limit developers having access to say UAT and PRD, QA people
> from getting into DEV, etc.  Am I completely off-base in thinking that
> this is possible?  From what I read, a combination of authentication
> mechansisms with AFS ACL's would allow this.  I realize a big piece of
> this would be the network segregation part, but it seems like AFS would
> go along ways toward letting us maintain a mirrored application arena
> for each.  Does this make sense?

Yes; as long as you have one sys admin group who you trust with admin
rights to all of the data, then this can be trivially accomplished
with a single AFS cell, and a well-maintained set of groups and ACLs.
In this respect it is very similar to CIFS.

If you need to have separate servers with separate sets of admins,
then I'm pretty sure you would have to have multiple AFS cells (a
single AFS cell can have any number of servers, but I am pretty sure
that if you have root on any of those servers, then you can in theory
access data on any other server); however because of the AFS global
namespace, this is significantly less annoying than would be the case
with multiple NFS servers (and they could pretty much be exact images
of each other sans a few config files), and you could set up trust
relationships between the various Kerberos domains associated with
each AFS cell, or if there is a common trusted Active Directory
domain, you could use that for authentication.

> My team is rather adamantly opposed to this idea as AFS has a horrible
> reputation as a nightmare to integrate.  Has that improved?   I have not
> used AFS since my days at IBM in the early 90's (Damn that makes me feel
> old to type that).

I find AFS to be somewhat harder to set up than NFS, but significantly
easier to admin in the long run, from both the client and server
perspectives. Also I'm very afraid if E*TRADE is using NFSv3 in any
capacity due to the complete insecurity of that protocol; a good doc
on this is at http://www.usenix.org/publications/login/2005-02/pdfs/musings.pdf

Daniel Joseph Barnhart Clark