[OpenAFS] Re: "vos dump" authorization based on "bos adduser"?

Adam Megacz megacz@cs.berkeley.edu
Fri, 08 Jun 2007 00:27:45 -0700

Derrick J Brashear <shadow@dementia.org> writes:
>>>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)

>>> bosserver can't depend on ptserver..

>> you indicate above that "-localauth" should be used in situations
>> where bosserver must be used without any running ptservers?

> That's bos. I said "bosserver can't depend on ptserver".

Ok, point taken.  Still,

> How does the bosserver decide you're eligible if there's no ptserver?

Okay, take 2: first, bosserver checks the request to see if it was
directly signed with the KeyFile (i.e., you invoked bos with -localauth).
Since it has the KeyFile, it should be able to do this without the
help of ptserver.  If this is the case, it permits your request.  If
not, it tries to contact ptserver.  If it is unable to contact the
ptserver, it rejects your request.

Is your concern that in the all-ptservers-are-down case, this leaves a
thread/lwp on the bosserver waiting for a reply from the ptserver?  I
guess I can appreciate that that is sort of inelegant, but aren't
there lots of places where stuff like this happens in the server code?

Somewhat related: is it possible to run a dbserver+fileserver using
something like runit instead of bosserver?

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
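
The check order proposed in the message above, sketched as an added example (not part of the original post and not OpenAFS code): an HMAC tag stands in for a request signed with the KeyFile, `lookup` is a hypothetical callable standing in for the ptserver query, and the key, names and timeout are constructed for illustration. The bounded wait frees the request handler when no ptserver answers, although the worker thread still lingers until the lookup itself returns.

```python
import hashlib
import hmac
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

# Constructed stand-in key; a real KeyFile holds the cell's service keys.
KEYFILE_KEY = b"constructed-demo-key"
_pool = ThreadPoolExecutor(max_workers=4)


def sign_local(payload, key=KEYFILE_KEY):
    """HMAC tag standing in for 'signed directly with the KeyFile'."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def authorize(payload, tag, user, lookup, timeout=0.2):
    """Return (allowed, reason), checking in the order the message proposes."""
    # 1. Local check: needs only the key the server already holds.
    if tag is not None and hmac.compare_digest(tag, sign_local(payload)):
        return True, "localauth"
    # 2. Otherwise ask the lookup service, waiting at most `timeout` seconds.
    future = _pool.submit(lookup, user)
    try:
        allowed = future.result(timeout=timeout)
    except (LookupTimeout, OSError):
        # 3. No answer or no connection: reject (fail closed).
        return False, "ptserver-unreachable"
    return (True, "ptserver") if allowed else (False, "not-authorized")


def refused(user):
    """Hypothetical lookup: every ptserver refuses the connection."""
    raise ConnectionRefusedError("no ptserver reachable")


def hung(user):
    """Hypothetical lookup: the ptserver accepts but answers too late."""
    time.sleep(0.5)
    return True


if __name__ == "__main__":
    req = b"constructed-request"  # constructed request bytes
    print(authorize(req, sign_local(req), "admin", refused))
    print(authorize(req, None, "alice", lambda u: u == "alice"))
    print(authorize(req, None, "alice", refused))
    print(authorize(req, None, "alice", hung, timeout=0.05))
```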