[OpenAFS] Re: "vos dump" authorization based on "bos adduser"?

Derrick J Brashear shadow@dementia.org
Fri, 8 Jun 2007 11:06:50 -0400 (EDT)


On Fri, 8 Jun 2007, Adam Megacz wrote:

>
> Derrick J Brashear <shadow@dementia.org> writes:
>>>>>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>
>>>> bosserver can't depend on ptserver..
>
>>> you indicate above that "-localauth" should be used in situations
>>> where bosserver must be used without any running ptservers?
>
>> That's bos. I said "bosserver can't depend on ptserver".
>
> Ok, point taken.  Still,
>
>> How does the bosserver decide you're eligible if there's no ptserver?
>
> Okay, take 2: first, bosserver checks the request to see if it was
> directly signed with the KeyFile (i.e. you invoked bos with -localauth).
> Since it has the KeyFile, it should be able to do this without the
> help of ptserver.  If this is the case, it permits your request.  If
> not, it tries to contact ptserver.  If it is unable to contact the
> ptserver, it rejects your request.
>
> Is your concern that in the all-ptservers-are-down case, this leaves a
> thread/lwp on the bosserver waiting for a reply from the ptserver?  I
> guess I can appreciate that that is sort of inelegant, but aren't
> there lots of places where stuff like this happens in the server code?

Sure. Why do we want to add more?