[OpenAFS] AES Support ?
John Hascall
john@iastate.edu
Thu, 27 Sep 2007 14:50:14 CDT
> On Thu, 27 Sep 2007, John Hascall wrote:
> > So they quickly upgrade their servers, then upgrade their clients
> > and then think "well we should shut off that unsafe old stuff".
> >
> > Now let's further suppose that Very Important Professor at ISU
> > accesses data in Stanford's cell via ACLs.
> >
> > If ISU hasn't yet completed their server upgrade, then we can't
> > upgrade clients. Now ISU VIP can't get at the data at Stanford.
> Why not? You didn't create k5-afs in your cell, so an upgraded client will
> work as before.
By "not yet completed" I meant started. If I'm understanding
the process as it was outlined many messages ago it was:

1) create afs-k5 (or is it k5-afs?) key
2) upgrade all your servers
3) upgrade all your clients
4) remove the old afs key

If, like us, you have a lot of servers and you upgrade them
one-by-one by first vos moving all the data to other servers
until they are empty and then vos moving it back afterwards
then step 2 can take quite a long time. And it seems to me
that if you are in step 2, you can't talk (w/auth) to somebody
who has finished step 4.

John