[OpenAFS] File exchange with users out of AFS space

David Bear David.Bear@asu.edu
Thu, 29 Jan 2009 19:02:22 -0700


hm. interesting issues.

First to address will be authentication I think. If users do not have
principal accounts in your realm, you will need some way to create a
cross realm trust with their Kerberos realm. Then you can use cross realm
principals for authorization.

Second, proper authorization and good path schemes will make it easy to make
sure nobody can read stuff they are not supposed to read. File drawers may
work well because if the user is only authorized to 'list' folder contents
and not read folder contents, they can navigate to where they are authorized
to read folder contents.

Third, the OpenAFS client is very stable and likely not much different to
use than sftp or something similar. It will present a consistent interface
for everyone so its advantages may outweigh having to install the client.

Finally, if the remote users don't have some kind of Kerberos infrastructure
(MIT, Heimdal, Active Directory) -- you may be out of luck.

On Tue, Jan 27, 2009 at 5:53 AM, Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:

> Hi!
>
> The users of my department want an "easy" way to exchange files with
> people not running an AFS client.
>
> Has anyone an idea of what works best for it?
>
> I first thought about filedrawers - but it does not fit perfectly.
> One point: I cannot limit filedrawers to a special path of the cell, or?
> E.G. filedrawers should only be able to reach all dirs under
> /afs/cgv.tugraz.at/filedrawers/ and no other paths of the cell.
> Another point: users without account at our cell, how do they get files
> and maybe upload files for a special user?
>
> Maybe I want a perfect solution and it is yet not available...
> FTP is already applied, but upload is a problem and "personal" files for
> users outside, to be secured by a password...
>
>
> Best regards,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723



--
David Bear
College of Public Programs at ASU
602-464-0424
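
An added example, not part of the message above or of OpenAFS: the list-versus-read layout the reply describes, written as `fs setacl` calls for the `/afs/cgv.tugraz.at/filedrawers/` path from the question, plus a check that flags rights beyond what was intended. The principal `guest@example.org`, the owner `lars`, the `outgoing`/`incoming` folder names and the sample `fs listacl` output are constructed assumptions.

```shell
#!/bin/sh
# Added example. AFS directory rights used: l = lookup (list names and
# traverse), r = read file contents, i = insert new files.
BASE=${BASE:-/afs/cgv.tugraz.at/filedrawers}  # path named in the thread
DRY_RUN=${DRY_RUN:-1}                         # 1 = print commands only

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# exchange_acl PRINCIPAL OWNER: give an outside principal access to one
# local user's exchange folders (outgoing/incoming are assumed names).
exchange_acl() {
    who=$1; owner=$2
    run fs setacl -dir "$BASE" -acl "$who" l                  # navigate only
    run fs setacl -dir "$BASE/$owner" -acl "$who" l           # navigate only
    run fs setacl -dir "$BASE/$owner/outgoing" -acl "$who" rl # download
    run fs setacl -dir "$BASE/$owner/incoming" -acl "$who" li # upload, no read
}

# excess_rights PRINCIPAL ALLOWED: read `fs listacl` output on stdin and
# print every right PRINCIPAL holds beyond ALLOWED (empty line = none).
excess_rights() {
    awk -v who="$1" -v ok="$2" '
        /^Negative rights:/ { exit }
        $1 == who && NF == 2 {
            for (i = 1; i <= length($2); i++) {
                ch = substr($2, i, 1)
                if (index(ok, ch) == 0) printf "%s", ch
            }
        }
        END { print "" }'
}

# Constructed sample of `fs listacl` output for the top-level folder.
sample_listacl() {
    cat <<'EOF'
Access list for /afs/cgv.tugraz.at/filedrawers is
Normal rights:
  system:administrators rlidwka
  guest@example.org rl
EOF
}

exchange_acl guest@example.org lars
# The top level should be lookup-only; the sample grants "r" as well.
sample_listacl | excess_rights guest@example.org l
```

With `DRY_RUN=0` the commands are executed instead of printed, which requires an AFS client and tokens with administer rights on those directories.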
