[OpenAFS] All limitations of OpenAFS

Harald Barth haba@kth.se
Tue, 26 Jan 2010 23:39:05 +0100 (CET)

> Our setup would look like:
> 1 cell EU wide, with 5-200+ local sites, each has at least one fileserver.

And when one server gets compromised/stolen you do what? Remember,
without software development, once cell is one security area.

You should design a multiple cell layout (under one or serveral
kerberos realms). As long as you are OK to copy instead of move
volumes between cells, you are fine.

> (setup is guided by the rule "data HAS to be kept local and only local
> groups and external persons with special rights should be able to read
> it. Local groups should be able to make only very small subpart of data
> available to one or more other (external) groups).

Sounds like a multiple cell approach to me. Then each group can have
their 3 db servers.