[OpenAFS] New Cell setup - ideas?

Derrick Brashear shadow@gmail.com
Thu, 28 Jan 2010 01:05:25 -0500


On Wed, Jan 27, 2010 at 11:17 PM, Tom Keiser <tkeiser@sinenomine.net> wrote:
> On Wed, Jan 27, 2010 at 3:22 AM, Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
>> -no single user (person) should be identified accessing that data by
>> sharing organization (to see which department is fine, but not the
>> single persons of the accessing department)
>>
>
> The AFS-3 security model _cannot_ satisfy this anonymization
> requirement. With the current security model, each file server must
> know the identity of the caller in order to perform RPC authorization.
>
> I suppose you could give them file server binaries with auditing
> support disabled, call back table dump support disabled, and then hope
> that the satellite site admins don't know enough about AFS to dissect
> rxkad clear packets, file server cores, or use cmdebug to make
> educated inferences. But then again, if they know enough to do any of
> that, then I suppose they also know that the KeyFile effectively gives
> them full control over the entire distributed infrastructure.

It could be done with a proxy; the only one I knew of was the old
UMich intermediate AFS proxy, which, well, the code's still around
somewhere, but you might as well consider it dead.

Of course, once you do this, you then can't protect to anything finer
than whatever the proxy runs as, *and* everyone gets whatever
permissions it has, unless you implement an ACL overlay in the proxy.
Good luck getting that right.

Derrick