[OpenAFS] Re: [AFS3-std] Re: IBM will not re-license OpenAFS .xg files

chas williams - CONTRACTOR chas@cmf.nrl.navy.mil
Fri, 31 Aug 2012 17:44:21 -0400

On Fri, 31 Aug 2012 15:38:43 -0400
Dave Botsch <botsch@cnf.cornell.edu> wrote:

> When I am asked why we are continuing to use AFS in our local department
> here at Cornell (the Cornell NanoScale Facility), I only need mention a
> couple of features... "distributed file system, cross platform, security
> model, built in snapshots" before the questioners realize that AFS does
> stuff that when taken together, pretty much nothing else really does
> well.
> Unfortunately, at least for the time being, AFS lost the battle to be
> the new Cornell-wide file system. I was not part of that, so I don't
> know the specifics on why. The current file service provides CIFS for
> Windows and NFS for mac/unix (not NFSv4) and itself has a lot of
> shortcomings that AFS does not.

And this is one of the shortcomings and strong points of AFS.  AFS
provides (for the most part, with some exceptions related to caching)
end to end protection (the end here being the actual user) of the
user's data.  I suspect the reason for NFS and CIFS is that the admins
for those machines don't need to install any new software.  They don't
need to install some third-party client or setup some "complicated"
authentication mechanism. It just works out of the box (and I guess the
security is "good enough").

It might be nice to have some sort of proxy/translator interface to
allow "modern" API's to access AFS storage.  But generally, these
authentication and encryption used by these protocols doesn't match
well with AFS's.  Since I can't kinit on my cell phone, how do I prove
my identity?

I think there is some hope in this area though.  rx will eventually
support other authentication mechanisms and at one point there was an
"accelerated" web server for AFS.
> That said, we are hoping the auditors do not seek us out here any time
> soon. Single DES is high on their list of "red flags". And would
> probably force us off of AFS without a definitive road map and timeframe
> for single DES to go away.

This is very much an issue.  Single DES is a very hard sell in a
government setting.