On 6 Jun 2011, at 13:06, Leif Johansson wrote:
> On 06/06/2011 01:59 PM, Simon Wilkinson wrote:
>> On 6 Jun 2011, at 12:50, Daniel Kouril wrote:
>>
>>> I've received several requests about Moonshot being supported in NFSv4.
>>> Is there someone working on that?
>>
>> I can't speak for NFSv4, but Moonshot is one of the mechs that we're targeting with the rxgk security layer for AFS.
>
> wow, moonshot AFS. me like :-)

AFS has the definite advantage that you've already got a federated, distributed, file namespace. The challenge is how to deal with naming non-krb5 identities. We've got the mechanisms for this defined, but implementation is not yet completed. Once it is, it will work in exactly the same way as for krb5 cross-realms - a user will aklog against a particular cell, and (cell configuration permitting) be registered in that cell's protection database. At this point, the user can be added to ACLs, and groups, within that cell as if they were a local user. In theory, it will be really quite elegant.

We don't require anything beyond support for a standard GSSAPI handshake - in particular we're not sharing a security context between userspace and kernel, so context export is not on the critical path for us.

Cheers,
Simon.