It would be nice to map arbitrary GSS attributes to PTS identities. Not Moonshot specific. Useful though.
I suggested this to Jeff a couple weeks back.
Sent from my iPhone
On 06/06/2011, at 13:19, Simon Wilkinson <[log in to unmask]> wrote:
> On 6 Jun 2011, at 13:06, Leif Johansson wrote:
>> On 06/06/2011 01:59 PM, Simon Wilkinson wrote:
>>> On 6 Jun 2011, at 12:50, Daniel Kouril <[log in to unmask]> wrote:
>>>
>>>> I've received several requests about Moonshot being supported in NFSv4.
>>>> Is there someone working on that?
>>>
>>> I can't speak for NFSv4, but Moonshot is one of the mechs that we're targeting with the rxgk security layer for AFS.
>>
>> wow, moonshot AFS. me like :-)
>
> AFS has the definite advantage that you've already got a federated, distributed, file namespace. The challenge is how to deal with naming non-krb5 identities. We've got the mechanisms for this defined, but implementation is not yet completed. Once it is, it will work in exactly the same way as for krb5 cross-realms - a user will aklog against a particular cell, and (cell configuration permitting) be registered in that cell's protection database. At this point, the user can be added to ACLs, and groups, within that cell as if they were a local user. In theory, it will be really quite elegant.
>
> We don't require anything beyond support for a standard GSSAPI handshake - in particular we're not sharing a security context between userspace and kernel, so context export is not on the critical path for us.
>
> Cheers,
>
> Simon.