All of lore.kernel.org
 help / color / mirror / Atom feed
From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: Simo Sorce <simo@redhat.com>,
	"bfields@redhat.com" <bfields@redhat.com>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 0/4] Add support for new RPCSEC_GSS upcall mechanism for nfsd
Date: Wed, 11 Jul 2012 13:27:14 -0400	[thread overview]
Message-ID: <20120711172714.GA13610@fieldses.org> (raw)
In-Reply-To: <20120711170331.GE11432@fieldses.org>

On Wed, Jul 11, 2012 at 01:03:32PM -0400, J. Bruce Fields wrote:
> On Tue, Jul 10, 2012 at 10:58:40PM +0000, Myklebust, Trond wrote:
> > All the documentation in the patches was appearing to imply that it
> > affected only nfsd with filenames such as
> > "Documentation/filesystems/nfs/knfsd-rpcgss.txt".and patch changelogs
> > with titles such as "SUNRPC: Use gssproxy upcall for nfsd's RPCGSS
> > authentication."
> 
> Fixed locally (and pushed out temporarily to for-3.6-incoming branch at
> git://linux-nfs.org/~bfields/linux-topics.git).  Thanks for catching
> that.
> 
> > > > > How will it behave if I don't run gss proxy?
> > > 
> > > It will work, but if the server's running on the same machine it will
> > > also use svcgssd, and hence won't (for example) be able to handle the
> > > larger init_sec_context packets.
> > 
> > An NFS client callback server is only trying to check that it is talking
> > to a machine credential with a name of the form nfs@hostname. It doesn't
> > care about PAGs, and anyone who tries to set the machine cred up with
> > one is clearly insane anyway...
> 
> Yes.  I don't know enough to say that a larger init_sec_context call
> could never be required for some other reason--but it sounds unlikely.
> 
> Anyway: I was hoping that the old upcall mechanism could be declared a
> legacy thing--no new features, bugfixes only for regressions, etc.--and
> possibly be removed after a long transition period.
> 
> If it's a requirement that the client never use the gssproxy mechanism,
> even on the 4.0 backchannel, then that requires committing to develop
> both.  I don't think that makes sense.

So, if the issue is: you want to be able to choose, in individual
containers, which mechanism to use: whatever, we can probably make that
work.

If you're instead saying: it's not acceptable to use the gssproxy
mechanism to authenticate v4.0 callbacks, the client must only ever use
the existing mechanism: then I'd rather drop this entirely.  I don't
want to merge an rpc server authentication upcall that's not acceptable
for one of the rpc servers.

--b.

  reply	other threads:[~2012-07-11 17:27 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-05-25 22:09 [PATCH 0/4] Add support for new RPCSEC_GSS upcall mechanism for nfsd Simo Sorce
2012-05-25 22:09 ` [PATCH 1/4] SUNRPC: conditionally return endtime from import_sec_context Simo Sorce
2012-05-25 22:09 ` [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server Simo Sorce
2012-05-25 22:09 ` [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth Simo Sorce
2012-05-25 22:09 ` [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication Simo Sorce
2012-07-10 20:49 ` [PATCH 0/4] Add support for new RPCSEC_GSS upcall mechanism for nfsd J. Bruce Fields
2012-07-10 21:05   ` J. Bruce Fields
2012-07-12 12:39     ` J. Bruce Fields
2012-07-12 22:05       ` Simo Sorce
2012-07-12 22:42         ` J. Bruce Fields
2012-07-10 21:52   ` Myklebust, Trond
2012-07-10 21:56     ` J. Bruce Fields
2012-07-10 22:12       ` Myklebust, Trond
2012-07-10 22:25         ` Myklebust, Trond
2012-07-10 22:38           ` J. Bruce Fields
2012-07-10 22:58             ` Myklebust, Trond
2012-07-11 17:03               ` J. Bruce Fields
2012-07-11 17:27                 ` J. Bruce Fields [this message]
2012-07-11 17:49                   ` Myklebust, Trond
2012-07-12 22:10                     ` J. Bruce Fields
2012-07-13 15:43                       ` J. Bruce Fields
2012-08-08 19:36                         ` J. Bruce Fields
2012-08-08 19:43                           ` J. Bruce Fields
2012-08-08 20:12                             ` Stanislav Kinsbursky
2012-08-21 14:16                               ` J. Bruce Fields
2012-08-21 14:25                                 ` Myklebust, Trond
2012-08-21 14:29                                   ` J. Bruce Fields
2012-08-21 14:27                                 ` Stanislav Kinsbursky
2012-08-10 13:07                             ` Stanislav Kinsbursky
2012-07-11 11:15     ` Simo Sorce
2012-07-13 15:45 ` J. Bruce Fields
2012-07-13 15:55   ` Simo Sorce

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120711172714.GA13610@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=Trond.Myklebust@netapp.com \
    --cc=bfields@redhat.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=simo@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.