Re: [9fans] Multi-domain authentication? - Plan9


Thread: Re: [9fans] Multi-domain authentication?

  1. Re: [9fans] Multi-domain authentication?

    On Mon Oct 20 20:41:38 EDT 2008, mirtchovski@gmail.com wrote:
    > > what kind of access would you give such users to the fileserver?
    >
    > in this specific example perhaps some minimal scratch space, but one
    > can quickly conceive cases where the complete file system semantics
    > are used, for example when you want to provide a data replication
    > service between sites without enforcing a global user namespace.
    >
    > was this what you were asking? some of those ideas came out of 9grid,
    > but i don't know whether anyone has pushed them further.


    i'm not sure. what does "complete filesystem semantics" mean? let me
    rephrase.

    the premise is that the local system, and thus i assume the local fs, has
    no knowledge of the user. this task has been delegated to a foreign auth
    server. so what are the mechanics of getting the local fs to treat an
    unknown user as something other than none?

    supposing this problem is solved, don't you need quotas or something
    if you don't know who exactly to yell at for filling up the worm?

    - erik


  2. Re: [9fans] Multi-domain authentication?

    > i'm not sure. what does "complete filesystem semantics" mean? let me
    > rephrase.


    honouring group and user permissions, instead of using a
    world-writable partition with everybody treated as "none".

    > the premise is that the local system, and thus i assume the local fs, has
    > no knowledge of the user. this task has been delegated to a foreign auth
    > server. so what are the mechanics of getting the local fs to treat an
    > unknown user as something other than none?


    i don't believe everything was thought-through very thoroughly before
    people became indifferent to the idea. one suggestion was to use
    "user@authdom" for figuring out "local" vs "remote" users (i.e.,
    become "user@authdom" instead of "none").

    > supposing this problem is solved, don't you need quotas or something
    > if you don't know who exactly to yell at for filling up the worm?


    access control lists? i'm afraid i don't know the answer and i'm
    certainly not prepared to dive into this any deeper. it's been quite a
    while.

    i hope to have relayed the original idea: give "friendly users" some
    access to your resources.


  3. Re: [9fans] Multi-domain authentication?

    On Mon, Oct 20, 2008 at 6:05 PM, andrey mirtchovski wrote:

    > i hope to have relayed the original idea: give "friendly users" some
    > access to your resources.



    yes, there was a long running discussion of this with presotto,
    andrey, acki, me, who else? years ago.

    We never resolved the question of how to do it. We just know it's not done.

    ron


  4. Re: [9fans] Multi-domain authentication?

    On Mon, Oct 20, 2008 at 7:49 PM, erik quanstrom wrote:
    >
    > the premise is that the local system, and thus i assume the local fs, has
    > no knowledge of the user. this task has been delegated to a foreign auth
    > server. so what are the mechanics of getting the local fs to treat an
    > unknown user as something other than none?
    >


    Good general problem, I'd also like to add my personal pain point that
    only the file server knows about the relationship between groups and
    users. It'd be nice to have a more general service to take care of
    this, and include some ability to assign remote delegated user names
    to local groups.

    I also like the idea of having "user-context" groups where users can
    create their own groups and assign local and remote users to them for
    the purposes of accessing file servers they "own".

    >
    > supposing this problem is solved, don't you need quotas or something
    > if you don't know who exactly to yell at for filling up the worm?
    >


    There are lots of different solutions here -- could be as simple as
    only using ramfs or ramdisk, could just require the user to use
    /mnt/term as his space, or be nice and provide cfs style semantics on
    top of /mnt/term to make it a bit snappier. In any case, I don't see
    any of this as a major barrier to the desire for multi-domain
    authentication.

    -eric


  5. Re: [9fans] Multi-domain authentication?

    On Tue, Oct 21, 2008 at 4:29 AM, Eric Van Hensbergen wrote:
    > Good general problem, I'd also like to add my personal pain point that
    > only the file server knows about the relationship between groups and
    > users. It'd be nice to have a more general service to take care of
    > this, and include some ability to assign remote delegated user names
    > to local groups.


    this would indeed be nice.

    i believe some of the stuff that forsyth was working on at one time
    to put SPKI into inferno could have helped in this context.


  6. Re: [9fans] Multi-domain authentication?

    I wrote my own thoughts in a paper some time ago,
    though it's a discussion document rather than a design spec.

    http://www.quintile.net/papers/xauth.pdf

    -Steve


  7. Re: [9fans] Multi-domain authentication?

    On Mon, Oct 20, 2008 at 10:29:17PM -0500, Eric Van Hensbergen wrote:
    > Good general problem, I'd also like to add my personal pain point that
    > only the file server knows about the relationship between groups and
    > users. It'd be nice to have a more general service to take care of
    > this, and include some ability to assign remote delegated user names
    > to local groups.
    >
    > I also like the idea of having "user-context" groups where users can
    > create their own groups and assign local and remote users to them for
    > the purposes of accessing file servers they "own".


    My internalized model of how this should work is AFS's ACL system (if that's
    not a dirty word...) and the associated PTS group system. Between them,
    they provide excellent ability to talk about users from remote cells and
    allow users to create and manage their own groups.

    --nwf;

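The ideas floated across posts 2, 4 and 7 (name remote users as "user@authdom" rather than collapsing them to "none", keep group membership in a service outside the file server, let users own and manage their own groups, and check file ACLs against both) can be sketched as a small model. This is an added example, not code from Plan 9, Inferno, AFS or anyone in the thread; the local authdom name, the ":group" ACL syntax, the rights letters and the rule that "none" is the floor every principal inherits are all assumptions made here.

```python
# Model of cross-authdom identities, an external group service and an ACL check.
# Added example; the "user@authdom" canonical form, the ":group" ACL subject
# syntax and the "none" floor are assumptions, not any real system's rules.
from dataclasses import dataclass, field

LOCAL_AUTHDOM = "example.net"   # constructed: the authdom of the local file server

def canonical(principal: str) -> str:
    """Local users lose the domain suffix; remote users keep it, so a remote
    'erik@remote.org' can never be confused with the local 'erik'."""
    if "@" not in principal:
        return principal
    user, dom = principal.split("@", 1)
    return user if dom == LOCAL_AUTHDOM else principal

@dataclass
class GroupService:
    """Group membership kept outside the file server (post 4's wish).
    Each group has an owner, so users can run their own 'user-context' groups
    and add remote delegated names to them."""
    groups: dict = field(default_factory=dict)   # name -> (owner, set(members))

    def create(self, owner: str, name: str, members=()) -> None:
        self.groups[name] = (canonical(owner), {canonical(m) for m in members})

    def add(self, actor: str, name: str, member: str) -> None:
        owner, members = self.groups[name]
        if canonical(actor) != owner:          # only the owner edits the group
            raise PermissionError(f"{actor} does not own group {name}")
        members.add(canonical(member))

    def member(self, principal: str, name: str) -> bool:
        return canonical(principal) in self.groups.get(name, (None, set()))[1]

def allowed(acl, principal: str, right: str, groups: GroupService) -> bool:
    """ACL entries are (subject, rights). A subject is a principal, ':group',
    or 'none' (rights every principal gets). An unknown remote user therefore
    gets only what 'none' gets plus whatever groups explicitly list it."""
    p = canonical(principal)
    for subject, rights in acl:
        if right not in rights:
            continue
        if subject in ("none", p):
            return True
        if subject.startswith(":") and groups.member(p, subject[1:]):
            return True
    return False
```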

