I'm not sure why we really need a contrib area, as patches will
(hopefully) get applied to the OpenAFS CVS tree as they are submitted.

Also, I believe there are at least some plans to resurrect the
grand.central.org AFS Cell, though there are still some technical
issues in terms of distributing the cell.

-derek

Ah. Wasn't quite sure how open that process will be. Even still, I'd imagine
that there will still be preliminary patches, or patches not of interest to
everyone. For those, it would be nice to have a central area. (Hey, if
nothing else, it would probably be smart to have the source/copy of cvs in
afs for people to get at it that way.)

i.e. stuff like the people/ dir for the linux kernel.

-- Nathan

Because of a situation like ken's krb5 patch. Useful to plenty of people,
but the maintainers weren't interested in including more than a tiny
fraction of it, and because it wasn't available in a central location where
people could look for contributions/etc, there has been a LOT of duplication
of effort.

Granted, I'm being a bit pessimistic there, but I figure it's better to plan
ahead.

I'm also thinking things like MR-AFS, where it may not be suitable for
public consumption on the mainline, but could be very useful if you have the
infrastructure. Or for that matter "here's something I was playing with, it
doesn't work yet, but it could be useful if someone put a few hours of work
into getting it cleaned up"

If nothing else - set up a page where people can EASILY get links added to
point at contributed code/patches/etc. That way, there is one place to look
for stuff, even if it isn't added to the mainline code.

-- Nathan

it would be extremely useful if there was some way for external
developers to create branches in the central.org OpenAFS repository..

- Bill

All true. The first dbserver for the grand.central.org cell is sitting in
my machine room, waiting for me to add more memory to it and install a
fileserver. I have the memory (thanks, Derrick!), so there should be a
cell Real Soon Now(tm).

I expect the grand.central.org cell will contain copies of the releases of
major AFS implementations, documentation, and so on. It certainly seems
likely that there will be a contributed area of some sort. At the very
least, there is a need for someplace to collect contributed/third-party
tools and such.


ObOpenAFS: As Derek points out, there are some problems involved with
setting up a widely-distributed cell like grand.central.org or openafs.org
Mostly these are related to limitations in AFS's authentication model (all
servers share one key) and in the authorization model used by the
bosserver, volserver, and vlserver.

The model I envision is one where the Kerberos and pts databases are
maintained by a trusted set of individuals (presumably, members of the
system:administrators group), but fileservers can be run by anyone.
Clearly the database services need to run on machines that are trusted by
the cell's administrators. However, it is desirable that the operators of
database servers not be forced to trust _each other_.

This requires that each server machine have its own key, so that no server
operator knows the service key used by another server. This problem looks
hard, because all the clients "know" that every server uses the
***@cell.name key. However, I think that rxkad3 can enable that to change
in new clients, and a workaround for old clients, while ugly, would not be
impossible.

The authorization problem is considerably more interesting, I think. At
present, the bosserver, volserver, and vlserver each recognize a fixed set
of privileged users, identified by the contents of /usr/afs/etc/UserList.
In order to allow independent server operators to exist within one cell,
the volserver and vlserver must have more flexible authorization models.
As a first cut, I propose something like the following:


- Every server has a defined set of administrators. Presumably these
are represented by pts groups, with the vlserver storing the pts ID
of the administrator group for each server.

- Every volume has an administrator known to the vldb. This is different
from the concept of volume ownership -- volumes may be owned by users,
but a volume administrator is unlikely to be a user. This information
_may_ also have to be stored in the volume header, but I don't think so.

- The following operations are permitted to server/volume admins:

+ An admin may create a volume on any server he controls. Volume names
are presumably subject to restrictions defined by the cell admins.
A newly created volume has the same administrator as the server on
which it was created (_not_ the individual who created it)

+ An admin may move a volume he controls to a server he controls.
He need not be an administrator of the volume's old site.

+ An admin may remove any volume he controls, regardless of location.

+ An admin may rename any volume he controls, subject to the same
volume namespace restrictions as for creation.

+ An admin may add an RO site for a volume he controls to a server he
controls.

??? how to add RO sites when volume and server admin are not the same?

+ An admin may remove any RO site for a volume he controls.

+ An admin may remove any RO site on a server he controls.

+ An admin may perform a release of any volume he controls.

+ An admin may change the administrator of any volume or server he
controls.

??? Can server admins release volumes? When?


Cell admins can presumably do any of the usual operations, without
regard to who the volume and server administrators are. They also
have the ability to set volume namespace policy in some fashion.
Unfortunately, that is a complicated issue...

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

it would be extremely useful if there was some way for external
developers to create branches in the central.org OpenAFS repository..

- Bill

hutz,
I like your ideas about the trust model in general, but I also had the
following simultaneous thoughts -- not all entirely compatible with each other
-- but they're the first things that come to mind:

- I think you're biting off too big a chunk for the first pass at something
like this. Start with splitting security:administrators off from
system:administrators, which is easy, and maybe add a couple of more flexible
options for volume ownership. The other bits of "user A can create volumes on
server S but not server P" can be handled simply as a matter of policy, in
most cases.

and.

- what does it mean to say "database server operators are not forced to trust
each other", when the fact is, there's no point in cooperatively sharing a
database with someone who you don't trust completely. Really, trust means
simply "trust to update the {volume,backup,xxx} database", right?

and.

- the problem of cooperating with regions under separate administration was
why cells were invented. (that, and the fact that inventing cells was Quick
And Dirty). Aesthetically, I'd like to see a new model hew as closely to the
old one as possible. Simplicity *is* a virtue.

and

- anyone who has admin permissions on the V.1.1 fid in a volume should be able
to release it. To anywhere. This is as good a definition of "volume admin" as
we need. It does mean that the volserver would have to be able to interpret
ACLs, which is new, but the code is very modular...

and

- the flexibility is useful, even if you can't get perfect subdivision of
authority. I'm willing to accept that Joe can frig with Bob's server
somewhat, for instance, by releasing volumes which are replicated in both
places. That's awfully minor, and if Bob doesn't like it, then he can put his
own resources in his own cell, or remove the local replica on his server, or
write a script to remove it every 5 minutes.

Ok, random ramblings, granted, but let's see who hates 'em.

Wouldn't it be easier to get the pseudo-root.afs volume support implemented?

-- Nathan

I don't understand what your 'security:administrators' group is supposed
to be for. All of the major Kerberos implementations, including the
kaserver, have their own ideas about who is an admin. And the volserver
and vlserver have never used system:administrators -- they use the
superuser list, which is the inflexible bit we're trying to change.
No. Under the current model, trust means "trust to be allowed to do
absolutely anything on the server machine as root". If I have privileged
access to a fileserver machine, I can use the AFS key file to forge
tickets that allow me to access UserList-using services as if I were on
that list. That's what the -localauth switch does. Combined with the
'exec', 'getfile', and 'install' commands in bos, I can run any program as
root, and read or write any file.


I'm envisioning a cell where the various machines on which the fileservers
and database servers run are operated by different people, who should not
be forced to allow each other privileged access to their machines. This
is useful for the kind of cell we're talking about, where fileservers
essentially serve as "mirrors" of each other. It's also useful for a cell
whose fileservers are individual user's machines in dorm rooms at a
university.
Unfortunately, it also has the problem that the _vlserver_ must be able to
interpret ACL's, and so must the volservers which don't yet have a copy of
the volume. That could get messy... Certainly, the right to perform a
release should depend only on the volume permissions, and not on what
fileservers the RW and RO sites happen to live on.
Absolutely. I thought my model addressed that - the only real question is
whether a particular server admin can force a release of volumes with RO
sites on his server, even though he does not have any special rights on
the volume involved.

-- Jeff

I concur with ***@speakeasy.org that the trust needed in the
maintainers of the db servers must be total. I also point out that
while the fileservers need to trust the db servers, the db servers
need not trust the fileservers (currently of course, they do).

Is it enough to change AFS so that the db servers don't need to trust
the fileservers?
No.

For a distributed cell to have integrity of data, the people with
physical access to the fileservers need to be trusted to maintain that
integrity. There is no way to ensure that (extreme case, picture a
fileserver hacked to provide bogus volume data, to only some selected
machines). Unfortunately, the integrity of the data is the primary
purpose of the envisioned distributed openafs/default cell.

So given that you can never know for sure when the trust in a
distributed fileserver is violated, i.e. some trust *has* to be
assumed, two questions come to mind.
How much trust should be assumed?
Can the security model of AFS be modified to accomodate the desired
level of assumed trust *without* breaking the more conventional model
for setting up a cell?

Once there is some concensus about the trust levels assumed, then a
discussion about how to redisign the AFS security model can continue.

--Ted

Jeff wrote:
Certainly, the right to perform a
release should depend only on the volume permissions, and not on what
fileservers the RW and RO sites happen to live on.

Incorrect. For example, the maintainer of the server with an RO site
may have constraints regarding the free space available which he could
not control if a volume admin could freely re-release any volume with
an RO already on that site.

--Ted

Mm. Interesting point. Can a server admin adjust the quotas of the volumes
that have replicas on his server? If not, he could be in some trouble.

Any thoughts about completing the "minquota" work? In other words, a
guaranteed reserved disk usage for a particular volume?

For the sake of the failover code, it helps that there are only ever two
versions of a volume in existence at any one point in time, and that state
really shouldn't exist for very long. Redundancy suffers quite a bit when
there are two versions extant, as failover must only be permitted going
forward in time, never backward.

Push ensures that the oldest version goes away ASAP.
Sounds like IFS. Or XFS. Dig around and see if you can find the papers.

This has been suggested before. I don't recall ever hearing any arguments
against, and it's pretty easy to do in afs_lookup() if you require that they
all start with '@'.


I concur with Russ that *what* the @sys values are is not all that important.
Also, remember not to confuse 'sys' and @sys. They are completely independent
of each other.

The default cell is root.afs, and a time source. AFSDB support or other dynamic configuration would obviate the need.

Even so, a distributed default cell needn't have distributed
administration.

And even then, the CM presently doesn't know how to choose a "best" VL server or root.afs server without trying them first -- the subnet mask proximity guesses just aren't going to help your Somali friend. So a few packets are likely to travel to Pittsburgh -- splitting up the administration isn't going to help with this problem.

Even so, it's hardly the end of the world to make a half-dozen RX RPCs from Somalia to Pittsburgh every time you boot a client-only instance of OpenAFS. Would it? It doesn't take much hardware to handle 200-300 calls/sec.

Booting a CM involves (IIRC) 2 VLDB RPCs (getvolumebyname(root.afs) and getvolumebyid(nnn), though the latter is redundant, it's just an implementation artifact) plus 2 FS RPCs (getattr and readdir). So one dinky beatup old server could handle 50 clients rebooting every second. Given average uptimes around, say, a week, that's 86400*7*50 client-only instances of OpenAFS. We should be so lucky. (yeah, there's time, and there's another stat and readlink needed to traverse each AFS cell mountpoint, but OTOH, 200 calls per second is a pretty slow server).

Sorry, I was being vague. Operationally, having administrative rights to any
of the servers has been sufficient to get administrative rights to any of the
others, including security, as you point out.

I'm just saying that the first thing to do is make sure that possession of the
vldb service key does not permit administrative access to the kadb.
right. We're agreeing here.
We may even be able to agree here. I thought you were saying that vldb server
1 and vldb server 2 might be operated by different people who don't trust each
other. I think that's silly.

Can we agree (in deference to a decade of misguided common practice, sigh) use
"server" to mean a piece of iron and "service" to mean a possibly-replicated
process with a single key?
VLservers can't interpret the ACLs, they don't have 'em, and they're not on
the same hardware. The source volserver would have to make the vldb update
calls.
It would also have to make the vol rpcs to the target sites. Vos is a nasty
tangle, with lots of annoying failure modes that are a veritable PITA to
recover from when it is interrupted. Trapping CTRL-C helps, but really,
*services* are long-running things, client utilities are not. This approach
doesn't get messy, it gets clean...
I don't think that's necessarily unreasonable, as long as there's some way to
prevent Bob from having a replica on his server if he starts being a pest
about forcing releases every five minutes.

OK; that seems reasonable.
That works for me.
Hm. That's an interesting approach, and possibly a good change for most
cases. But I don't think it addresses the issue of separating fileserver
admins.


Let me try to present the problem in a different way. Carrying over the
terminology we agreed on above...

(1) Each cell has a number of database services - authentication
(kaserver), authorization (ptserver), and volume location. These
services may be run by the same or separate groups, but they
presently share the same service key, and thus anyone which access
to that key has privileged access to all three services. As you
mention above, these services should use separate keys, to make them
separable. While this is a desirable feature, I don't think it is
required by the openafs cell.

(2) The database services must run on multiple machins, for redundancy.
In a cell like openafs.org, it is desirable that these machines be
widely geographically distributed. It is also desirable that they
be able to be operated by administrators at the sites at which they
are located. Thus, it is desirable (and, IMHO, required for the
openafs.org cell) that the operators of one dbserver machine need
not trust the operators of another. It is also desirable that the
operators of such machines need not trust the operators of the
services that run on them.

(3) It is desirable, but not required for openafs.org, that those who
have privileged access to the filesystem contents not automatically
get access to the authorization service. Presently, these two are
both tied to membership in the system:administrators group. Note
that it is practically impossible to prevent prdb admins from getting
access to any filesystem object they want, but it may be worthwhile
to make that not automatic.

(4) Each cell has a number of fileservers, which consist of a machine
running the viced and volume services. It is desirable that the
operators of these machines and services need not be trusted by
the cell admins, except with the content of volumes stored on them.
I see this property as being critical to a cell like openafs.org.

(5) It is desirable that the cell admins need not be trusted by the
operators of fileserver machines, though they must be trusted by
the operators of the services on those machines. Again, I think
this is important for openafs.org.


(1) can be accomplished by creating separate service principals for the
authorization and volume location services (something like afs-***@cell
and afs-***@cell). Clients which support this feature should try the
new keys first, and then the old ***@cell key. Supporting old clients
is a bit trickier. It is probably OK for the vldb service to require
new clients, since only admins need authenticated access. The prdb
service presumably must accept connections authenticated using the
old ***@cell principal.

The authentication service already uses separate service keys, so there
is no problem to be solved there.

(2) and (5) boil down to allowing only server administrators to have
privileged access to a machine. This can be solved by taking several
steps...
- Don't run database services as root
- Make the bosserver use a separate, per-machine key
- Allow the bos exec, install, and getfile commands, and all
forms of remote configuration, to be disabled at compile time
or by a command-line switch.

(3) is accomplished by splitting system:administrators into two groups.
Unfortunately, it is hard to allocate a new distinguished group ID, so
the system:ptadmins group should be looked up by name when the ptserver
starts. Similarly, it may be desirable for the set of vldb admins to
be represented by a pts group, which would also be looked up by name.
I see no reason why the volserver and vlserver can't use GetCPS.

(4) basically requires that each fileserver use a separate service
principal, instead of a common one. I would suggest that such principals
be named afs-fileserver.<fqdn>@cell, but it has been suggested to me
that this would require the cache manager to do DNS lookups, which is
not desirable. I remain open to other ideas.

Backwards compatibility for fileserver clients using the ***@cell
principal is a pain. The hackish approach I see is running a service
on the database server machines that will reveal the session key for
a particular ***@cell connection to authorized fileservers. Obviously,
clients who use the old principal will be subject to snooping by
operators of fileserver services, but there's little that can be done
about that.


It has been pointed out to me out-of-band that all of the complicated
volume-level permissions that we discussed can and should be handled
by a privilege-delegation service, instead of being wired into AFS
itself.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

It doesn't seem like too much trouble.
@sys is presently handled in afs_lookup. I don't think there's anything
interesting done in readlink.

The tricky part is deciding when to treat @sys as symbolic and when
to treat it as literal...

Unfortunately, the openafs.org domain is not set up yet, and changing all
the places where that appears in the list configuration would be a pain.
So instead, I opted to add a paragraph to the bottom of the messages it
sends out, which tells you to replace "lists.openafs.org" with
"lists-openafs.central.org" until the openafs.org nameservers are set up.

Ditto. In the beginning, AFS *had* to ship an ntp, because it wasn't quite
ubiquitous. Not so any longer.

Yes and no... You can't change the value of 'sys'. That's only what the
compiled in version is.

-- Nathan

Maintaing references to viceinodes from native fs directories does not require
that the fileserver perform open-by-pathname, and I don't believe that the
linux server does so.
This is tricky, but it's not insurmountable. No harder than rewriting
fsck from scratch for several proprietary OSes without filesystem
source code.

I would suggest that the ideal approach would be - support a simple,
possibly slower, approach on ALL systems. Then, you can add the specialized
fsck/etc. as an option on any system that you have enough information to do
it.

I'd imagine that using the reiserfs specific features on linux would
probably result in an extremely fast implementation - particular for some of
the direct open stuff.

-- Nathan

Too bad IBM didn't release the java client.

But the NT client is a user-space implementation...

Oh, yeah. If rxkad v3 is going to encrypt the data with DES or 3DES then by
all means, get a new des. And since I'm not doing any of the work, it's not
really any of my business, but. I think it would make sense to use the new
AES instead.

Are there any plans for an openafs.org afs cell and contrib area similar to
that on transarc?

-- Nathan

------------------------------------------------------------
Nathan Neulinger EMail: ***@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216

I'm not sure why we really need a contrib area, as patches will
(hopefully) get applied to the OpenAFS CVS tree as they are submitted.

Also, I believe there are at least some plans to resurrect the
grand.central.org AFS Cell, though there are still some technical
issues in terms of distributing the cell.

-derek

Ah. Wasn't quite sure how open that process will be. Even still, I'd imagine
that there will still be preliminary patches, or patches not of interest to
everyone. For those, it would be nice to have a central area. (Hey, if
nothing else, it would probably be smart to have the source/copy of cvs in
afs for people to get at it that way.)

i.e. stuff like the people/ dir for the linux kernel.

-- Nathan

Because of a situation like ken's krb5 patch. Useful to plenty of people,
but the maintainers weren't interested in including more than a tiny
fraction of it, and because it wasn't available in a central location where
people could look for contributions/etc, there has been a LOT of duplication
of effort.

Granted, I'm being a bit pessimistic there, but I figure it's better to plan
ahead.

I'm also thinking things like MR-AFS, where it may not be suitable for
public consumption on the mainline, but could be very useful if you have the
infrastructure. Or for that matter "here's something I was playing with, it
doesn't work yet, but it could be useful if someone put a few hours of work
into getting it cleaned up"

If nothing else - set up a page where people can EASILY get links added to
point at contributed code/patches/etc. That way, there is one place to look
for stuff, even if it isn't added to the mainline code.

-- Nathan

it would be extremely useful if there was some way for external
developers to create branches in the central.org OpenAFS repository..

- Bill

All true. The first dbserver for the grand.central.org cell is sitting in
my machine room, waiting for me to add more memory to it and install a
fileserver. I have the memory (thanks, Derrick!), so there should be a
cell Real Soon Now(tm).

I expect the grand.central.org cell will contain copies of the releases of
major AFS implementations, documentation, and so on. It certainly seems
likely that there will be a contributed area of some sort. At the very
least, there is a need for someplace to collect contributed/third-party
tools and such.


ObOpenAFS: As Derek points out, there are some problems involved with
setting up a widely-distributed cell like grand.central.org or openafs.org
Mostly these are related to limitations in AFS's authentication model (all
servers share one key) and in the authorization model used by the
bosserver, volserver, and vlserver.

The model I envision is one where the Kerberos and pts databases are
maintained by a trusted set of individuals (presumably, members of the
system:administrators group), but fileservers can be run by anyone.
Clearly the database services need to run on machines that are trusted by
the cell's administrators. However, it is desirable that the operators of
database servers not be forced to trust _each other_.

This requires that each server machine have its own key, so that no server
operator knows the service key used by another server. This problem looks
hard, because all the clients "know" that every server uses the
***@cell.name key. However, I think that rxkad3 can enable that to change
in new clients, and a workaround for old clients, while ugly, would not be
impossible.

The authorization problem is considerably more interesting, I think. At
present, the bosserver, volserver, and vlserver each recognize a fixed set
of privileged users, identified by the contents of /usr/afs/etc/UserList.
In order to allow independent server operators to exist within one cell,
the volserver and vlserver must have more flexible authorization models.
As a first cut, I propose something like the following:


- Every server has a defined set of administrators. Presumably these
are represented by pts groups, with the vlserver storing the pts ID
of the administrator group for each server.

- Every volume has an administrator known to the vldb. This is different
from the concept of volume ownership -- volumes may be owned by users,
but a volume administrator is unlikely to be a user. This information
_may_ also have to be stored in the volume header, but I don't think so.

- The following operations are permitted to server/volume admins:

+ An admin may create a volume on any server he controls. Volume names
are presumably subject to restrictions defined by the cell admins.
A newly created volume has the same administrator as the server on
which it was created (_not_ the individual who created it)

+ An admin may move a volume he controls to a server he controls.
He need not be an administrator of the volume's old site.

+ An admin may remove any volume he controls, regardless of location.

+ An admin may rename any volume he controls, subject to the same
volume namespace restrictions as for creation.

+ An admin may add an RO site for a volume he controls to a server he
controls.

??? how to add RO sites when volume and server admin are not the same?

+ An admin may remove any RO site for a volume he controls.

+ An admin may remove any RO site on a server he controls.

+ An admin may perform a release of any volume he controls.

+ An admin may change the administrator of any volume or server he
controls.

??? Can server admins release volumes? When?


Cell admins can presumably do any of the usual operations, without
regard to who the volume and server administrators are. They also
have the ability to set volume namespace policy in some fashion.
Unfortunately, that is a complicated issue...

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

it would be extremely useful if there was some way for external
developers to create branches in the central.org OpenAFS repository..

- Bill

hutz,
I like your ideas about the trust model in general, but I also had the
following simultaneous thoughts -- not all entirely compatible with each other
-- but they're the first things that come to mind:

- I think you're biting off too big a chunk for the first pass at something
like this. Start with splitting security:administrators off from
system:administrators, which is easy, and maybe add a couple of more flexible
options for volume ownership. The other bits of "user A can create volumes on
server S but not server P" can be handled simply as a matter of policy, in
most cases.

and.

- what does it mean to say "database server operators are not forced to trust
each other", when the fact is, there's no point in cooperatively sharing a
database with someone who you don't trust completely. Really, trust means
simply "trust to update the {volume,backup,xxx} database", right?

and.

- the problem of cooperating with regions under separate administration was
why cells were invented. (that, and the fact that inventing cells was Quick
And Dirty). Aesthetically, I'd like to see a new model hew as closely to the
old one as possible. Simplicity *is* a virtue.

and

- anyone who has admin permissions on the V.1.1 fid in a volume should be able
to release it. To anywhere. This is as good a definition of "volume admin" as
we need. It does mean that the volserver would have to be able to interpret
ACLs, which is new, but the code is very modular...

and

- the flexibility is useful, even if you can't get perfect subdivision of
authority. I'm willing to accept that Joe can frig with Bob's server
somewhat, for instance, by releasing volumes which are replicated in both
places. That's awfully minor, and if Bob doesn't like it, then he can put his
own resources in his own cell, or remove the local replica on his server, or
write a script to remove it every 5 minutes.

Ok, random ramblings, granted, but let's see who hates 'em.

Wouldn't it be easier to get the pseudo-root.afs volume support implemented?

-- Nathan

I don't understand what your 'security:administrators' group is supposed
to be for. All of the major Kerberos implementations, including the
kaserver, have their own ideas about who is an admin. And the volserver
and vlserver have never used system:administrators -- they use the
superuser list, which is the inflexible bit we're trying to change.
No. Under the current model, trust means "trust to be allowed to do
absolutely anything on the server machine as root". If I have privileged
access to a fileserver machine, I can use the AFS key file to forge
tickets that allow me to access UserList-using services as if I were on
that list. That's what the -localauth switch does. Combined with the
'exec', 'getfile', and 'install' commands in bos, I can run any program as
root, and read or write any file.


I'm envisioning a cell where the various machines on which the fileservers
and database servers run are operated by different people, who should not
be forced to allow each other privileged access to their machines. This
is useful for the kind of cell we're talking about, where fileservers
essentially serve as "mirrors" of each other. It's also useful for a cell
whose fileservers are individual user's machines in dorm rooms at a
university.
Unfortunately, it also has the problem that the _vlserver_ must be able to
interpret ACL's, and so must the volservers which don't yet have a copy of
the volume. That could get messy... Certainly, the right to perform a
release should depend only on the volume permissions, and not on what
fileservers the RW and RO sites happen to live on.
Absolutely. I thought my model addressed that - the only real question is
whether a particular server admin can force a release of volumes with RO
sites on his server, even though he does not have any special rights on
the volume involved.

-- Jeff

I concur with ***@speakeasy.org that the trust needed in the
maintainers of the db servers must be total. I also point out that
while the fileservers need to trust the db servers, the db servers
need not trust the fileservers (currently of course, they do).

Is it enough to change AFS so that the db servers don't need to trust
the fileservers?
No.

For a distributed cell to have integrity of data, the people with
physical access to the fileservers need to be trusted to maintain that
integrity. There is no way to ensure that (extreme case, picture a
fileserver hacked to provide bogus volume data, to only some selected
machines). Unfortunately, the integrity of the data is the primary
purpose of the envisioned distributed openafs/default cell.

So given that you can never know for sure when the trust in a
distributed fileserver is violated, i.e. some trust *has* to be
assumed, two questions come to mind.
How much trust should be assumed?
Can the security model of AFS be modified to accomodate the desired
level of assumed trust *without* breaking the more conventional model
for setting up a cell?

Once there is some concensus about the trust levels assumed, then a
discussion about how to redisign the AFS security model can continue.

--Ted

Jeff wrote:
Certainly, the right to perform a
release should depend only on the volume permissions, and not on what
fileservers the RW and RO sites happen to live on.

Incorrect. For example, the maintainer of the server with an RO site
may have constraints regarding the free space available which he could
not control if a volume admin could freely re-release any volume with
an RO already on that site.

--Ted

Mm. Interesting point. Can a server admin adjust the quotas of the volumes
that have replicas on his server? If not, he could be in some trouble.

Any thoughts about completing the "minquota" work? In other words, a
guaranteed reserved disk usage for a particular volume?

For the sake of the failover code, it helps that there are only ever two
versions of a volume in existence at any one point in time, and that state
really shouldn't exist for very long. Redundancy suffers quite a bit when
there are two versions extant, as failover must only be permitted going
forward in time, never backward.

Push ensures that the oldest version goes away ASAP.
Sounds like IFS. Or XFS. Dig around and see if you can find the papers.

This has been suggested before. I don't recall ever hearing any arguments
against, and it's pretty easy to do in afs_lookup() if you require that they
all start with '@'.


I concur with Russ that *what* the @sys values are is not all that important.
Also, remember not to confuse 'sys' and @sys. They are completely independent
of each other.

This has been suggested before. I don't recall ever hearing any arguments
against, and it's pretty easy to do in afs_lookup() if you require that they
all start with '@'.


I concur with Russ that *what* the @sys values are is not all that important.
Also, remember not to confuse 'sys' and @sys. They are completely independent
of each other.

The default cell is root.afs, and a time source. AFSDB support or other dynamic configuration would obviate the need.

Even so, a distributed default cell needn't have distributed
administration.

And even then, the CM presently doesn't know how to choose a "best" VL server or root.afs server without trying them first -- the subnet mask proximity guesses just aren't going to help your Somali friend. So a few packets are likely to travel to Pittsburgh -- splitting up the administration isn't going to help with this problem.

Even so, it's hardly the end of the world to make a half-dozen RX RPCs from Somalia to Pittsburgh every time you boot a client-only instance of OpenAFS. Would it? It doesn't take much hardware to handle 200-300 calls/sec.

Booting a CM involves (IIRC) 2 VLDB RPCs (getvolumebyname(root.afs) and getvolumebyid(nnn), though the latter is redundant, it's just an implementation artifact) plus 2 FS RPCs (getattr and readdir). So one dinky beatup old server could handle 50 clients rebooting every second. Given average uptimes around, say, a week, that's 86400*7*50 client-only instances of OpenAFS. We should be so lucky. (yeah, there's time, and there's another stat and readlink needed to traverse each AFS cell mountpoint, but OTOH, 200 calls per second is a pretty slow server).

Sorry, I was being vague. Operationally, having administrative rights to any
of the servers has been sufficient to get administrative rights to any of the
others, including security, as you point out.

I'm just saying that the first thing to do is make sure that possession of the
vldb service key does not permit administrative access to the kadb.
right. We're agreeing here.
We may even be able to agree here. I thought you were saying that vldb server
1 and vldb server 2 might be operated by different people who don't trust each
other. I think that's silly.

Can we agree (in deference to a decade of misguided common practice, sigh) use
"server" to mean a piece of iron and "service" to mean a possibly-replicated
process with a single key?
VLservers can't interpret the ACLs, they don't have 'em, and they're not on
the same hardware. The source volserver would have to make the vldb update
calls.
It would also have to make the vol rpcs to the target sites. Vos is a nasty
tangle, with lots of annoying failure modes that are a veritable PITA to
recover from when it is interrupted. Trapping CTRL-C helps, but really,
*services* are long-running things, client utilities are not. This approach
doesn't get messy, it gets clean...
I don't think that's necessarily unreasonable, as long as there's some way to
prevent Bob from having a replica on his server if he starts being a pest
about forcing releases every five minutes.

OK; that seems reasonable.
That works for me.
Hm. That's an interesting approach, and possibly a good change for most
cases. But I don't think it addresses the issue of separating fileserver
admins.


Let me try to present the problem in a different way. Carrying over the
terminology we agreed on above...

(1) Each cell has a number of database services - authentication
(kaserver), authorization (ptserver), and volume location. These
services may be run by the same or separate groups, but they
presently share the same service key, and thus anyone which access
to that key has privileged access to all three services. As you
mention above, these services should use separate keys, to make them
separable. While this is a desirable feature, I don't think it is
required by the openafs cell.

(2) The database services must run on multiple machins, for redundancy.
In a cell like openafs.org, it is desirable that these machines be
widely geographically distributed. It is also desirable that they
be able to be operated by administrators at the sites at which they
are located. Thus, it is desirable (and, IMHO, required for the
openafs.org cell) that the operators of one dbserver machine need
not trust the operators of another. It is also desirable that the
operators of such machines need not trust the operators of the
services that run on them.

(3) It is desirable, but not required for openafs.org, that those who
have privileged access to the filesystem contents not automatically
get access to the authorization service. Presently, these two are
both tied to membership in the system:administrators group. Note
that it is practically impossible to prevent prdb admins from getting
access to any filesystem object they want, but it may be worthwhile
to make that not automatic.

(4) Each cell has a number of fileservers, which consist of a machine
running the viced and volume services. It is desirable that the
operators of these machines and services need not be trusted by
the cell admins, except with the content of volumes stored on them.
I see this property as being critical to a cell like openafs.org.

(5) It is desirable that the cell admins need not be trusted by the
operators of fileserver machines, though they must be trusted by
the operators of the services on those machines. Again, I think
this is important for openafs.org.


(1) can be accomplished by creating separate service principals for the
authorization and volume location services (something like afs-***@cell
and afs-***@cell). Clients which support this feature should try the
new keys first, and then the old ***@cell key. Supporting old clients
is a bit trickier. It is probably OK for the vldb service to require
new clients, since only admins need authenticated access. The prdb
service presumably must accept connections authenticated using the
old ***@cell principal.

The authentication service already uses separate service keys, so there
is no problem to be solved there.

(2) and (5) boil down to allowing only server administrators to have
privileged access to a machine. This can be solved by taking several
steps...
- Don't run database services as root
- Make the bosserver use a separate, per-machine key
- Allow the bos exec, install, and getfile commands, and all
forms of remote configuration, to be disabled at compile time
or by a command-line switch.

(3) is accomplished by splitting system:administrators into two groups.
Unfortunately, it is hard to allocate a new distinguished group ID, so
the system:ptadmins group should be looked up by name when the ptserver
starts. Similarly, it may be desirable for the set of vldb admins to
be represented by a pts group, which would also be looked up by name.
I see no reason why the volserver and vlserver can't use GetCPS.

(4) basically requires that each fileserver use a separate service
principal, instead of a common one. I would suggest that such principals
be named afs-fileserver.<fqdn>@cell, but it has been suggested to me
that this would require the cache manager to do DNS lookups, which is
not desirable. I remain open to other ideas.

Backwards compatibility for fileserver clients using the ***@cell
principal is a pain. The hackish approach I see is running a service
on the database server machines that will reveal the session key for
a particular ***@cell connection to authorized fileservers. Obviously,
clients who use the old principal will be subject to snooping by
operators of fileserver services, but there's little that can be done
about that.


It has been pointed out to me out-of-band that all of the complicated
volume-level permissions that we discussed can and should be handled
by a privilege-delegation service, instead of being wired into AFS
itself.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA

see ftp://ftp.cmf.nrl.navy.mil/pub/chas/openafs/solaris8.diffs
for a set of patches that will allow openafs to compile and run on a
solaris 8 system.

i havent extensively tested these patches but since the changes were
pretty minimal so i am hoping it will be fairly stable. its been
running about a week w/o any trouble on a desktop machine.

some notes:

ntp isnt built (solaris8 comes w/ this as part of the o/s?)
syscall number is 101 (might need to change to agree with transarc afs)
no testing of afs server functionality
there are a couple warnings during compile that should be 'fixed' (mostly
related to struct timeval)

It doesn't seem like too much trouble.
@sys is presently handled in afs_lookup. I don't think there's anything
interesting done in readlink.

The tricky part is deciding when to treat @sys as symbolic and when
to treat it as literal...

Unfortunately, the openafs.org domain is not set up yet, and changing all
the places where that appears in the list configuration would be a pain.
So instead, I opted to add a paragraph to the bottom of the messages it
sends out, which tells you to replace "lists.openafs.org" with
"lists-openafs.central.org" until the openafs.org nameservers are set up.

Ditto. In the beginning, AFS *had* to ship an ntp, because it wasn't quite
ubiquitous. Not so any longer.

I'm currently working on porting openafs to NetBSD. [I'm most of the
way through getting the userland code to build at the moment..]

Have the gatekeepers come up with any coding conventions, standards,
baseline assumptions, etc?

It appears that a bunch of the accreted layers of ifdefs would be
significantly cleaned up if we could just assume a baseline of ANSI C
and POSIX.1 .. i.e., use <termios.h> for terminal manipuation,
strerror() instead of sys_errlist[], assume vfprintf exists rather
than defining it in terms of _doprnt(), etc., etc., etc.

Are the gatekeepers likely to accept changes which assume an ANSI
compiler and a POSIX.1 environment in userland?

Is anyone interested in testing some of these changes on other
platforms prior to submission to the gatekeepers?

Oh, and is anyone working on replacing the archaic Steve Miller DES
implementation with something better/faster/smaller/easier to build?

- Bill

Maintaing references to viceinodes from native fs directories does not require
that the fileserver perform open-by-pathname, and I don't believe that the
linux server does so.
This is tricky, but it's not insurmountable. No harder than rewriting
fsck from scratch for several proprietary OSes without filesystem
source code.

Too bad IBM didn't release the java client.

But the NT client is a user-space implementation...

Oh, yeah. If rxkad v3 is going to encrypt the data with DES or 3DES then by
all means, get a new des. And since I'm not doing any of the work, it's not
really any of my business, but. I think it would make sense to use the new
AES instead.

I'd support an alternate interface between afsd and the cache manager
which used NFS-style file handles rather than inode numbers to
identify cache files. This would also allow a cache to be split
across multiple partitions.

(NetBSD 1.5 supports fhopen(), fhstat() and fhstatfs() system calls to
allow use of file handles by applications other than NFS)

- Bill

And it's persistent. Is the squid cache persistent across reboots?

This doesn't let you easily create shortcuts.. For example, I like
being able to access /afs/athena, /afs/sipb, /afs/dev, and other MIT
shorthands.

I don't like these shortcuts. They defeat the universal namespace, which is
one of the best things about afs.

Through a mount point somewhere in root.cell?

I'd support an alternate interface between afsd and the cache manager
which used NFS-style file handles rather than inode numbers to
identify cache files. This would also allow a cache to be split
across multiple partitions.

(NetBSD 1.5 supports fhopen(), fhstat() and fhstatfs() system calls to
allow use of file handles by applications other than NFS)

- Bill

And it's persistent. Is the squid cache persistent across reboots?

This doesn't let you easily create shortcuts.. For example, I like
being able to access /afs/athena, /afs/sipb, /afs/dev, and other MIT
shorthands.

I don't like these shortcuts. They defeat the universal namespace, which is
one of the best things about afs.

Through a mount point somewhere in root.cell?