[Labeled-nfs] Current status
Joshua Brindle
method at manicmethod.com
Thu Jul 26 14:54:58 EDT 2007
Karl MacMillan wrote:
> Joshua Brindle wrote:
>> James Morris wrote:
>>
>>> On Wed, 25 Jul 2007, Joe Nall wrote:
>>>
>>>
>>>> Looks good. I'm a little concerned about the potential complexity
>>>> of the DOI
>>>> negotiation and mapping. It is not clear to me that the complexity is
>>>> warranted by real world requirements.
>>>>
>>> What we intend to do is to at least identify where DOI needs to be
>>> considered, to ensure that it is part of the underlying design and
>>> not something which has to be added later as an afterthought.
>>>
>>>
>>
>> One thing I think needs to be part of the plan from the beginning is
>> doing context translation regardless of the DOI being the same or
>> not, it isn't reasonable to assume every machine within a single
>> administrative domain will be running the exact same policy (even if
>> it's the same policy "type"). For example, just because my MySQL
>> server has mysql types for databases doesn't mean my backup server
>> will, it needs to be able to translate the file types to something
>> that makes sense to the backup server to back them up. This is the
>> same idea we had behind doing translation in racoon (which patches
>> still haven't been upstreamed unfortunately).
>>
>> IMO a sufficiently complex administrative domain would have a common
>> intermediary representation of contexts that can be translated by any
>> machine accessing the files without having the exact same policies
>> domain-wide.
>>
>>
>
> I don't think I agree that context translation within a DOI should
> automatically be a requirement - it is just one way to solve the
> problem. It seems much simpler to me for a DOI to be a single
> namespace and force people to use additional DOIs to represent the
> scenario you describe above.
>
I didn't say it should automatically be required, only that it should
automatically be available. DOIs are *not* a good way to solve the
scenario I described as every machine would have to know about every DOI
and every machine exposing different contexts would have to have a
different DOI. The common intermediate language instead represents the
DOI and lets each machine decide how to translate out of the common
language to local contexts.
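
The common intermediate representation argued for in the message above, sketched as an added example (not code from the thread, racoon, or any labeled-NFS implementation). The host names, the common labels, the `backup_store_t` type, the wire format and the pass-through of the MLS level are all assumptions made for illustration.

```python
# Added illustration: all labels, maps and host names here are constructed.
class Host:
    """A machine that knows only its own map to and from the common language."""

    def __init__(self, name, to_common, from_common, fallback_type):
        self.name = name
        self.to_common = to_common          # local type -> common label
        self.from_common = from_common      # common label -> local type
        self.fallback_type = fallback_type  # local type for unknown labels

    def export_context(self, context):
        """Turn a local user:role:type:level context into the wire form."""
        _user, _role, local_type, level = context.split(":", 3)
        if local_type not in self.to_common:
            # Fail closed rather than leak a type the peer cannot interpret.
            raise ValueError(f"{self.name}: no common label for {local_type}")
        return {"label": self.to_common[local_type], "level": level}

    def import_context(self, wire):
        """Turn the wire form into a context valid under the local policy."""
        local_type = self.from_common.get(wire["label"], self.fallback_type)
        # Assumption: the MLS level is shared and passes through unchanged.
        return f"system_u:object_r:{local_type}:{wire['level']}"


def transfer(src, dst, context):
    """Label as dst sees it for an object labeled `context` on src."""
    return dst.import_context(src.export_context(context))


# The database server has MySQL types; the backup server does not.
db = Host("db", {"mysqld_db_t": "database-data"},
          {"database-data": "mysqld_db_t"}, "unlabeled_t")
backup = Host("backup", {"backup_store_t": "archived-data"},
              {"database-data": "backup_store_t"}, "unlabeled_t")

if __name__ == "__main__":
    print(transfer(db, backup, "system_u:object_r:mysqld_db_t:s0:c1,c2"))
```

Neither host holds the other's policy or a per-peer table: each carries one map to the common labels, and a label it does not recognise falls back to a restrictive local type.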