secinfo and so on
J. Bruce Fields
bfields at fieldses.org
Mon Jun 18 11:50:06 EDT 2007
On Tue, May 22, 2007 at 12:54:00PM -0400, J. Bruce Fields wrote:
> On Tue, May 22, 2007 at 05:10:09PM +1000, Neil Brown wrote:
> > However I'd like to see the nfs-utils side before giving a stamp of
> > approval. It's always best to make sure one has to full picture
> > before committing to something.
>
> Sure. I should probably give it a quick review first. Not sure
> when--I'm on vacation in Toronto now, but I'm not much of a sight-seer,
> so I may be doing a little more work in the mornings. But in the worst
> case I'll get back to this next week.
So much for my predictions. Anyway, here you go. I think the main
missing piece is documentation. The basic idea:
We add support for options of the form "sec=krb5:krb5i:krb5p" in the
/etc/exports file. The order flavors are listed in is order they will
be returned to the client in on secinfo calls, so preferred flavors
should be listed first.
The order of the "sec=" option with respect to other export options
doesn't matter, unless you want some option (such as "ro") to vary
according to the security flavor used, in which case you can use
multiple "sec=" options, with other options applying to the flavors in
the most recently listed "sec=" option. so, for example:
/export *(sec=krb5,ro,sec=kr5i,rw)
grants access to /exports to krb5 and krb5i users, but gives write
access only to krb5i users.
I'm also sending a long a couple minor unrelated nfs-utils patches.
--b.
More information about the NFSv4
mailing list