AFS Per-File ACLs. Marc Dionne, TechnoConseil. Outline: Introduction, History, Issues - Protocol and semantics, Issues - Implementation, Issues - Compatibility.

Presentation transcript:

AFS Per-File ACLs Marc Dionne TechnoConseil

Outline
- Introduction
- History
- Issues - Protocol and semantics
- Issues - Implementation
- Issues - Compatibility
- Current status
- What's next

Introduction
- AFS user/administrator/developer for 15 years
- Mainly involved in development over the past few years
  – Linux client kernel updates, bugs, some improvements
  – Code cleanup efforts
- Looking for a more substantial and challenging contribution

Introduction
- AFS only allows ACLs to be set at the directory level
  – All files share this ACL
- Disadvantage compared to other local or network filesystems
- Users new to AFS expect ACLs to work on files
- Need workarounds for common situations: dot files, .mailrc, etc.
  – Some files need to be in a common location, but need different rights
- Some demand for this feature in the community

History
- Had questions about the feasibility – in particular the impact on the client side
- Coded an initial prototype – June 2009 – over a weekend
  – Simplest implementation possible
    * New special file for file ACLs, parallels small vnode index – 1 slot per file
    * Existing ACL RPCs
- Encouraging - surprisingly stable and functional
  – Very few changes needed on the Unix client... but some issues lurking
- Discussions on afs3-std and other venues
- Several revisions since then

Issues - Protocol and semantics
- Current AFS protocol does not specify ACL operations on files
  – Requires new RPCs: fetchACL and storeACL
- Inheritance semantics need to be defined
  – Are ACLs inherited, when, how
    * Inherit until set
    * Inherit always
  – How does an ACL change on a directory affect files
- Aim for least surprise for current AFS users
- Behaviour of client tools
  – fs setacl, listacl
  – vos move, restore, etc.

Issues - Compatibility
- General
  – All combinations of current and new clients and servers should interoperate reasonably
  – OK to restrict new functionality – limit access to files that have an ACL with broader access than the parent
  – But not OK to expose files that file ACLs should make unreadable
- Servers and clients need to be aware of the other side’s status
  – Use client and file server capability bits in OpenAFS
  – Capabilities exchange for Unix client recently merged

Issues - Compatibility
- Current clients can leak cached data
  – They assume directory rights apply to all files, but rights may now vary per file
  – Scenario
    * Users A and B can read directory D
    * File F has a file ACL that allows A to read, but not B
    * A reads F, data is brought into the cache
    * B tries to read F, cache manager assumes rights to D apply, and happily returns data
  – Possible solution: artificially restrict rights
    * Fiddle with the returned user rights on the server side, or the file mode bits
    * Compute most restrictive rights for that user for all files within a directory – return the same rights for all files
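The leak scenario and the "most restrictive rights" mitigation from this slide, as an added example (not code from the presentation or from OpenAFS). The rights bits, the structure and all function names are assumptions of this model, as is user A's write right on D.

```c
#include <stdio.h>

enum { R_READ = 1, R_WRITE = 2 };  /* illustrative bits, not a protocol definition */

struct file_entry {
    int has_file_acl;  /* 0: file inherits the directory ACL */
    int file_rights;   /* this user's rights under the file ACL */
};

/* Rights the user actually holds on one file. */
static int effective_rights(int dir_rights, const struct file_entry *f)
{
    return f->has_file_acl ? f->file_rights : dir_rights;
}

/* Answer for a client without file-ACL support: the intersection of the
 * user's rights over all files, so one answer can never over-grant. */
int legacy_rights(int dir_rights, const struct file_entry *files, int n)
{
    int r = dir_rights;
    for (int i = 0; i < n; i++)
        r &= effective_rights(dir_rights, &files[i]);
    return r;
}

/* Legacy cache manager: one rights value decides every cached file. */
int legacy_cache_serves(int reported) { return (reported & R_READ) != 0; }

/* Constructed scenario for user B: F carries a file ACL, G inherits D. */
int user_b_reads_cached_f(int restrict_rights)
{
    struct file_entry files[] = { { 1, 0 } /* F */, { 0, 0 } /* G */ };
    int dir = R_READ;  /* B can read directory D */
    return legacy_cache_serves(restrict_rights ? legacy_rights(dir, files, 2) : dir);
}

/* User A: assumed here to hold read and write on D, read-only on F. */
int user_a_reported_rights(void)
{
    struct file_entry files[] = { { 1, R_READ } /* F */, { 0, 0 } /* G */ };
    return legacy_rights(R_READ | R_WRITE, files, 2);
}

int main(void)
{
    printf("B unrestricted=%d restricted=%d; A reported=%d\n",
           user_b_reads_cached_f(0), user_b_reads_cached_f(1), user_a_reported_rights());
    return 0;
}
```

With the restriction, B is refused the cached copy of F but also loses read on G, and A loses write on G: the mitigation trades functionality for legacy clients against exposure, which is the trade-off the General slide accepts.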

Issues - Compatibility
- Windows
  – Tests showed the Windows client reacted badly with files more restricted than the parent directory
    * Mainly lengthy hangs in explorer
  – Commit 9e8ae43b introduced a registry key to correct this behaviour
    * Should be activated based on server capabilities
  – Same solution should apply – return most restrictive rights in the directory
- Volume moves and restores
  – Prevent data (ACLs) loss while moving volumes to an older server
  – Allow forced moves

Issues - Implementation
- Changes are required to the existing on-disk structures
- On-disk Vnode structure is full
  – RXOSD already repurposes some elements (vnode “magic”)
  – Really need a pointer in the Vnode – alternatives are much more complex (hashing, etc.)
  – Current scheme requires a power of 2 size
    * Small vnode size would have to double
    * May be a concern for sites with large numbers of files
- Volume header is nearly full
  – RXOSD repurposes an existing file pointer
- New volume data (file ACLs) need to be preserved across volume clone, dump, restore and move operations
  – New dump tags

Current status
- Prototype implementation
  – Published as a github clone:
- New per volume special file for file ACLs
  – Reference counted entries, although 1 entry per file currently
  – Linked entries to track available slots
- Reuse “magic” field in on-disk vnode structure as an ACL pointer
  – known conflict with RXOSD
- In memory, file ACL follows the on-disk vnode structure (similar to directories)
  – ACL is stored and read along with the Vnode (VnLoad, VnStore)
  – ACL modification triggers vnode writeback

Current Status
- New fetchACL and storeACL RPCs defined and used
  – Identical signature to current RPCs
  – New clearACL RPC needed
- Client capability identifies file ACL support
  – Used to determine whether fileserver should restrict rights
    * Rights restrictions not implemented yet
    * Some security concerns whether it's acceptable to rely on capabilities to trigger this
- Server capability
  – Clients know not to assume that directory rights apply to all files
  – Clients use new ACL RPCs

Current Status
- Inherit until set semantics
  – Once a file ACL is set, it is “detached” from the parent - ACL changes to the parent will no longer affect it
  – New files have no file ACL – parent ACL applies
  – fetchACL returns a special value to indicate no ACL
  – New clearACL RPC to re-attach to parent ACL
- listacl
  – Show file ACL, or an indication that there is none
  – Option to show effective ACL
- Volume dumps
  – New tag identifies a file ACL
  – ACL retrieved from special file and added to dump if needed
  – On restore, insert ACL into target volume special file
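The "inherit until set" semantics from this slide, as an added example (not code from the presentation or from OpenAFS). The `NO_FILE_ACL` value, the local function signatures and the reduction of an ACL to one user's rights bitmask are assumptions of this model.

```c
#include <stdio.h>

/* Stand-in for the "special value"; the slides do not give the real one. */
#define NO_FILE_ACL (-1)

/* An ACL is reduced to one user's rights bitmask to keep the model small. */
struct dir  { int acl; };
struct file { struct dir *parent; int acl; };  /* NO_FILE_ACL while attached */

/* Local models of the three RPCs named on the slides (signatures assumed). */
int  fetch_acl(const struct file *f)       { return f->acl; }
void store_acl(struct file *f, int rights) { f->acl = rights; }       /* detaches */
void clear_acl(struct file *f)             { f->acl = NO_FILE_ACL; }  /* re-attaches */

/* What a listacl "effective ACL" option would have to resolve. */
int effective_acl(const struct file *f)
{
    return fetch_acl(f) == NO_FILE_ACL ? f->parent->acl : f->acl;
}

/* Audit helper: files that a directory ACL change will not reach. */
int count_detached(const struct file *files, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        c += fetch_acl(&files[i]) != NO_FILE_ACL;
    return c;
}

/* Create, set a file ACL, revoke on the directory, then clear. */
void walk(int out[4])
{
    struct dir d = { 3 };                 /* constructed: read + write */
    struct file f = { &d, NO_FILE_ACL };
    out[0] = effective_acl(&f);           /* new file: parent ACL applies */
    store_acl(&f, 3);                     /* file now carries its own ACL */
    d.acl = 0;                            /* access removed on the directory */
    out[1] = effective_acl(&f);           /* detached: directory change ignored */
    out[2] = count_detached(&f, 1);
    clear_acl(&f);
    out[3] = effective_acl(&f);           /* re-attached: revocation now applies */
}

int main(void)
{
    int r[4];
    walk(r);
    printf("new=%d after-dir-revoke=%d detached=%d after-clear=%d\n", r[0], r[1], r[2], r[3]);
    return 0;
}
```

Under these semantics, revoking access on a directory leaves detached files untouched, so an administrator tightening a directory ACL also needs to enumerate the files that carry their own ACL.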

What's Next
- Get consensus on and document protocol changes and semantics (afs3-std)
- RPC refresh – new ACL RPCs
- Consensus on on-disk structures and implementation, particularly the possible Vnode expansion
- Unimplemented features
  – Restrict rights for legacy clients
  – Windows client changes
  – Volume manipulation safeguards
  – Documentation changes
- Goal: keep the scope under control
  – Better chances of getting it done and integrated in a reasonable timeframe

Parting thoughts
- Code is easy - getting consensus is harder
  – Small number of key people
  – Few opinions, some disagreement
- File server code is more intuitive than cache manager code
  – And userspace code is easier to debug than a kernel module
  – But bugs can be more painful...
- Dependencies and links with other pending work don't help
  – RPC refresh, out of tree projects (RXOSD)
  – Other ongoing or potential projects: alternate data streams, extended attributes, etc.

Thank you
Questions or comments?