[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Henry B. Hotz hotz at jpl.nasa.gov
Mon Mar 27 21:32:45 EST 2006 

On Mar 27, 2006, at 4:48 PM, Jeffrey Hutzelman wrote:

> On Monday, March 20, 2006 01:19:08 AM -0800 "Henry B. Hotz"  
> <hotz at jpl.nasa.gov> wrote:
>
>> Just to be clear my desire is that OpenAFS provide a documented
>> interface (like Heimdal kafs) that can be used by different people on
>> different OS's to provide whatever hooks are appropriate to that OS.
>
> OpenAFS provides a stable, documented API for examining and  
> manipulating tokens and PAG's, in the form of the 'pioctl' and  
> 'setpag' calls in libsys (if you'd rather not have Rx dependencies,  
> you can use 'lpioctl' and 'lsetpag' instead, but then you sacrifice  
> the ability for your application to work correctly with an NFS  
> translator).

Man page?  (At least the aklog program has a man page.)

>> With all respect to Jeffrey, I think it is "not Mac" to have one part
>> of the system showing you something that's inconsistent with another
>> part.
>
> Nonsense.  It is entirely appropriate to show you something you  
> think is inconsistent if that is in fact the state of the system.

Only if it isn't possible to cause the discrepancy to go away.  If  
you can keep the two stores consistent then you have done your users  
a big favor by reducing the complexity of their interface.

In this case it isn't possible because MIT has defined, but not  
implemented, the interface needed to keep the two stores in sync  
(krb5_cc_remove_cred()).  There may be other reasons why it's  
difficult, maybe even impossible.

I think the status quo stinks.  I think this is a problem.  (I don't  
deny that AFS has other, bigger problems.)  It's been a problem for  
so long that everyone takes it for granted and writes FAQ entries  
instead of tying to find ways to fix it.  While you may disagree, I  
would hope that you don't prevent others from trying.

> The only think "inconsistent" about having an AFS service ticket  
> and no token is that you make the (false) assumption that you  
> always have either both or neither. There are a wide variety of  
> possible reasons for this to be untrue:
>
> - failure to set tokens
Then delete the service ticket, like I said in the beginning.

> - pagsh (i.e. changing PAG's without changing ccache's)
> - changing ccache's without changing PAG's

These two only become relevant when we have PAG's.  Currently we  
don't on MacOS.

If I ruled the universe I would require an Apple PAG mechanism that  
was identical to a ccache and had an "inspector"-like UI so you could  
look at what tickets/tokens a given window had.  Also would give you  
a "newPAG" button you could apply.  I doubt I can get this, even if I  
put the time into defining it properly, but it would be cool.

I have a request in with MIT to provide ccache functionality closer  
to PAG's.

> - explicit klog
Obsolete, no longer supported.  ;-)  At least use klog.krb (which  
should create ccache entries and keep things in sync, but probably  
doesn't.)
> - explicit unlog (without kdestroy)
Should do a kdestroy.
> - explicit kdestroy (without unlog)
Should do an unlog.

Need I go on?  If you start from the existing UI, and take the  
position that any additional UI complexity is to be avoided where  
technically possible, then I think my arguments may make more sense.
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list