Subject: per thread credentials
From: Conrad Meyer <cem at freebsd.org>
Date: Fri Dec 7 16:53:26 UTC 2018

On Fri, Dec 7, 2018 at 2:37 AM Jack Halford <jack at gandi.net> wrote:
>
> hello,
>
> Gandi.net has need of per-thread credentials for a file server. There
> have been prior discussions in a thread[1] in 2009 and also a design[2]
> has been written out on the wiki in 2011. I'm in the process of
> implementing this design.
>...
>
> [1] https://lists.freebsd.org/pipermail/freebsd-arch/2009-May/009300.html
> [2] https://wiki.freebsd.org/Per-Thread%20Credentials

Both of these came out of Isilon. I think we ended up with special
credential file descriptors, rather than using uid_t's and gid_t's
directly, because of a need for compatibility with arbitrary Windows
LDAP users ("SID"s?) not present in the local id database.

I can't speak to why it didn't land before — I wasn't really around
for that, and there's a 50-50 chance we just didn't want to put in the
effort — but we still use something similar now. Zach Loafman left
the company long ago and hasn't been an active FreeBSD committer in
quite some time, and ditto mdf@. Committers at Isilon now are me,
bdrewery@, vangyzen@, dab@, rstone@, and pho@, but none of us are
really involved with what Isilon calls "AIMA" (Authentication,
Identity Management, Authorization).

The APIs we use today look like (syscalls.master entries):

    663	AUE_NULL	STD	{ int modifytcred2(int fd, \
    				    struct native_token *token, \
    				    int flags); }
    664	AUE_NULL	STD	{ int modifytcred(int fd1, int fd2, \
    				    int flags); }
    665	AUE_NULL	STD	{ int accesstcred(char *path, int flags, \
    				    int fd); }
    666	AUE_NULL	STD	{ int buildtcred(struct native_token *token, \
    				    int current); }
    667	AUE_NULL	STD	{ int gettcred(char *user, int thread); }
    668	AUE_NULL	STD	{ int settcred(int fd, int flags, \
    				    struct native_token *token); }
    669	AUE_NULL	STD	{ int reverttcred(void); }
    670	AUE_NULL	STD	{ int restricttcred(int fd, \
    				    struct native_token *token); }

Best,
Conrad