Re: [PATCH Version 5 3/5] SUNRPC new rpc_credops to test credential expiry

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 2013-08-14 at 11:59 -0400, andros@xxxxxxxxxx wrote:
> From: Andy Adamson <andros@xxxxxxxxxx>
> 
> This patch provides the RPC layer helper functions to allow NFS to manage
> data in the face of expired credentials - such as avoiding buffered WRITEs
> and COMMITs when the gss context will expire before the WRITEs are flushed
> and COMMITs are sent.
> 
> These helper functions enable checking the expiration of an underlying
> credential key for a generic rpc credential, e.g. the gss_cred gss context
> gc_expiry which for Kerberos is set to the remaining TGT lifetime.
> 
> A new rpc_authops key_timeout is only defined for the generic auth.
> A new rpc_credops crkey_to_expire is only defined for the generic cred.
> A new rpc_credops crkey_timeout is only defined for the gss cred.
> 
> Set a credential key expiry watermark, RPC_KEY_EXPIRE_TIMEO set to 240 seconds
> as a default and can be set via a module parameter as we need to ensure there
> is time for any dirty data to be flushed.
> 
> If key_timeout is called on a credential with an underlying credential key that
> will expire within watermark seconds, we set the RPC_CRED_KEY_EXPIRE_SOON
> flag in the generic_cred acred so that the NFS layer can clean up prior to
> key expiration.
> 
> Checking a generic credential's underlying credential involves a cred lookup.
> To avoid this lookup in the normal case when the underlying credential has
> a key that is valid (before the watermark), a notify flag is set in
> the generic credential the first time the key_timeout is called. The
> generic credential then stops checking the underlying credential key expiry, and
> the underlying credential (gss_cred) match routine then checks the key
> expiration upon each normal use and sets a flag in the associated generic
> credential only when the key expiration is within the watermark.
> This in turn signals the generic credential key_timeout to perform the extra
> credential lookup thereafter.
> 
> Signed-off-by: Andy Adamson <andros@xxxxxxxxxx>
> ---

Applied.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
��.n��������+%������w��{.n�����{��w���jg��������ݢj����G�������j:+v���w�m������w�������h�����٥
[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux