On Oct 16, 2013, at 4:36 PM, "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> wrote:

> On Fri, 2013-10-11 at 14:44 -0400, Weston Andros Adamson wrote:
>> This patch adds support for multiple security options which can be
>> specified using a colon-delimited list of security flavors (the same
>> syntax as nfsd's exports file).
>>
>> This is useful, for instance, when NFSv4.x mounts cross SECINFO
>> boundaries. With this patch a user can use "sec=krb5i,krb5p"
>> to mount a remote filesystem using krb5i, but can still cross
>> into krb5p-only exports.
>>
>> New mounts will try all security options before failing. NFSv4.x
>> SECINFO results will be compared against the sec= flavors to
>> find the first flavor in both lists or if no match is found will
>> return EPERM.
>>
>> This patch cleans up some of the auth flavor logic by separating
>> the parsed mount options from the currently selected flavor and
>> sharing more code between the 'no sec= specified' and 'sec= specified'
>> code paths.
>>
>> Along with this patch I'm posting a patch to nfs-util's nfs.man to
>> reflect these changes.
>>
>> I wrote a script to verify that I haven't broken anything, it tests
>> all vers= and sec= combinations against a server with the exports:
>>
>> /export/sys *(sec=sys,rw,no_root_squash)
>> /export/krb5a *(sec=krb5,rw,no_root_squash)
>> /export/krb5i *(sec=krb5i,rw,no_root_squash)
>> /export/krb5p *(sec=krb5p,rw,no_root_squash)
>> /export/krb5ip *(sec=krb5i:krb5p,rw,no_root_squash)
>> /export/krb5aip *(sec=krb5:krb5i:krb5p,rw,no_root_squash)
>>
>> The script runs these tests against all exports, and the versions NFSv3,
>> v4.0, v4.1:
>> - no sec= options
>> - all single sec= options
>> - all combinations of multiple sec= options
>> - no sec= SECINFO (mount / then ls export dir, v4.x only)
>> - single sec= SECINFO (mount / then ls export dir, v4.x only)
>> - all combinations of multiple sec= SECINFO (mount / then ls export dir,
>>   v4.x only)
>>
>> Signed-off-by: Weston Andros Adamson <dros@xxxxxxxxxx>
>
> Can you please split this up? It seems to me that there are at least 3
> patches here:
>
> 1. Refactor code to introduce struct nfs_auth_info
> 2. Cache struct nfs_auth_info in struct nfs_server
> 3. Extend the mount code to allow multiple auth flavours in the
>    'sec=' mount options

Sounds good.

-dros

>
> Thanks
> Trond
>
> --
> Trond Myklebust
> Linux NFS client maintainer
>
> NetApp
> Trond.Myklebust@xxxxxxxxxx
> www.netapp.com
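
The flavor selection described in the quoted commit message, sketched as an added example that is not part of this thread or of the posted patch: it parses a colon-delimited `sec=` list and matches it against a SECINFO reply, returning `-EPERM` when the server offers nothing the mount allows. The names `auth_info`, `parse_sec`, `pick_flavor` and the flavor ids are hypothetical, and giving the server's SECINFO order precedence is an assumption, since the message only says "the first flavor in both lists".

```c
#include <errno.h>
#include <string.h>

#define MAX_FLAVORS 8
/* Sketch-only flavor ids (hypothetical values, not the kernel's constants). */
enum { SEC_SYS = 1, SEC_KRB5, SEC_KRB5I, SEC_KRB5P };
struct auth_info { unsigned int count; int flavors[MAX_FLAVORS]; };

static int flavor_from_name(const char *s, size_t len)
{
    static const struct { const char *name; int id; } tbl[] = {
        { "sys", SEC_SYS }, { "krb5", SEC_KRB5 },
        { "krb5i", SEC_KRB5I }, { "krb5p", SEC_KRB5P },
    };
    for (size_t i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
        if (strlen(tbl[i].name) == len && memcmp(s, tbl[i].name, len) == 0)
            return tbl[i].id;
    return -EINVAL;   /* unknown name, or an empty item as in "a::b" */
}

/* Parse "krb5i:krb5p"; reject unknown names, empty items and duplicates. */
int parse_sec(const char *opt, struct auth_info *ai)
{
    ai->count = 0;
    while (*opt) {
        size_t len = strcspn(opt, ":");
        int id = flavor_from_name(opt, len);
        if (id < 0 || ai->count == MAX_FLAVORS)
            return -EINVAL;
        for (unsigned int i = 0; i < ai->count; i++)
            if (ai->flavors[i] == id)
                return -EINVAL;           /* duplicate flavor */
        ai->flavors[ai->count++] = id;
        opt += len;
        if (*opt == ':' && *++opt == '\0')
            return -EINVAL;               /* trailing colon */
    }
    return ai->count ? 0 : -EINVAL;
}

/* Assumption: the server's SECINFO order wins; sec= acts as an allowlist. */
int pick_flavor(const struct auth_info *ai, const int *secinfo, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (unsigned int j = 0; j < ai->count; j++)
            if (secinfo[i] == ai->flavors[j])
                return secinfo[i];
    return -EPERM;   /* never fall back to a flavor the mount did not list */
}
```

Because the `sec=` list is treated as an allowlist, a SECINFO reply that offers only `sys` to a `krb5i:krb5p` mount yields `-EPERM` instead of a weaker flavor.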