Bug 1180056
| Summary: | Implement AUTH_SHORT to improve credential/group caching on the bricks | | |
|---|---|---|---|
| Product: | [Community] GlusterFS | Reporter: | Niels de Vos <ndevos> |
| Component: | rpc | Assignee: | Milind Changire <mchangir> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | mainline | CC: | bugs, nbalacha, rgowdapp |
| Target Milestone: | --- | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | https://lists.fedorahosted.org/pipermail/sssd-devel/2014-November/022293.html | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-11-20 09:09:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Migrated to github: https://github.com/gluster/glusterfs/issues/591 Please follow the github issue for further updates on this bug.

When the brick process is instructed to fetch the groups of the user executing a procedure ("server.manage-gids" volume option), the cache is only kept for a short period ("server.gid-timeout" volume option). It would be much nicer to have the cache associated with an AUTH_SHORT (see http://tools.ietf.org/html/rfc5531#page-25) reference.

GlusterFS clients will then be able to receive an AUTH_SHORT reference (per user/uid) after the first procedure, and subsequent procedures would then pass the AUTH_SHORT reference as RPC-credential. On the server-side, the AUTH_SHORT reference should be validated/looked-up and the frame->root->uid/gid/groups would be set as cached.

This makes it possible to set the gid-timeout much higher than the default 5 seconds. A refresh of the AUTH_SHORT reference (and therefore gid-cache) would happen automatically on a remount, or possibly also by a user-settable xattr. You could call this a user-managed-credential-cache, or something.

See also: https://lists.fedorahosted.org/pipermail/sssd-devel/2014-November/022293.html

That email mentions keeping the AUTH_SHORT credentials in sync on all the bricks, but I do not think that is needed. But, I also do not know yet what the best structure would be to keep this per user and per connection token.
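
The server-side shorthand cache described in the report, as an added example that is not GlusterFS code and not part of the original report; every name, the 16-byte token and the fixed-size table are assumptions. Per RFC 5531 an unknown or flushed shorthand is answered with AUTH_REJECTEDCRED, after which the client resends its full credentials; here each token is random and only resolves on the connection it was issued for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { AUTH_OK = 0, AUTH_REJECTEDCRED = 2 };  /* auth_stat values from RFC 5531 */
#define TOKEN_LEN 16    /* assumed token size */
#define MAX_GROUPS 16
#define SLOTS 64        /* assumed cache size */

struct cred { uint32_t uid, gid, ngroups, groups[MAX_GROUPS]; };
struct entry { int used; uint64_t conn; uint8_t tok[TOKEN_LEN]; time_t expires; struct cred cred; };
static struct entry cache[SLOTS];

/* Issue a shorthand for one user on one connection; returns 0, or -1 on failure. */
int short_issue(uint64_t conn, const struct cred *c, time_t now, time_t ttl, uint8_t tok[TOKEN_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");  /* unpredictable token, not a counter */
    size_t got = f ? fread(tok, 1, TOKEN_LEN, f) : 0;
    if (f) fclose(f);
    if (got != TOKEN_LEN) return -1;
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].used && cache[i].expires > now) continue;  /* slot still live */
        cache[i].used = 1; cache[i].conn = conn; cache[i].expires = now + ttl;
        cache[i].cred = *c;  /* uid/gid/groups resolved once, reused until expiry */
        memcpy(cache[i].tok, tok, TOKEN_LEN);
        return 0;
    }
    return -1;  /* cache full: the client keeps sending full credentials */
}

/* Resolve a shorthand; a miss, wrong connection or expiry gives AUTH_REJECTEDCRED. */
int short_lookup(uint64_t conn, const uint8_t tok[TOKEN_LEN], time_t now, struct cred *out)
{
    for (int i = 0; i < SLOTS; i++) {
        struct entry *e = &cache[i];
        if (!e->used || e->conn != conn || memcmp(e->tok, tok, TOKEN_LEN) != 0) continue;
        if (e->expires <= now) { e->used = 0; return AUTH_REJECTEDCRED; }
        *out = e->cred;
        return AUTH_OK;
    }
    return AUTH_REJECTEDCRED;
}

/* Drop every shorthand of a connection (disconnect or remount). */
void short_flush_conn(uint64_t conn)
{
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].conn == conn) cache[i].used = 0;
}
```

Because lookups are keyed on the connection as well as the token, a shorthand observed on one connection does not resolve to cached groups on another.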