module Nn_datanode_ctrl:Manage tickets and push ticket secrets to the datanodessig..end
val reset : unit -> unittype
|
tv_safetrans_id : |
|
tv_safetrans_tmo : |
|
tv_safetrans_sec : |
|
tv_datanodes : |
|
mutable tv_enabled : |
Nn_alloc_types.transacted_datastoresval new_ticket_verifier : unit -> ticket_verifierval enable_ticket_verifier_e : ticket_verifier -> unit Uq_engines.engineval disable_ticket_verifier : ticket_verifier -> (unit -> unit) -> unitdisable_ticket_verifier tv f_post: Schedules that tv will be
disabled soon. After this has happened the function f_post is called
back.val disconnect : int -> unitval post_start_hook : Netmcore.res_id -> Pfs_auth.client_auth -> unitpost_start_hook pool cauthdisable_ticket_verifier does not disable the verifier
immediately, but delays this to the next round of housekeeping -
which usually happens once every second.
There is a security risk here: The verifier remains valid even after the transaction is closed. Although this is only for a very short period of time, this can be abused by a malicious user.
This problem is handled in this way: The verifier can be used to access blocks. There is no problem when only the blocks are accessed for which the ticket was originally valid, i.e. the blocks of the accessed files. The security hole exists only when these blocks are reused for other files - the verifier would then grant access to these other files although there is actually no permission.
So the idea is to prevent that blocks are reused for other files
until the verifier is really cancelled. We already have a mechanism -
the blocks need to be pinned in the blockmaps (method pin).
Such blocks are not freed as long as the pinning remains.
The Nn_blockmap module has been changed so that the pinning remains
intact even when a commit or rollback occurs. First when the special
release method is called the pinning is revoked. We do this now right
after the cancellation of the ticket, using the f_post callback
of Nn_datanode_ctrl.disable_ticket_verifier.
