Coda File System

Re: auth + offline

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Fri, 23 Mar 2007 22:21:22 -0400
On Tue, Mar 20, 2007 at 02:26:15PM -0400, Greg Troxel wrote:
> Jan Harkes <jaharkes_at_cs.cmu.edu> writes:
> > On Tue, Mar 20, 2007 at 10:33:11AM +0100, Enrico Weigelt wrote:
> >> how can I get write access to my coda files in disconnected mode ?
> >> 
> >> If I authenticated while online and then disconnected, it seems to
> >> work somehow, but the client must not have been rebooted for that.
> >
> > This is an argument that has been ongoing for a while. Only a server can
> > really validate if a user has write permission, the client caches some
> > of this information to avoid having to pass every request to the server
> > and to survive during disconnections.
> 
> I think it's useful to really think about the requirements and use
> cases for a system like coda, and to question whether the current
> approach really serves the needs.
> 
> Regardless of single/multiuser, I think disconnection should be as
> transparent as possible.  Of course some things won't be in the cache,
> either files or acls.
> 
> In my use case, I would like:
> 
>   tokens are not needed for local operations
> 
>   mapping of unix uid to authenticated user is retained unless I do
>   cunlog explicitly, even across system reboots and venus restarts

Technically all decisions in venus should be based on the local uid and
tokens are not really necessary. The only 'trick' is that if a user does
not have a tokens his identity is currently mapped to an internal
system_anyuser identity (in Realm::GetUser in venus/user.cc).

Removing this remapping for unauthenticated users should in principle
fix both of these issues.

>   a brief reconnect/disconnect does not really change anything, unless
>   we find out from the server that an acl has changed, in which case
>   sure we can follow the new rules

I still haven't really figured out the demotion rules but from what I
can see in the source we currently only demote system:anyuser rights
after a reconnection. The access rights for a specific user are only
dropped when a token is invalidated by the server as a result of
connecting with an expired token. Or when the user obtains a new token,
venus doesn't know if the new token would have the same permissions.
Both of these cases seem valid to me.

...

Got it, DemoteAcRights(ANYUSER_ID) does not just drop the anyuser rights
but all rights. A successful result from validateattrs re-establishes
them. It shouldn't be too hard to turn that around, I guess we really
only have to drop the rights for objects that didn't pass validation.

> A larger plan for a richer "what's changed" summary from servers on
> client reconnection would help; right now the client seems to assume
> that files might be different and revalidates on access if connected.
> In addition to sending a "here is the list of cache invalidations
> since we last spoke", a similar list of acl invalidations could be
> sent.

There already is a proof of concept implementation of this and I'm
slowly getting it ready for inclusion. The goal here is to optionally
not establish the callback connection and let the client be in a
continous semi-disconnected state where it periodically polls the server
for updates.

Currently we have to ping the servers to make sure any masquerading
firewalls don't forget about us, if we ping too often we waste
bandwidth, if we are too slow we end up having to reconnect and
revalidate (which is even worse). Also a server has to keep a lot of
state to track all those active callbacks and when clients disconnect
frequently because they are restarted, moving between different
networks, or when firewall mappings change, the callbacks to dead
clients can cause long delays when a client wants to update a file.

Callbacks provide better consistency for reads, but with 6.9.0 we
already delay writes by always reintegrating, so maybe adding another
slight delay until those writes are visible won't be that bad. Another
tradeoff is that if a client only has a single object in a volume
cached, there is no way to avoid getting notified about updates to all
uncached and thus uninteresting objects as well.

Jan
Received on 2007-03-23 22:22:59