OpenAFS, Network Identity Manager and Google Summer of Code
The OpenAFS community participates in Google Summer of Code by sponsoring
students working on OpenAFS and related open source projects such as kAFS and
Network Identity Manager
Skip to the list of accepted projects for 2010
What is OpenAFS?
OpenAFS is a 100% open source globally distributed file system derived from
IBM AFS commercial offering as of 1 November 2000. Since IBM released the
source code OpenAFS has thrived adding support for new platforms while enhancing
its overall performance, scalability and usability.
OpenAFS has a large, mature codebase of over 800,000 lines of code. It is
used by large enterprises, universities, and research establishments
worldwide, and plays a part in fields from finance through space exploration
to quantum physics. Developing code for OpenAFS gives you the opportunity to
make a significant difference to a product that is in real-world large scale
production use, and to learn key development skills. We have a large,
supportive, community of developers who are keen to see new developers
enter our project, and happy to help out as you get up to speed.
What is Network Identity Manager?
Network Identity Manager is a client-side
tool designed to simplify the acquisition and management of network
identities and the credentials used to provide
secure identification to network services on Microsoft Windows. In 2010,
students, faculty, and
researchers among others must be able to access services distributed around the world,
managed by different organizations, and deploying different network
As an example, a scientist at the U.S. Department of
Energy’s Fermi National Labs must be able to access systems that require three
different forms of network credentials:
- Kerberos v5 ticket granting and service tickets
- Andrew File System (AFS)
- Short Lived Credential Services X.509 Public Key Certificates
Traditionally, the acquisition and renewal of each
credential type would be performed using distinct tools. The Kerberos v5 ticket granting ticket would be obtained and managed by a
Kerberos v5 Ticket Manager (MIT’s Leash on Windows or Kerberos.app on MacOS X).
The AFS Tokens would be obtained by a tool provided by OpenAFS (aklog or
afscreds). The short lived X.509
certificate would be obtained by a tool designed to work with either a
Kerberized Certificate Authority (KCA) or the Globus MyProxy Credential
Management Service. With each new
credential source, the complexity for the end user is increased.
Network Identity Manager reduces this complexity by
implementing a Single Sign-On (SSO) framework that permits an initial
authentication to retrieve not just a single credential but all of the
derivative credentials necessary for the user to perform their task.
There have been many organization specific tools that have been developed
over the years to obtain mixed credentials
Unlike previous tools what makes NetIdMgr special is its modularity.
Its pluggable framework model does not require all of the technologies to
be integrated by the same organization.
Nor do all users have to be given access to the same combination of
identity and credential provider modules.
As always, the
GSoC 2010 FAQ is a worthwhile reading for anyone involved or considering involvement in the Google Summer of Code program.
OpenAFS is a challenging project to develop for. It is a large and complex
project that has developed over nearly 3 decades. The code must work across a
wide variety of different operating systems, and is heavily multi-threaded in
places. On Unix, the OpenAFS client runs within the machine's kernel, which
can significantly complicate the development process. As an enterprise
product, OpenAFS relies upon significant underlying infrastructure, which a
developer needs to get running before they can test any OpenAFS code. In
addition, OpenAFS is primarily written in C, with all of the attendant issues
of memory management and pointer manipulation.
These challenges mean that students who successfully complete a Summer of
Code are likely to leave with significant new skills. Real world experience of
developing for distributed systems, kernel programming, building test
infrastructures and developing thread safe code are key skills to develop, and
we're happy to help you to learn them. Please join us on #openafs on freenode,
in the Jabber conference email@example.com, or on the
firstname.lastname@example.org mailing list.
If you are interested in working on OpenAFS this
Summer (and perhaps for the rest of your life) here are some things that we
recommend you do:
- If you are unfamiliar with programming in C, see if your
University has any resources available for assisting their students
who want to learn C. If that is not possible, get yourself a
good book and try your hand at it. "The "C Programming Language,
2nd edition" by Kernighan and Ritchie is widely considered to be
an excellent reference text.
- If you have no idea what multi-threading is or what mutexes,
read/write locks, or critical sections are, go to the library and
find yourself a book. Preferably one that does not specialize
in Java, Win32 or Posix threads, but a good general multi-threading
- Read the
IBM AFS documentation/. We are in
the process of rewriting this documentation to reflect the
functionality that is now available in OpenAFS - we
apologise that some of it is still out of date.
- Try your hand at building your own DNS, Kerberos and AFS
"Distributed Services with OpenAFS"
is an excellent cookbook that walks though all of the steps necessary
to get all of the pieces up and running.
If you apply to OpenAFS please be aware of the following:
- You may not have a second job when working on OpenAFS GSoC. We
expect a minimum of 30 hours a week of dedicated work on your project.
It is likely that you will need to spend more time than that
when you include the time spent communicating with your
mentor(s), and on developing new skills necessary to complete your
- You must have excellent network connectivity on a regular basis.
It is extremely hard to develop for a distributed network file
system without access to the Internet. In particular, you need
to be able to access source code repositories, Kerberos KDCs for
authentication, and OpenAFS services. This will require that a
broad range of both tcp and udp ports be open for access to the
external world. If you are dependent upon your University's
network and they firewall access to the outside world, it may be very
difficult for you to work on OpenAFS.
Access to Jabber conference rooms and IRC for communication with your
mentors and the community are critical.
- You must know how to compile a C program and use a debugger at a
rudimentary level. For Linux, gcc and gdb. For Windows, Visual
- The time that our mentors spend working with you on a GSoC project
is extremely valuable. The majority of our mentors are undertaking
that role in addition to full time employment. Please make the most
of their time. If you are having a problem, tell us about it as soon
as possible so that it can be addressed. If you
promise to deliver something, do so or warn your mentor as soon as
you know that you will miss the promised delivery date. If your
mentor is not available, ask on the IRC channel or the Jabber
conference room, and other members of the community will be happy to
help. We will do all we can to make GSoC a success for you, if
you put in the effort at the work and the communication, but we will
fail you if you're not putting that effort in.
Communicating with the OpenAFS Community regarding GSoC
You can speak to members of the OpenAFS Community using three forums:
- Jabber Conference Room: email@example.com
- Internet Relay Chat: freenode.net #openafs channel
- Mailing list: firstname.lastname@example.org
The following are a list of projects accepted for Summer of Code 2010 for
An alternate implementation of a userspace helper interface for Linux kafs
Student: Weylan (Wang) Lei
During last year's Google Summer of Code, an interface for allowing use of OpenAFS userspace programs with kafs was developed. This was found to not be acceptable to the Linux kernel core due to the pioctl ultiplexor system call. An alternate approach using [gs]etxattr(), add_key() and keyctl() and /proc with O_NODE was done; This year's project aims to extend upon that work.
A port of OpenAFS to NetBSD
Student: Matt Smith
Around the same time the original Linux port of AFS was done, a port to NetBSD was also available. While NetBSD has evolved, the original AFS port did not keep pace. Since then, a port to NetBSD has been highly desired. This project will port the OpenAFS client to run on NetBSD.
Student: Sanket Agarwal
The AFS protocol offers encryption for data transport from client to server.
However, that data is stored on the server in cleartext, where it can
potentially be read by the administrators of that server. This poses a real
world problem for organisations who wish to outsource the provision of their
file storage, whilst keeping their data confidential. This project would
augment the existing AFS client to support encrypting data blocks before
sending them to the file server. Additional enhancements would manage user and
data keys in such a way that a user can share encrypted files with other AFS
users of their choosing, and protect the names of files, in addition to their
contents. This is a challenging project, during which the student will gain
an in depth knowledge of kernel programming, distributed systems, and
Unix or Windows Cache Manager support for Apple Doublefiles (Extended /
Student: Kelli Ireland
In order to store arbitrary metadata (aka attributes) with files or
directories in file systems that do not have the necessary native support Apple
Apple DoubleFile format. AFS does not support arbitrary metadata
and on Apple MacOS X systems, the operating system will create DoubleFiles
without additional support from the AFS Cache Manager. This project is to
implement native support for Apple DoubleFiles in one or more of the AFS Cache
Managers exporting Posix Attributes on Unix/Linux platforms and Extended
Attributes on Microsoft Windows. This will permit arbitrary metadata (for
example, icons, thumbnail images, author, copyright info, gps tags, etc.) to be
stored in AFS and shared across multiple operating systems without requiring
changes to the AFS file servers.
Implementing Microsoft's Safe String (StrSafe.h) Library for UNIX/Linux
Student: Jonas Sundberg
Microsoft has developed a safe C String manipulation library (StrSafe.h).
The advantages of the
Strsafe functions include:
- The size of the destination buffer is always provided to the function to
ensure that the function does not write past the end of the buffer.
- Buffers are guaranteed to be null-terminated, even if the operation
truncates the intended result.
- All functions return an HRESULT, with only one possible success code
- Each function is available in a corresponding character count (cch) or
byte count (cb) version.
- Most functions have an extended ("Ex") version available for advanced
It is the opinion of the OpenAFS Gatekeepers that the StrSafe.h functions are
superior to anything currently available in all of the UNIX/Linux and Windows
environments supported by OpenAFS. OpenAFS would like to be able to make
use of the StrSafe.h functions on UNIX/Linux to improve the code quality of
OpenAFS and further enhance the code sharing across Windows and UNIX/Linux.
This project is to implement from scratch a new implementation of the
StrSafe.h functionality for use on non-Windows platforms based entirely upon the
documentation provided by Microsoft:
OpenAFS previously participated in the 2008
and 2009Summers of Code.