[OpenAFS] PAGs and group ids

Christopher Allen Wing wingc@umich.edu
Tue, 5 Jun 2007 11:42:19 -0400 (EDT) 

There is no good, portable way to do this.  The traditional way that 
OpenAFS kept track of PAGs was to assign a 24-bit identifier; this is then 
extended to a 32-bit integer by setting the first 8 bits to the ASCII 
value 'A' (for "AFS"), and letting the last 24 bits be the PAG ID.

This number is then encoded into the two special group IDs to make it less 
likely that someone might accidentally end up with group IDs that happen 
to map to a PAG.  See: (inside the OpenAFS source)

 	src/afs/afs_osi_pag.c::afs_get_groups_from_pag(),
 				afs_get_pag_from_groups()

for the method used.  The afs_get_pag_from_groups() function can be used 
to test if your group IDs are a valid PAG identifier.


In recent openafs, on linux 2.6, the PAG may be stored in an opaque kernel 
data structure called the 'keyring'; here, you cannot rely upon the group 
IDs being present.  If you have the 'keyctl' program installed, the output 
will look like this when your (shell) process is a member of a PAG:

 	% keyctl show
 	Session Keyring
 	       -3 --alswrv      0     0  keyring: _ses.XXXXX
 	XXXXXXXXX ----s--v      0     0   \_ afs_pag: _pag

(the output will contain 'afs_pag' to show that the process is a member of 
a PAG; if 'afs_pag' is not present then the process is not in a PAG)

Some linux systems may not use the keyring; in that case, recent openafs 
uses only a single group ID instead of two group IDs to represent the PAG. 
Here, the single group ID is equal to the 32-bit PAG identifier.  (i.e., 
the first 8 bits are equal to ASCII 'A' as mentioned previously)



So I'm afraid to say that if you are running OpenAFS on Linux, there is no 
simple way to tell if you are in a PAG, because the mechanism has changed 
over time (and varies according to the version of the kernel you have). 
Moreover, it is likely that this may change again in the future.

I suppose that it might be an option to add a utility program to OpenAFS 
at some point to determine this information.  Out of curiosity, what are 
you trying to do that requires this?


Thanks,

Chris Wing
wingc@umich.edu



On Tue, 5 Jun 2007, FB wrote:

> Hi,
>
> a while ago I wrote a small utility which would tell, if it runs in a PAG or
> not. The PAG was represented by 2 special gids back then. My utility doesn't
> work anymore for some weeks now because PAGs seem to be represented
> differently.
>
> What is the "official" way of telling, if a process is in a PAG or not?
> I would prefer some posix operation over a library function because
> my utility is written in perl.
>
> Thanks for any help,
>
> Frank
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>