Decentralized user authentication in a global file system

Michael Kaminsky, George Savvides, David Mazieres, M. Frans Kaashoek
2003 Proceedings of the nineteenth ACM symposium on Operating systems principles - SOSP '03  
The challenge for user authentication in a global file system is allowing people to grant access to specific users and groups in remote administrative domains, without assuming any kind of pre-existing administrative relationship. The traditional approach to user authentication across administrative domains is for users to prove their identities through a chain of certificates. Certificates allow for general forms of delegation, but they often require more infrastructure than is necessary to
more » ... port a network file system. This paper introduces an approach without certificates. Local authentication servers pre-fetch and cache remote user and group definitions from remote authentication servers. During a file access, an authentication server can establish identities for users based just on local information. This approach is particularly well-suited to file systems, and it provides a simple and intuitive interface that is similar to those found in local access control mechanisms. An implementation of the authentication server and a file server supporting access control lists demonstrate the viability of this design in the context of the Self-certifying File System (SFS). Experiments demonstrate that the authentication server can scale to groups with tens of thousands of members.
doi:10.1145/945445.945452 dblp:conf/sosp/KaminskySMK03 fatcat:xkyioack5jcgpae2kyld2sdm7m