nfsv4-3----Page:16
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
|
Object Security (2) Capability Request (client to metadata manager) CapRequest = object ID, operation, data range Capability signed with device key known by metadata manager CapSignature = {CapRequest, Expires, CapVersion} KeyDevice CapSignature used as a signing key (!) OSD Command (client to OSD) Request contains {CapRequest, Expires, CapVersion} + other details + nonce to prevent replay attacks RequestSignature = {Request} CapSignature OSD can compute CapSignature by signing CapRequest with its own key OSD can then verify RequestSignature Caches and other tricks used to make this go fast |