Glossary - PASS and Related Technology & Services

Commonly used words defined.

Authentication:   The process by which an identity assertion is verified, or proved "authentic." This is often abbreviated as authN.
    Examples of this include:

  • Supplying a password that matches a given username.
  • Supplying a signed X.509 digital certificate.
  • Displaying a photo ID card.

Authorization:   The process by which an identity is granted the privilege to access a resource. This is often abbreviated as authZ.
    Examples of this include:

  • Adding a username to a file's Access Control List (ACL) permission setting.
  • Adding a username to a group.
  • Hard-coding a username into a list of users allowed to use a custom application.

CIFS: Common Internet File System; essentially the new name for the Server Message Block (SMB) protocol.  With there being various uses (and abuses?) of the term SMB, there is a lot of room for comment on the subtle differences between the two terms.  The short of it is that this protocol (or family of protocols) is the native file sharing protocol in Microsoft Windows, Samba, the "cifs://" and "smb://" protocol identifiers on Apple Macintosh OS X, etc.  The protocol has also evolved over the years between implementations of Windows and related products as well as non-Microsoft implementations such as Samba.  Some variants have even become IETF standards or are at the draft stage.

DCE/DFS: Distributed Computing Environment / Distributed File System: The previous computing infrastructure (Kerberos V based authentication, Cell Directory Service, bundled network time service, secure RPC) and file service used to provide PASS. Penn State makes use of the IBM implementation of DCE/DFS based on the Open Software Foundation's (OSF) specification.  DCE's Kerberos based authentication service will be replaced by the stand-alone Kerberos V realm "dce.psu.edu" already in production. The Cell Directory Service (CDS) will be replaced by the LDAP based Penn State Directory service. The DCE Time Service (DTS) will be replaced by the popular open standard Network Time Protocol service (NTP). DFS will be replaced by GPFS.

dce.psu.edu:   The name of our DCE cell as well as the name of our stand-alone Kerberos V realm. While the former will be decommissioned in 2008, the latter will continue to run. For example, Penn State Access Account authentication in the ACCESS.PSU.EDU and other Microsoft Windows Active Directory domains will continue to use the "dce.psu.edu" Kerberos realm after the DCE cell is decommissioned.  Please note that realm names can be case sensitive in certain circumstances, so systems or software pointing to "DCE.PSU.EDU" may not function correctly, or at all.

Directory Quotas:   A temporary feature of GPFS that combines GID based quotas along with a setting that mandates GID inheritance.

Dfs:   Microsoft has a "Distributed File-Service" technology called Dfs (often lower-case f and s).  It is similar to the OSF DCE/DFS in that Dfs also provides a unified file namespace across multiple servers, integrates into a Kerberos V + Directory Service (e.g. CDS or LDAP) environment (Microsoft Active Directory (AD)), etc.  Other than design and name similarities, it is a distinct, non-interoperable technology with DCE/DFS.

fileset:   In both DFS and GPFS, a fileset is a collection of related files and folders.  For example each user's home folder, departmental Web space, etc. is stored in their own fileset in DFS.  A fileset may have its own quota and in DFS may be moved between servers transparently; GPFS doesn't need to move filesets between servers as multiple GPFS servers may have simultaneous access to the same disks.  UNIX folks may note that each fileset has its own unique i-node number (file serial number) space and hard links can be made between files within a fileset but not across fileset boundaries.  In AFS (formerly the Andrew File System), the predecessor to DFS, filesets are called volumes.  While Penn State uses filesets exclusively for file storage in DFS, they probably will not be utilized in GPFS at the outset.  Quotas in GPFS will be enforced by GID (numeric Group IDentifier).

filesystem:   The term filesystem can mean a few different things depending on the context, including:

  1. the entire collection of files available for access by programs on a computer, including local and remote files, e.g. the Linux Virtual File System (VFS)
  2. a coherent system of file storage for access by remote computers, e.g. PASS (DFS or GPFS)
  3. in GPFS, a filesystem is a collection of files stored on a specific set of disks, e.g. /pass/users, /pass/home/0, /pass/os, etc. are each a distinct GPFS filesystem; in DFS, this is called an aggregate
  4. a collection of files and folders linked together in a tree with a unique i-node number space; in DFS and GPFS, this is called a fileset (by default, each GPFS filesystem starts with a root fileset with this property); filesystem trees in UNIX can be linked together to form a larger tree by a process known as mounting
  5. the technology or protocol that provides a filesystem service, e.g. (local disk) ext3, JFS, HFS, NTFS, UFS, (network protocol) AFP, NFS, CIFS, (distributed system) AFS, DFS, Dfs, GPFS, etc
  6. usually a local filesystem is thought to hold the properties of #3 and #4, such as in the case of ext3, NTFS, HFS, UFS and JFS formatted disks and disk partitions


GID: Group IDentifier - In UNIX filesystems such as DFS and GPFS, all files have a basic attribute called the GID, which is a numeric identifier indicating the file's owning group.  Both DFS and GPFS use 32-bit integers for the GID, which may be treated as signed or unsigned depending on the context.  An account system database such as LDAP would store the relationships between numeric identifiers and account group names.  See also UID.

GPFS: General Parallel File System. The technology we will use to replace DFS. Penn State WebMail switched from DFS to GPFS as one of the significant improvements in the WebMail 2 launch (Fall 2006).

i-node:   In UNIX filesystems such as DFS and GPFS, an i-node is an object that describes or links to all of a file's or folder's metadata and the location of its data blocks, with the exception of the file's name(s) and location(s) in the filesystem tree.  An i-node may be hard linked from one or more places in the filesystem tree: files may be linked an arbitrary number of times from various places in the tree, but a folder must be linked exactly once as a child of one other folder (except for the root folder), once by itself (under the special name ".") and once by each of its child folders (under the special name "..").  Removal of the last hard link of a file is equivalent to deletion of the file.  i-nodes are referenced by number.

Kerberos: Kerberos is an authentication system based on "shared secrets," e.g. passwords (using secret-key cryptography), and short-lived "tickets" for granting access to various computing systems using a central authentication system.  By presenting tickets to each service, rather than the long-term shared secret (password), Kerberos establishes a higher level of security than conventional systems (e.g. password files, LDAP based authentication, etc.). Penn State makes wide use of Kerberos version 5 (version 5 is usually expressed as the roman numeral "V") in a stand-alone MIT Kerberos realm, and in various Microsoft Active Directory domains.

LDAP (Lightweight Directory Access Protocol):   A protocol for providing online directory services. The Penn State Directory service currently uses this protocol. A directory service can be useful to people who wish to look up faculty, staff and student public information; it can also be useful to email systems for storing mail address aliases and mail delivery options; it can also be useful to Web-based and other types of applications which need to authorize users based on group membership. Some third-party applications may use LDAP for authentication (e.g. validating passwords); however, Kerberos tends to be a superior authentication alternative when available.  GPFS will use LDAP for user and group information for ACLs and quotas.

PASS:  Penn State Access Account Storage Space.

Penn State WebAccess:  Penn State WebAccess, based on CoSign technology, provides a cookie-based authentication service to Web sites using the Penn State Access Account and Friends of Penn State account Kerberos authentication services. Some sites may have used a Kerberos check of the CGI form-transmitted password (e.g. in the Apache httpd Web server via mod_auth_kerb) and may do better by switching to WebAccess. CoSign's use of temporary session identifiers (cookies) and a back-end secure check, which limits exposure of the longer-term password to only the central cosign server and Kerberos backend, makes this Web Single Sign-On (SSO) system analogous to the Kerberos ticket-based security model.

SMB: Server Message Block protocol.  See CIFS.

Symbolic link:   A symbolic link, soft link or symlink, is a special file in UNIX filesystems such as DFS and GPFS that refers to or "links" to another file.  Symbolic links are similar to Windows shortcut files or Macintosh alias files.  As opposed to a hard link, symlinks link to the other file by name, rather than i-node number (file serial number).  This allows symlinks to refer to files across filesystem boundaries.  They can refer to folders as well as files (hard links can only be created between files) and they can also point to non-existent filenames (which is called a dangling or broken symlink).  Samba presents symlinks as the target file.  Should the target file not exist, the link will appear invisible over Samba.
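The i-node and Symbolic link entries above describe behaviour that is easy to confirm on any UNIX-like host. The following Python script is an added example (not code from the PASS project or this glossary) that builds a file, a hard link to it, a symlink, a symlink to a folder and a dangling symlink inside a temporary directory, then records what the filesystem reports: hard links share an i-node number and a link count, a symlink has its own i-node and stores only a name, removing the original name leaves the hard link readable but turns the symlink dangling, and removing the last hard link deletes the data. It also attempts a hard link to a folder, which the OS refuses, and walks the tree for dangling symlinks of the kind the text says Samba would hide. The temporary directory lives on a single local filesystem, so the cross-filesystem property of symlinks is not exercised here; all file names are constructed for the demo.

```python
import os
import tempfile


def demo_links(root: str) -> dict:
    """Build a small link tree under root and return the observed properties."""
    target = os.path.join(root, "original.txt")          # constructed sample file
    with open(target, "w") as fh:
        fh.write("hello\n")

    hard = os.path.join(root, "hard.txt")
    os.link(target, hard)                                 # hard link: second name, same i-node

    soft = os.path.join(root, "soft.txt")
    os.symlink("original.txt", soft)                      # symlink stores the *name*, not the i-node

    dangling = os.path.join(root, "dangling.txt")
    os.symlink("does-not-exist.txt", dangling)            # name that never existed

    subdir = os.path.join(root, "folder")
    os.mkdir(subdir)
    dirlink = os.path.join(root, "folderlink")
    os.symlink("folder", dirlink)                         # symlinks may point at folders

    st_target = os.stat(target)
    st_hard = os.stat(hard)
    st_soft_itself = os.lstat(soft)                       # lstat: the link object itself
    st_soft_followed = os.stat(soft)                      # stat: follows the link to its target

    result = {
        "hard_link_same_inode": st_target.st_ino == st_hard.st_ino,
        "link_count_after_hard_link": st_target.st_nlink,
        "symlink_own_inode_differs": st_soft_itself.st_ino != st_target.st_ino,
        "symlink_resolves_to_target_inode": st_soft_followed.st_ino == st_target.st_ino,
        "dangling_exists": os.path.exists(dangling),      # exists() follows links: False
        "dangling_lexists": os.path.lexists(dangling),    # lexists() does not: True
        "dir_symlink_is_dir": os.path.isdir(dirlink),
    }

    # Hard links between folders are refused by the OS (EPERM on Linux).
    try:
        os.link(subdir, os.path.join(root, "folder-hardlink"))
        result["dir_hard_link_allowed"] = True
    except OSError:
        result["dir_hard_link_allowed"] = False

    # Remove the original name: the data stays reachable through hard.txt,
    # but soft.txt still holds the name "original.txt" and is now dangling.
    os.unlink(target)
    with open(hard) as fh:
        result["hard_link_still_readable"] = fh.read() == "hello\n"
    result["link_count_after_unlink"] = os.stat(hard).st_nlink
    result["symlink_now_dangling"] = (not os.path.exists(soft)) and os.path.lexists(soft)

    # Removing the last hard link is deletion of the file.
    os.unlink(hard)
    result["data_gone"] = not os.path.lexists(hard)
    return result


def find_dangling_symlinks(root: str) -> list:
    """Return the symlinks under root whose target name does not resolve."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks by default
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not os.path.exists(path):
                found.append(path)
    return sorted(found)


def run_demo() -> dict:
    """Run the whole demonstration in a throw-away directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        findings = demo_links(root)
        findings["dangling_found"] = [os.path.basename(p) for p in find_dangling_symlinks(root)]
        return findings


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `find_dangling_symlinks` walk is the check a PASS administrator might run before assuming a share is complete: every path it lists is one that a Samba client would simply not see.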

UID:   User IDentifier - In UNIX filesystems such as DFS and GPFS, all files have a basic attribute called the UID, which is a numeric identifier indicating the file owner. Both DFS and GPFS use 32-bit integers for the UID, which may be treated as signed or unsigned depending on the context.  For example, https://nfs.pass.psu.edu/ treats the UID as a signed number, and would accept a UID value of -2 to mean user "nobody", whereas /etc/passwd on AIX treats the UID as unsigned and would accept 4294967294 to mean the same value for user "nobody".  An account system database such as LDAP would store the relationships between numeric identifiers and account names.  See also GID.
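The signed-versus-unsigned point in the UID and GID entries bites whenever identifiers from two systems are compared as plain integers: -2 and 4294967294 are the same 32-bit pattern, yet `-2 == 4294967294` is false in any language with wider integers. The helpers below are an added example (not PASS or AIX code) that normalise a 32-bit identifier to its unsigned and signed readings, decide whether two identifiers written by different systems name the same owner, and reject values that do not fit in 32 bits. The `-2` / `4294967294` pair is the page's own "nobody" example; the 16-bit value 65534 is included only to show that a historically truncated identifier is not the same owner.

```python
ID_BITS = 32
ID_MOD = 1 << ID_BITS            # 2**32
ID_SIGN = 1 << (ID_BITS - 1)     # 2**31: values at or above this are negative when read as signed


def to_unsigned(ident: int) -> int:
    """Read a 32-bit identifier the way an unsigned consumer (e.g. /etc/passwd on AIX) does."""
    if not -ID_SIGN <= ident < ID_MOD:
        raise ValueError(f"{ident} does not fit in a 32-bit identifier")
    return ident % ID_MOD        # Python's % yields a non-negative result, so -2 -> 4294967294


def to_signed(ident: int) -> int:
    """Read the same 32-bit pattern as a two's-complement signed value."""
    unsigned = to_unsigned(ident)
    return unsigned - ID_MOD if unsigned >= ID_SIGN else unsigned


def same_owner(a: int, b: int) -> bool:
    """True when two identifiers, possibly written by systems with different conventions,
    denote the same 32-bit bit pattern and therefore the same UID or GID."""
    return to_unsigned(a) == to_unsigned(b)


def reconcile(entries: dict) -> dict:
    """Given {system_name: identifier}, group the systems by the owner they actually name.
    Useful when checking that an NFS mapping and a passwd file agree on 'nobody'."""
    groups = {}
    for system, ident in entries.items():
        groups.setdefault(to_unsigned(ident), []).append(system)
    return groups


if __name__ == "__main__":
    # Constructed sample: the page's "nobody" values plus a 16-bit leftover.
    sample = {"nfs (signed)": -2, "aix passwd (unsigned)": 4294967294, "legacy 16-bit": 65534}
    for owner, systems in reconcile(sample).items():
        print(f"owner {owner} (signed {to_signed(owner)}): {', '.join(systems)}")
```

The practical rule the functions encode: compare identifiers only after normalising both to one reading, and treat anything outside the 32-bit range as a data error rather than silently wrapping it.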
