Index: trunk/packages/invirt-base/python/invirt/authz/locker.py
===================================================================
--- trunk/packages/invirt-base/python/invirt/authz/locker.py	(revision 2570)
+++ trunk/packages/invirt-base/python/invirt/authz/locker.py	(revision 2571)
@@ -70,25 +70,18 @@
 
 def _authenticate(cell):
-    """Acquire credentials if possible for a particular cell.
+    """Acquire AFS tokens for a cell if encryption is required by config.
 
-    This function returns True if an authenticated connection to the
-    cell should be established; False otherwise.
+    If the Invirt configuration requires connections to this cell to
+    be encrypted, acquires tokens and returns True. Otherwise, returns
+    False. Consumers of this function must still be sure to encrypt
+    their own connections if necessary.
 
-    If a cell isn't explicitly listed in the configuration file,
-    _authenticate will assume that it /should/ authenticate to the
-    cell.
+    Cells not listed in the Invirt configuration default to requiring
+    encryption in order to maintain security by default.
 
-    The assumption is that choosing to authenticate to a cell will
-    fail in two cases: (a) the cell authenticates against the
-    machine's home realm and there is no PTS ID in the cell, or (b)
-    the cell doesn't authenticate against the machine's home realm and
-    doesn't have cross-realm authentication setup.
-
-    In the former case, it should be possible for the sysadmins to
-    list all cells that authenticate against the home realm (including
-    those where attempting authentication would be problematic). In
-    the latter case, such a cell would be at best distantly connected
-    to the home cell, and we probably don't want to give it quota
-    anyway.
+    Due to AFS's cross-realm auto-PTS-creation mechanism, using
+    authenticated connections by default should only fail for cells
+    which authenticate directly against the machine's home realm and
+    cells distantly related to the machine's home realm.
     """
     for c in config.authz.cells:
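Review bot: The new docstring of _authenticate does not say what happens when token acquisition itself fails, although its last paragraph names two kinds of cells where authenticated connections are expected to fail. Document whether that case raises or returns False, so a caller cannot mistake a failed acquisition for "encryption not required". The sentence "Consumers of this function must still be sure to encrypt their own connections if necessary" would be clearer if it tied "if necessary" to the True return value, since that is the only signal the caller gets. The removed text also told sysadmins that problematic cells can be listed in the configuration; a one-line pointer to that remedy is worth keeping next to the "default to requiring encryption" paragraph.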
