From: Eric Barton <eeb@sun.com>
To: lustre-devel@lists.lustre.org
Subject: [Lustre-devel] security: MGS connection
Date: Fri, 06 Jun 2008 01:36:28 +0100 [thread overview]
Message-ID: <057101c8c76d$5c31a820$0281a8c0@ebpc> (raw)
In-Reply-To: <48481A5E.4050200@sun.com>
> Here is an updated user interface proposal, please review:
>
> - MGS can be configured to "only allow RPC with certain level of
> security from certain node". The default is 'allow any'.
Fine.
> - Each node choose what security flavor to use to connect MGS when
> mounting target device or client, by mount option "mgssec=flavor". By
> default 'null' (no protection) is chosen.
Fine.
> - For MDT/OST, the option "mgssec=flavor" could also be written on disk,
> like other parameters, but will be override if mount option supplied.
How can "mgssec=flavor" apply to MDT/OST connections? What mount option
will override saved MDT/OST parameters?
IMHO we have to make an extremely clear separation between MGS connection
security (which can only be specified in the mount command) and lustre server
connection security (which can be stored on the MGS). Anything that blurs the
distinction will be error prone.
> - If flavor of GSS/Kerberos is specified, some pre-configured machine
> credential will be used, so no need to supply password or whatsoever.
Fine.
> - The flavor of MGS connection won't change until umount, no matter how
> rest of connection flavors change at runtime.
Fine.
> - If there's multiple mounts on one node, they must specify the same
> security flavor. For example, if we do:
> # mount -t lustre -o mgssec=krb5p /dev/sda1 /mnt/ost1
> # mount -t lustre -o mgssec=null /dev/sda1 /mnt/ost2
> then the second mount will fail immediately.
Fine.
Cheers,
Eric
next prev parent reply other threads:[~2008-06-06 0:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <C46C26CE.574E%peter.braam@sun.com>
[not found] ` <4846C394.1020801@sun.com>
2008-06-04 17:47 ` [Lustre-devel] security: MGS connection Eric Barton
2008-06-04 18:07 ` Spencer Shepler
2008-06-04 19:07 ` Eric Mei
2008-06-04 18:38 ` Eric Mei
2008-06-04 18:49 ` Peter Braam
2008-06-04 19:24 ` Eric Barton
2008-06-05 16:19 ` Eric Mei
2008-06-06 0:20 ` Eric Barton
2008-06-05 16:54 ` Eric Mei
2008-06-06 0:36 ` Eric Barton [this message]
2008-06-06 1:39 ` Eric Mei
2008-06-06 3:16 ` Peter Braam
2008-06-06 15:16 ` Eric Mei
2008-06-06 3:30 ` Peter Braam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='057101c8c76d$5c31a820$0281a8c0@ebpc' \
--to=eeb@sun.com \
--cc=lustre-devel@lists.lustre.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.