From: Benjamin Bennett <ben@psc.edu>
To: lustre-devel@lists.lustre.org
Subject: [Lustre-devel] GSS cross-realm on MDT -> OST
Date: Tue, 08 Jul 2008 14:41:39 -0400
Message-ID: <4873B4E3.2010609@psc.edu>
In-Reply-To: <C499036B.4E46%peter.braam@sun.com>

Peter Braam wrote:
> Yes, it will be very important that we can separate OST's/MDT's widely.
> 
> But placing them in different realms, I'm not sure about.  Can PSC explain
> what administrative model warrants that?  Why can a remote OST not be part
> of the realm of the MDS that controls it?

The OSTs will be distributed among several resource provider 
organizations, each with their own existing domain name space and 
Kerberos realm.  There is also a centrally managed TeraGrid realm which 
could be used to provide cross-realm transit between the resource 
provider realms.  With this Kerberos authentication infrastructure 
already in place, the issue comes down to that of authorizing a principal 
as an MDS, the logic of which I believe should be reconsidered 
regardless of cross-realm issues.

Currently an OSS's authz of an MDS is inherent in the name of the 
principal (lustre_mds/host) so AFAICT one cannot safely run two distinct 
Lustre clusters within a single Kerberos realm.  Moreover, this makes 
the assumption that all Kerberos admins are knowledgeable enough about 
Lustre to only issue lustre_mds/host principals to entities that should 
have MDS privileges throughout the entire realm.  Please do correct me 
if I'm wrong here.


--ben
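
An added example, not part of the original message and not Lustre's code: a small model of the concern raised above, contrasting authorization by principal name with an explicit per-OSS allow-list of full principals. The realm names, hostnames and function names are constructed for illustration, and the local-realm check in `authz_by_name` is an assumption.

```python
from typing import NamedTuple, Optional

class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_principal(name: str) -> Optional[Principal]:
    """Parse 'service/host@REALM' (no escaped '/' or '@'); None if malformed."""
    body, at, realm = name.rpartition("@")
    service, slash, host = body.partition("/")
    if not (at and realm and slash and service and host) or "/" in host:
        return None
    # Hostnames compare case-insensitively; realm names are case-sensitive.
    return Principal(service, host.lower(), realm)

def authz_by_name(name: str, local_realm: str) -> bool:
    """Model of the concern: the service name alone confers MDS rights.
    Limiting it to the local realm is an assumption of this sketch."""
    p = parse_principal(name)
    return p is not None and p.service == "lustre_mds" and p.realm == local_realm

def authz_by_allowlist(name: str, allowed: frozenset) -> bool:
    """Alternative: the OSS trusts only the exact principals configured for it."""
    p = parse_principal(name)
    return p is not None and p in allowed

# Constructed sample data: two clusters sharing SITE.EXAMPLE, plus a remote MDS.
MDS_A = "lustre_mds/mds.cluster-a.example@SITE.EXAMPLE"
MDS_B = "lustre_mds/mds.cluster-b.example@SITE.EXAMPLE"
MDS_REMOTE = "lustre_mds/mds.cluster-a.example@OTHER.EXAMPLE"
CLUSTER_A_OSS_ALLOWED = frozenset({parse_principal(MDS_A), parse_principal(MDS_REMOTE)})

def compare():
    """Return (principal, name-based verdict, allow-list verdict) per sample."""
    return [(n, authz_by_name(n, "SITE.EXAMPLE"),
             authz_by_allowlist(n, CLUSTER_A_OSS_ALLOWED))
            for n in (MDS_A, MDS_B, MDS_REMOTE)]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Under the name-based check, cluster B's MDS is accepted by cluster A's OSS because both share a realm, while the allow-list rejects it and still admits the cross-realm MDS that was explicitly configured.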
