* [Lustre-devel] Security configuration
@ 2009-02-17 20:37 Eric Barton
2009-02-18 23:19 ` Nicolas Williams
2009-03-05 18:05 ` Nathaniel Rutman
0 siblings, 2 replies; 3+ messages in thread
From: Eric Barton @ 2009-02-17 20:37 UTC (permalink / raw)
To: lustre-devel
Nathan,
We'd like to be able to describe a set of nodes and say that
as far as security is concerned, they are all equivalent - i.e. if
an MDT authorizes eeb at node1 to perform a certain action, then
eeb at nodex is implicitly authorized provided node1 and nodex are in
the same set.
Leaving aside for now, the question of how the sets are described
(they could be whole LNETs or whole Kerberos realms, or NID lists),
is the MGS the right place to stash this config?
Cheers,
Eric
^ permalink raw reply [flat|nested] 3+ messages in thread* [Lustre-devel] Security configuration
2009-02-17 20:37 [Lustre-devel] Security configuration Eric Barton
@ 2009-02-18 23:19 ` Nicolas Williams
2009-03-05 18:05 ` Nathaniel Rutman
1 sibling, 0 replies; 3+ messages in thread
From: Nicolas Williams @ 2009-02-18 23:19 UTC (permalink / raw)
To: lustre-devel
On Tue, Feb 17, 2009 at 08:37:42PM +0000, Eric Barton wrote:
> We'd like to be able to describe a set of nodes and say that
> as far as security is concerned, they are all equivalent - i.e. if
> an MDT authorizes eeb at node1 to perform a certain action, then
> eeb at nodex is implicitly authorized provided node1 and nodex are in
> the same set.
>
> Leaving aside for now, the question of how the sets are described
> (they could be whole LNETs or whole Kerberos realms, or NID lists),
> is the MGS the right place to stash this config?
As far as Kerberos V principal names go, then the name will be eeb at REALM
throughout.
As for what happens with identities on the wire (for GET/SETATTR), this
is where ID mapping comes in. Here the configuration that matters will
be local to each client (what domain name to assert) and to the MDS
(what clients to trust).
Nico
--
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Lustre-devel] Security configuration
2009-02-17 20:37 [Lustre-devel] Security configuration Eric Barton
2009-02-18 23:19 ` Nicolas Williams
@ 2009-03-05 18:05 ` Nathaniel Rutman
1 sibling, 0 replies; 3+ messages in thread
From: Nathaniel Rutman @ 2009-03-05 18:05 UTC (permalink / raw)
To: lustre-devel
Eric Barton wrote:
> Nathan,
>
> We'd like to be able to describe a set of nodes and say that
> as far as security is concerned, they are all equivalent - i.e. if
> an MDT authorizes eeb at node1 to perform a certain action, then
> eeb at nodex is implicitly authorized provided node1 and nodex are in
> the same set.
>
> Leaving aside for now, the question of how the sets are described
> (they could be whole LNETs or whole Kerberos realms, or NID lists),
> is the MGS the right place to stash this config?
>
Yes, I think the MGS is the right place to stash any config.
FWIW we're pretty seriously thinking about removing all the distributed
configuration we can (mkfs/tunefs.lustre settings and module parameters)
and concentrating it all on the MGS node in a text-based config file.
Exceptions would have to be made for the network setup, so that everyone
could talk to the MGS -- so lnet networks and MGS nids would still have
to be stored locally.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-03-05 18:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-02-17 20:37 [Lustre-devel] Security configuration Eric Barton
2009-02-18 23:19 ` Nicolas Williams
2009-03-05 18:05 ` Nathaniel Rutman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.