From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Braam
Date: Thu, 05 Jun 2008 20:16:03 -0700
Subject: [Lustre-devel] security: MGS connection
In-Reply-To: <48489540.80808@sun.com>
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lustre-devel@lists.lustre.org

Out of curiosity - do we secure OSC - OST connections with GSS? We send
capabilities over them that are encrypted so perhaps it is not necessary.

Peter

On 6/5/08 6:39 PM, "Eric Mei" wrote:

> Eric Barton wrote:
>>> Here is an updated user interface proposal, please review:
>>>
>>> - MGS can be configured to "only allow RPC with certain level of
>>> security from certain node". The default is 'allow any'.
>>
>> Fine.
>>
>>> - Each node chooses what security flavor to use to connect to MGS when
>>> mounting target device or client, by mount option "mgssec=flavor". By
>>> default 'null' (no protection) is chosen.
>>
>> Fine.
>>
>>> - For MDT/OST, the option "mgssec=flavor" could also be written on disk,
>>> like other parameters, but will be overridden if mount option supplied.
>>
>> How can "mgssec=flavor" apply to MDT/OST connections? What mount option
>> will override saved MDT/OST parameters?
>
> Sorry I was not clear enough. I meant connection from MDT or OST to MGS.
> The "mgssec=flavor" could be specified as mount parameter, or stored on
> disk by mkfs.lustre or tune2fs. If both present, mount option wins.
> Anyway it's just some details.
>
>> IMHO we have to make an extremely clear separation between MGS connection
>> security (which can only be specified in the mount command) and lustre server
>> connection security (which can be stored on the MGS). Anything that blurs
>> the distinction will be error prone.
>
> Yes exactly, they're completely separated.
>
>>
>>> - If flavor of GSS/Kerberos is specified, some pre-configured machine
>>> credential will be used, so no need to supply password or whatsoever.
>>
>> Fine.
>>
>>> - The flavor of MGS connection won't change until umount, no matter how
>>> rest of connection flavors change at runtime.
>>
>> Fine.
>>
>>> - If there are multiple mounts on one node, they must specify the same
>>> security flavor. For example, if we do:
>>> # mount -t lustre -o mgssec=krb5p /dev/sda1 /mnt/ost1
>>> # mount -t lustre -o mgssec=null /dev/sda1 /mnt/ost2
>>> then the second mount will fail immediately.
>>
>> Fine.
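
Added example, not part of the thread and not Lustre code: a small Python model of the "mgssec=flavor" rules proposed above (mount option wins over the on-disk value, 'null' is the default, and every mount on a node must use the same MGS flavor). The names `resolve_mgssec`, `Node` and `MgsFlavorConflict` are hypothetical, and releasing the flavor at the last umount is an assumption about what "until umount" means with several mounts.

```python
# Model of the proposed mgssec rules. Illustration only; all names are hypothetical.

DEFAULT_FLAVOR = "null"  # proposal: no protection unless mgssec= is given


class MgsFlavorConflict(Exception):
    """A mount asked for a different MGS flavor than the node already uses."""


def resolve_mgssec(mount_opts, on_disk_params=None):
    """Return the MGS flavor: mount option first, then on-disk value, then 'null'."""
    for source in (mount_opts, on_disk_params or {}):
        if "mgssec" in source:
            return source["mgssec"]
    return DEFAULT_FLAVOR


class Node:
    """Tracks the single MGS connection flavor shared by all mounts on a node."""

    def __init__(self):
        self.mgs_flavor = None   # fixed once the first mount succeeds
        self.mounts = {}         # mountpoint -> flavor it was mounted with

    def mount(self, mountpoint, mount_opts=None, on_disk_params=None):
        flavor = resolve_mgssec(mount_opts or {}, on_disk_params)
        # A later mount must resolve to the flavor already in use. Read
        # literally, an omitted option resolves to 'null', so it conflicts
        # with an existing krb5p mount just as an explicit mgssec=null does.
        if self.mounts and flavor != self.mgs_flavor:
            raise MgsFlavorConflict(
                f"{mountpoint}: mgssec={flavor} conflicts with active "
                f"mgssec={self.mgs_flavor}")
        self.mgs_flavor = flavor
        self.mounts[mountpoint] = flavor
        return flavor

    def umount(self, mountpoint):
        del self.mounts[mountpoint]
        if not self.mounts:
            # Assumption: the flavor is released only with the last mount.
            self.mgs_flavor = None
```
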