From: Peter Braam <Peter.Braam@Sun.COM>
To: lustre-devel@lists.lustre.org
Subject: [Lustre-devel] Moving forward on Quotas
Date: Tue, 10 Jun 2008 10:51:55 -0600 [thread overview]
Message-ID: <C4740D4B.5A20%peter.braam@sun.com> (raw)
In-Reply-To: <484E877B.50500@sun.com>
I did not read the entire long message, but clearly the importance of
authorizing operations on the OSS far exceeds that of exposing a uid to a
client.
Moreover, it doesn't have to be exposed. If the capability contains the uid
it can be encrypted with a key so that only the OSS can see it.
This seems the preferred solution.
Peter
On 6/10/08 7:54 AM, "Yong Fan" <Yong.Fan@Sun.COM> wrote:
> Peter Braam ??:
>>
>> On 6/6/08 1:33 AM, "Johann Lombardi" <johann@sun.com> wrote:
>>
>>
>>> On Thu, Jun 05, 2008 at 06:45:36AM -0700, Peter Braam wrote:
>>>
>>>> Well, this protocol hasn't been published yet; why not include the server
>>>> side uid / gid then?
>>>>
>>> I understood from Fanyong that according to the remote client design
>>> requirements, we should not allow the remote client to access the
>>> server-side
>>> uid/gid mapping.
>>>
>>
>> You have two choices: break that rule OR let the MDS server do the ownership
>> changes. It's not complicated, just make a choice.
>>
> 1) MDS changes file owner for objects on OSS when create.
> It introduces one additional RPC between MDS and OSS
> for each objects, which causes the per-create meaningless.
> Maybe we can not accept the creation performance undre
> such case.
> An improvement for that is that we can initialize all
> the pre-create objects on OSS with the same uid/gid as
> the current created file. And the succedent creations
> check the per-created object's uid/gid, if they match
> the owner's uid/gid, then the additional setattr to OSS
> is unnecessary, otherwise, chown to OSS will be sent.
> The best case is equal to the current implementation;
> the worst case is equal to no such improvement.
> Under creation performance sensitivity case, maybe HPC
> or some benchmark test. There are few uid/gid context
> switch. So I think such improvement can match most
> creation performance requirement.
> 2) Pack file owner into OSS capability when write to OSS.
> According to our UID mapping rules, we do not want the
> client (especially the untrusted client, maybe remote
> client) to know which the server-side uid/gid are mapped.
> For that, dynamic UID mapping are used, and some complex
> remote acl operations are implemented.
> So if file real owner (server-side uid/gid) need to be
> packed in OSS capability back to client, bad better to
> encrypt them to match our UID mapping rules. Otherwise,
> most of our effort for that before are broken. On the
> other hand, MDS/OSS capabilities use HMAC-SHA1 to prevent
> from being modified or fabricated. Signing MAC is somewhat
> time-consuming, and uid/gid encryption are similar, so the
> performance will become worse. To implement server-side
> uid/gid encryption and decryption, need to design some
> key-update mechanism also.
> So I do not think it is a good choice.
> 3) Establish UID mapping on OSS also, just like MDS does.
> It has the same principle as done on MDS which needs
> lower layer GSS support. Many codes can be shared
> between MDS and OSS for UID mapping. It is the most
> complete solution, little affect on creation performance
> and UID mapping rules. The shortcoming is much changes
> on OSS, how much GSS effort for that is not well estimated
> yet.
>>
>>>> But more seriously, how is this encoded in such a way that the OST can
>>>> trust
>>>> the information - it must be in the capability too?
>>>>
>>> hmm, I don't see any capability associated with this.
>>>
>>
>> We had better find it, otherwise there is a security hole.
>>
>>
> Root user's super permission should be considered for OSS
> capability. On client-side, the opened file descriptor can
> be shared by different threads, and the different threads
> maybe have different "uid". Consider the following case:
> Root user writes a file through other normal user (Tom)
> opened file descriptor. The root user can breaks through
> Tom's quota limitation, he should tell OSS that he is a
> root user, but how can the OSS believe him? Such information
> should be contained in the OSS capability.
> (Note: on lustre 1.6, llite set "OBD_BRW_NOQUOTA" directly
> for that, which can be fabricated by baleful client)
>
> Best Regards!
> --
> Fan Yong
>>
>>> Johann
>>> _______________________________________________
>>> Lustre-devel mailing list
>>> Lustre-devel at lists.lustre.org
>>> http://lists.lustre.org/mailman/listinfo/lustre-devel
>>>
>>
>>
>>
>
> _______________________________________________
> Lustre-devel mailing list
> Lustre-devel at lists.lustre.org
> http://lists.lustre.org/mailman/listinfo/lustre-devel
next prev parent reply other threads:[~2008-06-10 16:51 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080605083957.GQ6283@lore>
2008-06-05 11:09 ` [Lustre-devel] Moving forward on Quotas Peter Braam
2008-06-05 12:27 ` Johann Lombardi
2008-06-05 13:45 ` Peter Braam
2008-06-06 7:33 ` Johann Lombardi
2008-06-06 12:21 ` Peter Braam
2008-06-09 8:52 ` Yong Fan
2008-06-09 15:37 ` Peter Braam
2008-06-09 16:09 ` Yong Fan
2008-06-10 13:54 ` Yong Fan
2008-06-10 16:51 ` Peter Braam [this message]
[not found] <92825021-D566-4805-9297-5EFBD3260D73@Sun.COM>
2008-06-01 2:44 ` Peter Braam
[not found] <18490.63940.619731.992500@gargle.gargle.HOWL>
2008-05-26 23:28 ` Peter Braam
2008-05-28 8:06 ` Johann Lombardi
2008-06-01 2:32 ` Peter Braam
2008-06-02 12:22 ` Johann Lombardi
2008-06-02 23:24 ` Andreas Dilger
2008-06-03 8:49 ` Landen tian
2008-06-04 1:24 ` Peter Braam
2008-06-04 7:05 ` Landen tian
2008-06-04 8:26 ` Johann Lombardi
2008-05-28 14:29 ` Ricardo M. Correia
2008-05-28 14:54 ` Nikita Danilov
2008-05-28 15:14 ` Ricardo M. Correia
2008-05-28 16:22 ` Nikita Danilov
2008-05-28 17:05 ` Ricardo M. Correia
2008-05-28 20:06 ` Nikita Danilov
2008-05-28 21:07 ` Ricardo M. Correia
2008-05-28 21:11 ` Nikita Danilov
2008-05-28 21:33 ` Ricardo M. Correia
2008-05-29 8:39 ` Nikita Danilov
[not found] ` <18496.11672.844774.815457@gargle.gargle.HOWL>
2008-05-31 15:31 ` Ricardo M. Correia
2008-05-31 15:49 ` Ricardo M. Correia
[not found] ` <1212247447.21348.70.camel@localhost>
2008-05-31 16:19 ` Nikita Danilov
2008-05-31 17:19 ` Ricardo M. Correia
2008-05-31 19:11 ` Nikita Danilov
2008-06-01 2:36 ` Peter Braam
2008-06-01 3:17 ` Mike Shapiro
2008-06-01 2:26 ` Peter Braam
2008-06-01 4:53 ` Jeff Bonwick
2008-06-01 13:58 ` Nikita Danilov
2008-06-03 0:50 ` Matthew Ahrens
2008-06-03 7:49 ` Nikita Danilov
2008-06-04 23:50 ` Matthew Ahrens
2008-05-28 15:24 ` Nikita Danilov
2008-05-31 10:25 ` Peter Braam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C4740D4B.5A20%peter.braam@sun.com \
--to=peter.braam@sun.com \
--cc=lustre-devel@lists.lustre.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.