[Lustre-devel] Security issues

Peter Braam Peter.Braam at Sun.COM
Fri Aug 8 10:12:38 PDT 2008 



On 8/8/08 11:03 AM, "Eric Barton" <eeb at sun.com> wrote:

> 1. Securing bulk data.
>  
> It seems to me that it is appropriate to use the GSSAPI to secure the
> transfer of bulk data between client and server since it's effectively just
> another message.  I can see (at least naively) that it would be good to
> avoid double encryption in the case where file contents are actually stored
> encrypted on disk.

You are not telling me that we are going through a lot of re-design, that we
are encrypting data and that then we are not storing it encrypted on disk?
Come on, adding an EA with a key to decrypt is not so hard and one gets lots
of value from it.
> 
> But even in this case, don't we still have to sign the
> (encrypted) bulk so that the receiver can be sure it arrived intact?
> 
Well, yes, but as I indicated you can sign the hash that is stored on (ZFS)
disk for this.  That avoids generating the hash twice.  So I am really not
convinced yet.
> 
The issue is not the message mechanism, but is what identity to use for GSS
to authenticate and how to manage and revoke that etc.
>  
> 2. Securing Capabilities.
>  
> If we want to be sure that a Capability given to client A cannot be
> snooped and used by client B we either (a) have to make the Capability
> secret (i.e. never passed in cleartext) or (b) have to make the Capability
> identify which client it is valid for.
>  
> It seems to me that (b) is preferrable since it ensures that a malicious
> client cannot leak Capabilities to a 3rd party.  The downside is that this
> multiplies the number of unique Capabilities by the number of clients,
> potentially increasing CPU load when 1000s of clients all open the same
> shared file and each require unique Capabilities to access the stripe objects.
> Do we have a feel for how bad this could be?
> 
Yes, very bad, and it is absolutely necessary to have an option that avoids
this (also 1000s is out of date ­ it could be 100x worse).  That option
could be to simply not have security on the compute cluster if customers
agree with this.

We also need to discuss your proposals with a review committee from LLNL and
Sandia, as we did during the PF discussions.

Peter
> 
>  
>     Cheers, 
>                    Eric
> 
>  
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lustre.org/pipermail/lustre-devel-lustre.org/attachments/20080808/45c1a7ad/attachment.htm>

More information about the lustre-devel mailing list