[Lustre-devel] GSS cross-realm on MDT -> OST
Benjamin Bennett
ben at psc.edu
Tue Jul 8 11:41:39 PDT 2008

Peter Braam wrote:
> Yes, it will be very important that we can separate OST's/MDT's widely.
>
> But placing them in different realms, I'm not sure about. Can PSC explain
> what administrative model warrants that? Why can a remote OST not be part
> of the realm of the MDS that controls it?

The OSTs will be distributed among several resource provider
organizations, each with their own existing domain name space and
Kerberos realm. There is also a centrally managed TeraGrid realm which
could be used to provide cross-realm transit between the resource
provider realms. With this Kerberos authentication infrastructure
already in place, the issue comes down to that of authorizing a principal
as an MDS, the logic of which I believe should be reconsidered
regardless of cross-realm issues.

Currently an OSS's authz of an MDS is inherent in the name of the
principal (lustre_mds/host), so AFAICT one cannot safely run two distinct
Lustre clusters within a single Kerberos realm. Moreover, this makes
the assumption that all Kerberos admins are knowledgeable enough about
Lustre to only issue lustre_mds/host principals to entities that should
have MDS privileges throughout the entire realm. Please do correct me
if I'm wrong here.

--ben
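
The authorization concern raised in the message above, as an added example that is not part of the original post and is not Lustre code: it compares a check that trusts the lustre_mds service name with a per-cluster list of exact MDS principals. The realm-scoped form of the name check, the allowlist design, and every host and realm name are assumptions constructed for illustration.

```python
# Constructed illustration; not Lustre source code. Hosts and realms are made up.
from typing import NamedTuple

class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_principal(name: str) -> Principal:
    """Parse 'service/host@REALM'; escaped '/' or '@' in components is not handled."""
    local, at, realm = name.rpartition("@")
    service, slash, host = local.partition("/")
    if not (at and realm and slash and service and host) or "/" in host:
        raise ValueError(f"not a service/host@REALM principal: {name!r}")
    return Principal(service, host.lower(), realm)  # realm names are case-sensitive

def name_based_is_mds(p: Principal, local_realm: str) -> bool:
    """Model of the check the post describes: the service name decides.
    Assumption: the check is scoped to the OSS's own realm."""
    return p.service == "lustre_mds" and p.realm == local_realm

def allowlist_is_mds(p: Principal, trusted: frozenset) -> bool:
    """Hypothetical alternative: the OSS lists the exact MDS principals it serves."""
    return p in trusted

LOCAL_REALM = "SITE-A.EXAMPLE"
# Constructed scenario: an OSS of cluster "alpha". Realm SITE-A.EXAMPLE also hosts
# cluster "beta", and alpha has a second MDS in another provider's realm.
ALPHA_TRUSTED = frozenset(parse_principal(n) for n in (
    "lustre_mds/mds1.alpha.site-a.example@SITE-A.EXAMPLE",
    "lustre_mds/mds2.alpha.site-b.example@SITE-B.EXAMPLE",
))
CANDIDATES = (
    "lustre_mds/mds1.alpha.site-a.example@SITE-A.EXAMPLE",    # alpha's own MDS
    "lustre_mds/mds2.alpha.site-b.example@SITE-B.EXAMPLE",    # alpha's remote MDS
    "lustre_mds/mds1.beta.site-a.example@SITE-A.EXAMPLE",     # other cluster's MDS
    "lustre_mds/workstation7.site-a.example@SITE-A.EXAMPLE",  # issued by mistake
    "host/oss3.alpha.site-a.example@SITE-A.EXAMPLE",          # not an MDS at all
)

def compare(candidates=CANDIDATES, trusted=ALPHA_TRUSTED, realm=LOCAL_REALM) -> dict:
    """Map each principal name to (name_based_result, allowlist_result)."""
    out = {}
    for name in candidates:
        p = parse_principal(name)
        out[name] = (name_based_is_mds(p, realm), allowlist_is_mds(p, trusted))
    return out

if __name__ == "__main__":
    for name, (by_name, by_list) in compare().items():
        print(f"{name:58} name-based={by_name!s:5} allowlist={by_list}")
```

The two rows where the checks disagree in the permissive direction are the other cluster's MDS and the mistakenly issued principal: the name check accepts both, the explicit list accepts neither.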