[Lustre-devel] security: MGS connection

Eric Barton eeb at sun.com
Wed Jun 4 10:47:28 PDT 2008


> Here is the user interface change according to previous discussion, 
> please review:
> - The security flavor of MGS connection is determined by each node, not 
>   controllable by MGS.

Is this an unavoidable fact of life or a design decision?  See below "XXX"

> - By default there's no protection.

See below "XXX"

> - Given the GSS/Kerberos env is ready, mount option "mgssec=flavor" 
> could be supplied. Pre-configured machine credential will be used, so no 
> need to supply password or whatsoever.
> - For MDT/OST, the option "mgssec=flavor" could also be written on disk, 
> like other parameters, but will be override if mount option supplied.
> - The flavor of MGS connection won't change until umount, no matter how 
> rest of connection flavors change at runtime.

> - MGC->MGS connection is one per node, so only one flavor could be used. 
> For example, suppose 2 OSTs live in a single node, we do:
>    # mount -t lustre -o mgssec=krb5p /dev/sda1 /mnt/ost1
>    # mount -t lustre -o mgssec=null /dev/sda1 /mnt/ost2
> then only 'mgssec=krb5p' will take effect, the second 'mgssec=null' will 
> be ignored.

I don't think it's acceptable to allow a previous mount to compromise
the security of a later mount.


This raises the interesting question of whether servers (MGS included) can
demand a minimim level of security from clients connecting to them.  Is this
normally part of configuring security on a given node (e.g. to set the
machine credentials you mentioned above)?

> Are these (especially the last one) reasonable? Thanks.
> -- 
> Eric

More information about the lustre-devel mailing list