[Lustre-devel] security: MGS connection

Eric Barton eeb at sun.com
Thu Jun 5 17:36:28 PDT 2008

> Here is an updated user interface proposal, please review:
> - MGS can be configured to "only allow RPC with certain level of 
> security from certain node". The default is 'allow any'.


> - Each node choose what security flavor to use to connect MGS when 
> mounting target device or client, by mount option "mgssec=flavor". By 
> default 'null' (no protection) is chosen.


> - For MDT/OST, the option "mgssec=flavor" could also be written on disk, 
> like other parameters, but will be override if mount option supplied.

How can "mgssec=flavor" apply to MDT/OST connections?  What mount option
will override saved MDT/OST parameters?

IMHO we have to make an extremely clear separation between MGS connection
security (which can only be specified in the mount command) and lustre server
connection security (which can be stored on the MGS).  Anything that blurs the
distinction will be error prone.

> - If flavor of GSS/Kerberos is specified, some pre-configured machine 
> credential will be used, so no need to supply password or whatsoever.


> - The flavor of MGS connection won't change until umount, no matter how 
> rest of connection flavors change at runtime.


> - If there's multiple mounts on one node, they must specify the same 
> security flavor. For example, if we do:
>    # mount -t lustre -o mgssec=krb5p /dev/sda1 /mnt/ost1
>    # mount -t lustre -o mgssec=null /dev/sda1 /mnt/ost2
> then the second mount will fail immediately.



More information about the lustre-devel mailing list