[Lustre-devel] security: MGS connection
Peter.Braam at Sun.COM
Thu Jun 5 20:16:03 PDT 2008
Out of curiosity - do we secure OSC - OST connections with GSS? We send
capabilities over them that are encrypted so perhaps it is not necessary.
On 6/5/08 6:39 PM, "Eric Mei" <Eric.Mei at Sun.COM> wrote:
> Eric Barton wrote:
>>> Here is an updated user interface proposal, please review:
>>> - MGS can be configured to "only allow RPC with certain level of
>>> security from certain node". The default is 'allow any'.
>>> - Each node choose what security flavor to use to connect MGS when
>>> mounting target device or client, by mount option "mgssec=flavor". By
>>> default 'null' (no protection) is chosen.
>>> - For MDT/OST, the option "mgssec=flavor" could also be written on disk,
>>> like other parameters, but will be override if mount option supplied.
>> How can "mgssec=flavor" apply to MDT/OST connections? What mount option
>> will override saved MDT/OST parameters?
> Sorry I was not clear enough. I meant connection from MDT or OST to MGS.
> The "mgssec=flavor" could be specified as mount parameter, or stored on
> disk by mkfs.lustre or tune2fs. If both present, mount option wins.
> Anyway it's just some details.
>> IMHO we have to make an extremely clear separation between MGS connection
>> security (which can only be specified in the mount command) and lustre server
>> connection security (which can be stored on the MGS). Anything that blurs
>> distinction will be error prone.
> Yes exactly, they're completely separated.
>>> - If flavor of GSS/Kerberos is specified, some pre-configured machine
>>> credential will be used, so no need to supply password or whatsoever.
>>> - The flavor of MGS connection won't change until umount, no matter how
>>> rest of connection flavors change at runtime.
>>> - If there's multiple mounts on one node, they must specify the same
>>> security flavor. For example, if we do:
>>> # mount -t lustre -o mgssec=krb5p /dev/sda1 /mnt/ost1
>>> # mount -t lustre -o mgssec=null /dev/sda1 /mnt/ost2
>>> then the second mount will fail immediately.
More information about the lustre-devel