[Lustre-discuss] Block clients from mounting a Lustre filesystem
Nicolas Williams
Nicolas.Williams at sun.com
Mon Jul 27 13:08:36 PDT 2009
On Mon, Jul 27, 2009 at 01:53:02PM -0600, Andreas Dilger wrote:
> On Jul 27, 2009 12:01 +0200, Arne Wiebalck wrote:
> > with versions <= 1.8.0.1 is there a more elegant way of blocking
> > clients from mounting a Lustre fs than configuring IP tables accordingly?
>
> I don't think there is any other easy way to do this. I believe LLNL
> had a patch to essentially implement xinetd-like allow/deny inside the
> LNET code, but I don't think it was merged.
It'd be nice to have a way to evict clients at any time and stop them
from re-connecting. Client addresses don't mean much; some time after a
client is banned some other client may replace it and use the same
address. This argues for a UI (and API) that allows one to ban/un-ban
addresses.
> > Is it correct that with versions >= 2.0 Kerberos will deliver this
> > 'functionality' as I can enforce the client to authenticate (which
> > it can't if I refused to give it keytab in the first place)?
>
> Right, though Kerberos will not yet be a supported feature in 2.0.
Client principal names are a lot more meaningful than client addresses,
so being able to blacklist clients by principal name is a lot more
useful than blacklisting them by address. But you'd still want this to
be a function of the Lustre servers, not a function of denying Kerberos
credentials to clients.
Nico
--
More information about the lustre-discuss
mailing list