[lustre-discuss] Nodemap and multi-tenancy

Andreas Dilger adilger at whamcloud.com
Wed Jan 29 16:51:25 PST 2020

On Jan 26, 2020, at 15:15, Hans Henrik Happe <happe at nbi.dk> wrote:


When looking into the documentation (28.2.1) and also while testing, it
seems that it is not possible to give a tenant access to a fileset like
it was a regular lustre fs.

I would like to map IDs to a separate range including root (0). This
works when admin=0 for the nodemap, but then root will not be able to
modify other users' files. In admin=1 mode, root is not mapped and will
become id 0 on the underlying fs.

Have I missed a way to accomplish this? If not it would be on my
wishlist. Mapping ranges is also on that list.

My understanding is that if root is mapped, and admin=0, then the "root"
user on the client node could still use client-side access to impersonate
other users (e.g. "su - user -c command", assuming that "user" is part of
the nodemap for that client), and perform other commands locally.

This does not extend to the filesystem operations themselves, because
that would make containers insecure as "root" within the container image
could perform any action they wanted.

I could also see a lot of quota control scenarios for this kind of
setup. I.e. allow to control quotas for mapped UIDs and GIDs, but not

That likely needs some other kind of permission granting, which does not
exist today.  Otherwise, again "root" users in a container could assign any
quota they like, which is probably not what most sysadmins want.

You _might_ be able to use project quotas to handle this within the nodemap,
but it isn't clear what you want to do in the end.

Cheers, Andreas
Andreas Dilger
Principal Lustre Architect
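As an added illustration of the setup discussed in this thread (not code from the thread or from Lustre itself), the script below lays out one tenant's nodemap with admin=0 so root is mapped, trusted=0 so every ID is mapped, unmapped IDs squashed, individual (not range) idmaps, and the tenant confined to a fileset; the nodemap name, NID range, fileset path, squash ID and UID/GID numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build one tenant's nodemap with lctl. Commands are echoed,
# and only executed (on an MGS) when DRY_RUN=0. All names and numbers are
# assumptions chosen for illustration.
DRY_RUN=${DRY_RUN:-1}

run() {
    echo "lctl $*"
    [ "$DRY_RUN" = 1 ] || lctl "$@"
}

# $1 nodemap name, $2 client NID range, $3 fileset directory,
# $4 base filesystem UID/GID for this tenant, $5 number of tenant user IDs
tenant_nodemap() {
    name=$1; nids=$2; fileset=$3; base=$4; count=$5
    run nodemap_add "$name"
    run nodemap_add_range --name "$name" --range "$nids"
    # trusted=0: client IDs are never passed through unmapped
    run nodemap_modify --name "$name" --property trusted --value 0
    # admin=0: client root (0) is mapped like any other ID; as the thread
    # notes, the mapped root then cannot modify other tenant users' files
    run nodemap_modify --name "$name" --property admin --value 0
    # IDs without an explicit mapping are squashed to nobody (65534, assumed)
    run nodemap_modify --name "$name" --property squash_uid --value 65534
    run nodemap_modify --name "$name" --property squash_gid --value 65534
    # root inside the tenant lands on the tenant's base UID/GID
    run nodemap_add_idmap --name "$name" --idtype uid --idmap "0:$base"
    run nodemap_add_idmap --name "$name" --idtype gid --idmap "0:$base"
    # Ranges cannot be mapped in one step (a wishlist item in the thread),
    # so each user ID is mapped individually: client 1000+i -> base+1+i
    i=0
    while [ "$i" -lt "$count" ]; do
        run nodemap_add_idmap --name "$name" --idtype uid --idmap "$((1000 + i)):$((base + 1 + i))"
        run nodemap_add_idmap --name "$name" --idtype gid --idmap "$((1000 + i)):$((base + 1 + i))"
        i=$((i + 1))
    done
    # Confine the tenant's clients to its own subdirectory of the filesystem
    run nodemap_set_fileset --name "$name" --fileset "$fileset"
}

tenant_nodemap tenant_a '10.0.1.[1-64]@tcp' /tenant_a 100000 4
run nodemap_activate 1
```

Run with DRY_RUN=0 on the MGS to apply; without it the script only prints the lctl commands for review.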
