[lustre-discuss] Using Nodemap for security

Sebastien Buisson sbuisson at ddn.com
Mon Jul 27 06:33:00 PDT 2020


Hi,

Yes it is possible to use nodemaps to just restrict the IP ranges from which clients can connect. To achieve this you can create 2 nodemap entries for your clients (in addition to the always recommended entry for servers):
- the first one, with the IP ranges you want to allow connection from, will have all properties set so that access is unmapped (no UID/GID mapping) and unrestricted;
- the second one, with the IP ranges you want to forbid connection from, will simply have the fileset property set to something like ‘/NULL’. Then, assuming that NULL is a directory that does *not* exist at the root of your Lustre file system, this will make clients pertaining to this IP range fail mounting Lustre.
Depending on your address schema, you might need multiple entries of each kind, in order to cover all desired IP addresses.


Generally speaking, UID/GID mapping and SSK features are serving different purposes. You do not need one to benefit from the other, if that is the concern.

Cheers,
Sebastien.
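The two-nodemap layout described above, as an added shell example that is not part of the original post or of the Lustre project itself. It is meant to be run on the MGS; the NID ranges, nodemap names and the "/NULL" fileset are assumptions chosen to match the test setup in the thread. With DRY_RUN set it only prints the lctl commands it would run, which is useful for reviewing the sequence before touching a live MGS.

```shell
#!/bin/sh
# Added example: restrict which NID ranges can mount Lustre using nodemaps only
# (no UID/GID mapping). Run on the MGS as root. DRY_RUN=1 prints the commands
# instead of executing them. All ranges below are assumed values for illustration.

ALLOW_RANGE="192.168.57.[100-199]@tcp1"   # clients that may mount, unmapped
DENY_RANGE="192.168.57.[200-254]@tcp1"    # clients that must fail to mount
SERVER_RANGE="192.168.10.[10-12]@tcp0"    # MGS/MDS/OSS: always give servers an entry
BLOCK_FILESET="/NULL"                     # must NOT exist at the filesystem root

# Wrapper so the same functions can be reviewed (DRY_RUN=1) or applied.
lctl_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'lctl %s\n' "$*"
    else
        lctl "$@"
    fi
}

# Nodemap with access unmapped and unrestricted:
#   admin=1   -> root on the client is not squashed
#   trusted=1 -> client UIDs/GIDs are used as-is (no idmap lookup)
make_open_nodemap() {
    name=$1
    range=$2
    lctl_cmd nodemap_add "$name"
    lctl_cmd nodemap_add_range --name "$name" --range "$range"
    lctl_cmd nodemap_modify --name "$name" --property admin --value 1
    lctl_cmd nodemap_modify --name "$name" --property trusted --value 1
}

# Nodemap whose fileset points at a directory that does not exist, so
# clients in this range fail at mount time. Keep the default
# admin=0/trusted=0 so nothing is unmapped even if the fileset were created.
make_blocked_nodemap() {
    name=$1
    range=$2
    lctl_cmd nodemap_add "$name"
    lctl_cmd nodemap_add_range --name "$name" --range "$range"
    lctl_cmd nodemap_set_fileset --name "$name" --fileset "$BLOCK_FILESET"
}

# Full sequence: servers first, then allowed clients, then the blocked range,
# and only then activate nodemaps so servers never lose access mid-way.
configure_nodemaps() {
    make_open_nodemap servers "$SERVER_RANGE"
    make_open_nodemap allowed_clients "$ALLOW_RANGE"
    make_blocked_nodemap blocked_clients "$DENY_RANGE"
    lctl_cmd nodemap_activate 1
}

# Apply only when explicitly asked: `sh nodemap-restrict.sh apply`
if [ "${1:-}" = "apply" ]; then
    configure_nodemaps
fi
```

Review the plan first with `DRY_RUN=1 sh nodemap-restrict.sh apply`, then apply it and confirm the result with `lctl nodemap_info`. Nodemap ranges may not overlap, so if an address scheme needs several allowed or blocked ranges, call make_open_nodemap or make_blocked_nodemap once per range with a distinct name, exactly as the reply notes.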


> Le 23 juil. 2020 à 18:30, Kolacz, John Gilbert <jgkolacz at lanl.gov> a écrit :
> 
> Hi, 
>  
> I’m going to try to make this as TLDR minimal as possible.
>  
> I’m working on a project to provide better security for our lustre storage.
>  
> What I’ve found is plenty of info on nodemap with ssk, but I have a few questions-
>  
> Can I set up nodemap so it allows full access and simply restricts the IP ranges from which clients can connect?
>  
> Running lctl nodemap_info all looks like it has an option for squash_gid and squash_uid.  Does that mean I can turn those off?
>  
> If I use ssk, do I still have to set up uid and gid translations?
>  
>  
> My test environment:
>  
> Client at 192.168.57.100@tcp1 -- LNet router to tcp0 -- MGS at 192.168.10.10@tcp0 (with MDS and 2 OSS)
>  
> LNet routing works, and I can give and take access using nodemap_activate 0/1
> 
> Thanks,
>  
> John Kolacz
> HPCSYS FS 
>  
> _______________________________________________
> lustre-discuss mailing list
> lustre-discuss at lists.lustre.org
> http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org


