[lustre-discuss] Restricting sub directory mounts/access

Kumar, Amit ahkumar at mail.smu.edu
Tue Mar 30 20:24:44 PST 2021


Hi David,

Thank you for your reply. Yes, I would like to use the isolation mentioned in the link you shared, but a bit differently. I did a bit of reading, but it appears to me that the isolation provided by the filesets feature allows me to mount a sub-directory in isolation from the root directory, and using nodemap allows me to squash or map UID/GID on a set of clients. Based on my understanding this would not help me; I hope I am wrong.

Here is what I am trying: I still want the entire namespace mounted on all clients, but exclude access to one of the sub-directories from the namespace on a handful of clients. Rationale: we have some datasets that reside in a sub-directory, and given the Lustre namespace is mounted on login servers which are not set up behind a 2FA authentication system, the entity providing us the dataset has raised concerns, and hence we are trying to look for options around this. We do have a place to put the data elsewhere at the moment, but I would like to explore options, since not all our file systems are as large as Lustre and it could benefit us when the need arises.

Best Regards,
Amit

-----Original Message-----
From: lustre-discuss <lustre-discuss-bounces at lists.lustre.org> On Behalf Of David Schanzenbach
Sent: Thursday, March 25, 2021 4:18 PM
To: lustre-discuss at lists.lustre.org
Subject: Re: [lustre-discuss] Restricting sub directory mounts/access


Hi Amit,

Unless I am misunderstanding what you are trying to do, it sounds like what you are looking for is the sub-directory tree isolation feature described in the Lustre manual:
https://doc.lustre.org/lustre_manual.xhtml#managingSecurity.isolation

Of course, with the example you gave, using the sub-directory of /scratch/group would not do what you want, but if the directory tree was something like /scratch/group/private/data_dir and /scratch/group/public/<other_dirs> you could set the fileset (sub-directory) on a nodemap to /group/public and limit visibility for a set of clients. You could then use another nodemap to grant full access from a different set of clients.


Thanks,
David

> One way I was thinking of doing this was using nodemap to map the UID/GID of the user to root or nobody so access to the compliance data is limited to root alone. Although this could work, I was looking for alternate ways to mount, or to have access restricted by IP, if it was possible.
>
> Thank you,
> Amit
>
> From: lustre-discuss <lustre-discuss-bounces at lists.lustre.org> On Behalf Of Kumar, Amit
> Sent: Wednesday, March 24, 2021 3:52 PM
> To: lustre-discuss at lists.lustre.org
> Subject: [lustre-discuss] Restricting sub directory mounts/access
>
>
> Dear All,
>
> Wondering if I could restrict access to a specific directory from within my Lustre file system, for example /scratch/group/data_dir, "on a set of nodes"?
> I would still want to have full read-write access to other directories (/scratch/group/<other_dirs>).
>
> Can this be achieved in some creative way using overlayFS?
>
> Thank you,
> Amit
>
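The nodemap/fileset setup David describes, written out as an added example (this is not code from the thread or from the Lustre project). It assumes the hypothetical layout from his reply, a file system whose root holds /group/public and /group/private, and constructed placeholder NID ranges for the login and compute nodes. By default it only prints the `lctl` commands it would run on the MGS (DRY_RUN=1), so the plan can be reviewed before it touches anything; set DRY_RUN=0 to execute it. The restriction it builds is keyed on the client's NID range, not on the user, and the fileset is a visibility boundary on the namespace; clients that fall into no listed range are handled by the default nodemap, so check that one's properties as well.

```shell
#!/bin/sh
# Added example, not from the thread or the Lustre project.
# Assumed (hypothetical) layout: the file system root holds /group/public and
# /group/private. Login nodes get a nodemap pinned to /group/public; compute
# nodes get a nodemap with no fileset and therefore see the whole namespace.
# NID ranges are constructed placeholders; replace them with your own.
# DRY_RUN=1 (default) prints the lctl commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nodemap_with_fileset NAME NID_RANGE FILESET
# Creates a nodemap, binds a NID range to it and pins the clients' root to
# FILESET (relative to the file system root). trusted/admin=1 keeps the
# clients' own UID/GID, so only namespace visibility is restricted here.
nodemap_with_fileset() {
    name=$1; range=$2; fileset=$3
    run lctl nodemap_add "$name"
    run lctl nodemap_add_range --name "$name" --range "$range"
    run lctl nodemap_set_fileset --name "$name" --fileset "$fileset"
    run lctl nodemap_modify --name "$name" --property trusted --value 1
    run lctl nodemap_modify --name "$name" --property admin --value 1
}

# nodemap_full NAME NID_RANGE: same, but without a fileset (full namespace)
nodemap_full() {
    name=$1; range=$2
    run lctl nodemap_add "$name"
    run lctl nodemap_add_range --name "$name" --range "$range"
    run lctl nodemap_modify --name "$name" --property trusted --value 1
    run lctl nodemap_modify --name "$name" --property admin --value 1
}

# configure: the whole plan; nodemaps only take effect once activated
configure() {
    nodemap_with_fileset login_nodes '10.0.1.[1-10]@tcp' /group/public
    nodemap_full compute_nodes '10.0.2.[1-255]@tcp'
    run lctl nodemap_activate 1
}

# count_commands: number of lctl invocations the plan emits (sanity check)
count_commands() {
    configure | grep -c '^lctl '
}

configure
```

Run it once as-is to review the emitted commands, then with `DRY_RUN=0` on the MGS. The fileset for the login nodes is /group/public, not /group, because (as David notes) a fileset hides everything outside the chosen sub-tree, so the data to be protected has to live outside it.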

_______________________________________________
lustre-discuss mailing list
lustre-discuss at lists.lustre.org
http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org

