[lustre-discuss] Restrict who can assign OST pools to directories

Passerini Marco marco.passerini at cscs.ch
Fri Nov 18 05:17:18 PST 2022


> so that it becomes difficult (not impossible though) for users
> to use :). Users don't have access to MDS to get the entire lists of
> pools defined.


Users can see what pools have been assigned to existing directories with "lfs getstripe" though... so it's not very secure!


Regards,

Marco Passerini

________________________________
From: Raj <rajgautam at gmail.com>
Sent: Monday, November 7, 2022 6:23:48 PM
To: Andreas Dilger
Cc: Passerini Marco; lustre-discuss at lists.lustre.org
Subject: Re: [lustre-discuss] Restrict who can assign OST pools to directories

Marco, one other idea is to give an unfriendly pool name that users
can't guess. Like "myfs.mkpilaxluia" instead of myfs.flash or
myfs.ssd so that it becomes difficult (not impossible though) for users
to use :). Users don't have access to MDS to get the entire lists of
pools defined.
Thanks,
Raj

On Mon, Nov 7, 2022 at 4:28 AM Andreas Dilger via lustre-discuss
<lustre-discuss at lists.lustre.org> wrote:
>
> Unfortunately, this is not possible today, though I don't think it would be too hard for someone to implement this by copying "enable_remote_dir_gid" and similar checks on the MDS.
>
> In Lustre 2.14 and later, it is possible to set an OST pool quota that can restrict users from creating too many files in a pool.  This doesn't directly prevent them from setting the pool on a directory (though I guess this _could_ be checked), but they would get an EDQUOT error when trying to create in that directory, and quickly tire of trying to use it.
>
> Cheers, Andreas
>
> On Nov 4, 2022, at 05:57, Passerini Marco <marco.passerini at cscs.ch> wrote:
>
> Hi,
>
> Is there a way in Lustre to restrict who can assign OST pools to directories? In specific, can we limit the following command so that it can be run by root only?
>
> lfs setstripe --pool myfs.mypool test_dir
>
> I would need something similar to what can be done for remote directories:
> lctl set_param mdt.*.enable_remote_dir_gid=1
>
> Regards,
> Marco Passerini
>
>
> Cheers, Andreas
> --
> Andreas Dilger
> Lustre Principal Architect
> Whamcloud
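Since the thread concludes that pool assignment cannot be restricted to root, an after-the-fact audit is one compensating check. The following is an added example, not part of the original thread or of Lustre itself: it walks a tree and reports directories that carry a restricted pool outside the trees an administrator has approved. It assumes that `lfs getstripe -d -p <dir>` prints only the pool name of the directory's default layout; the mount point, pool name and approved path are hypothetical.

```python
import os
import subprocess


def lfs_pool(path):
    """Return the pool on a directory's default layout, or '' if none.

    Assumption: `lfs getstripe -d -p <dir>` prints only the pool name.
    """
    res = subprocess.run(["lfs", "getstripe", "-d", "-p", path],
                         capture_output=True, text=True, check=False)
    return res.stdout.strip()


def audit_pools(root, restricted, approved, get_pool=lfs_pool):
    """List directories under `root` that use a restricted pool outside
    the admin-approved trees. Returns (path, pool, owner_uid) tuples."""
    approved = [os.path.realpath(a) for a in approved]
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        # Accept both "myfs.flash" and "flash" spellings of a pool name.
        pool = get_pool(dirpath).rsplit(".", 1)[-1]
        if pool not in restricted:
            continue
        real = os.path.realpath(dirpath)
        # Subdirectories inherit the parent's default layout, so anything
        # below an approved tree is expected to carry the pool as well.
        if any(real == a or real.startswith(a + os.sep) for a in approved):
            continue
        findings.append((dirpath, pool, os.stat(dirpath).st_uid))
    return findings


if __name__ == "__main__":
    # Hypothetical mount point, pool and approved project directory.
    hits = audit_pools("/mnt/myfs", {"mypool"},
                       ["/mnt/myfs/projects/approved"])
    for path, pool, uid in hits:
        print(f"{path}: pool={pool} owner_uid={uid}")
```

The `get_pool` parameter lets the lookup be replaced, for example with a cached listing, when running `lfs` once per directory is too slow on a large tree.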