Andrew Leung, Stephanie Jones, and I designed a protocol to do this in 2007. You should look at the paper we wrote: <http://www.ssrc.ucsc.edu/pub/leung07-sc.html>
The protocol we designed used the MDS to hand out keys, and supported group authentication as well as expiring keys with group renewals. It also supported delegation: a user could generate a public/private key pair and delegate access to only specific files to anyone with the private key that was generated. The result was a highly scalable security system with less than 5% overhead (sometimes much less) on the benchmarks we ran.

The code was implemented in Ceph, and Andrew likely has it around somewhere. It probably needs to be updated to work with the current version of Ceph, and will need bulletproofing, but it's a good start.

> We're currently working on an authentication module for ceph. This
> will allow us both keeping the cluster secured internally, as no bad
> servers will be able to join the cluster, and both externally. E.g.,
> only permitted clients will be able to do certain specified
> operations. This is just a rough description of what we consider right
> now, but here it is:
>
> The following are the basic requirements:
> * Robust, scalable, keeps up with the cluster's consistency.
> * Identify the different cluster modules (e.g., mon, mds and osd) and
>   allow only the permitted entities to participate in the cluster
> * Identify the clients, and set up a mechanism to authenticate them.
>   Establish a session between the client and the cluster
> * The created session will allow the client to communicate with the
>   different cluster entities
> * It will be possible to sign (and possibly encrypt) all protocol
>   operations
>
> I'd love to hear any comment, idea or request that you might have as
> we're about to start implementing this stuff.

( Ethan L. Miller                  Email: e...@cs.ucsc.edu )
( Professor, Computer Science      Web: http://www.cs.ucsc.edu/~elm/ )
( University of California         Phone: +1 831 459-1222 )
( Santa Cruz, CA 95064 USA         Fax: +1 831 459-1041 )
( PGP keyprint: 76C7 D699 1FF6 A1A4 B7A1 9629 2EBF 1273 A6ED 6A09 )
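The delegation idea in the message above (access to specific files for whoever holds a generated private key, with expiry), as an added sketch that is not from the post, the paper, or the Ceph code. Ed25519, the ticket layout, the issuer key, the server-chosen nonce, and the names `Delegation`, `Issue`, `Request` and `Check` are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Delegation is a hypothetical ticket layout (an assumption, not the paper's).
type Delegation struct {
	Files   []string          // the only files the holder may access
	Expires int64             // Unix seconds
	Holder  ed25519.PublicKey // public half of the pair made for delegation
	Sig     []byte            // issuer signature over encode()
}

func (d *Delegation) encode() []byte {
	return []byte(fmt.Sprintf("%d|%x|%q", d.Expires, []byte(d.Holder), d.Files))
}

// Issue binds files and an expiry to the holder key and signs the result.
func Issue(issuer ed25519.PrivateKey, holder ed25519.PublicKey, files []string, exp time.Time) *Delegation {
	d := &Delegation{Files: files, Expires: exp.Unix(), Holder: holder}
	d.Sig = ed25519.Sign(issuer, d.encode())
	return d
}

// Request is the message the holder signs; the nonce is assumed server-chosen.
func Request(file string, nonce []byte) []byte { return []byte(fmt.Sprintf("%q|%x", file, nonce)) }

// Check verifies issuer signature, expiry, file scope, then key possession.
func Check(issuerPub ed25519.PublicKey, d *Delegation, file string, nonce, proof []byte, now time.Time) error {
	scoped := false
	for _, f := range d.Files {
		scoped = scoped || f == file
	}
	switch {
	case len(d.Holder) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, d.encode(), d.Sig):
		return fmt.Errorf("bad issuer signature")
	case now.Unix() >= d.Expires:
		return fmt.Errorf("delegation expired")
	case !scoped:
		return fmt.Errorf("file not delegated")
	case !ed25519.Verify(d.Holder, Request(file, nonce), proof):
		return fmt.Errorf("no proof of the delegated private key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key, used as issuer and holder
	fmt.Println(Check(pub, Issue(priv, pub, []string{"/a"}, time.Now().Add(time.Hour)), "/b", nil, nil, time.Now()))
}
```

Because the ticket names a public key rather than a user, it can be handed to anyone, and the checker never needs to know who the holder is, only that the request was signed with the matching private key.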