On 14/07/14 08:26, Luke Raimbach wrote:
Dear GPFS Experts,

I have two clusters, A and B where cluster A owns file system GPFS and cluster 
B owns no file systems.

Cluster A is mixed Linux/Windows and has IMU keeping consistent UID/GID maps 
between Windows and Linux environment resulting in a very high ID range 
(typically both UID/GID starting at 850000000)

Cluster B remote mounts file system GPFS with UID/GID=0 remapped to 99. This is fine for 
preventing remote root access to file system GPFS. However, cluster B may have untrusted 
users who have root privileges on that cluster from time to time. Cluster B is 
"part-managed" by the admin on cluster A, who only provides tools for 
maintaining a consistent UID space with cluster A.

In this scenario, what can be done to prevent untrusted root-privileged users 
on cluster B from creating local users with a UID matching one in cluster A and 
thus reading their data?

Ideally, I want to remap all remote UIDs *except* a small subset which I might 
trust. Any thoughts?


I'm not aware of any easy way to accommodate this. GPFS has machine-based authentication and authorisation, but not user-based. A bit like NFSv3, but with "proper" machine auth at least. This has stopped us exporting GPFS file systems outside a management domain - except where the file system is built solely for that purpose.

You could look at gpfs native encryption, which should allow you to share keys between the clusters for specific areas - but that'd be a heavyweight fix.

Failing that - you could drop GPFS and use something else to cross export specific areas (NFS, etc). You could possibly look at pNFS to make that slightly less disappointing...


Cheers,
Luke.

--

Luke Raimbach
IT Manager
Oxford e-Research Centre
7 Keble Road,
Oxford,
OX1 3QG

+44(0)1865 610639

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


--
Dr Orlando Richards
Research Facilities (ECDF) Systems Leader
Information Services
IT Infrastructure Division
Tel: 0131 650 4994
skype: orlando.richards

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
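The exchange above turns on one mechanism: a remote mount that squashes only UID/GID 0 leaves every other UID trusted as-is, so anyone with root on cluster B can mint a local account whose UID matches a cluster-A user and read that user's files. The following is an added example, not code from the thread, from GPFS or from either poster. It models, in plain Python, the difference between the root-only squash the thread describes and the "squash everything except a trusted subset" policy Luke asks for, and it adds the audit check a cluster-A admin who "part-manages" cluster B could run against B's passwd file. All function names, the sample passwd lines and the UID values are constructed for illustration; the 850000000 base and the 0-to-99 squash come from the thread, and file access is modelled as owner-only (mode 0600) permissions.

```python
"""Model of the UID-trust problem from the thread (added example, not GPFS code).

Constructed data only: the user names, passwd lines and specific UIDs below are made
up to mirror the scenario (cluster A's IMU-managed IDs starting at 850000000,
cluster B squashing only UID/GID 0 to 99).
"""
from typing import Callable, Iterable

NOBODY_UID = 99                    # remote root is squashed to this in the thread
CLUSTER_A_ID_BASE = 850_000_000    # IMU-managed range on cluster A (from the thread)


def squash_root_only(uid: int) -> int:
    """The remap the thread describes: only UID 0 is rewritten; every other UID passes."""
    return NOBODY_UID if uid == 0 else uid


def squash_all_but_trusted(uid: int, trusted: set[int]) -> int:
    """The remap Luke wants: a remote UID keeps its identity only if explicitly trusted."""
    return uid if uid in trusted else NOBODY_UID


def effective_access(remote_uid: int, file_owner_uid: int,
                     remap: Callable[[int], int]) -> bool:
    """Can a remote process running as remote_uid read a file owned by file_owner_uid
    under owner-only permissions?  Yes exactly when the remapped UID equals the owner."""
    return remap(remote_uid) == file_owner_uid


def parse_passwd(lines: Iterable[str]) -> dict[str, int]:
    """Minimal /etc/passwd parser: name -> uid, skipping blank and comment lines."""
    users: dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users


def colliding_local_users(passwd_lines: Iterable[str], cluster_a_uids: set[int],
                          trusted: set[int]) -> list[tuple[str, int]]:
    """Audit check for the cluster-A admin: local accounts on cluster B whose UID
    equals a cluster-A user's UID but is not in the trusted subset."""
    return sorted((name, uid) for name, uid in parse_passwd(passwd_lines).items()
                  if uid in cluster_a_uids and uid not in trusted)


# Constructed sample: cluster B's passwd file, including one locally minted account
# whose UID was chosen to match a cluster-A user.
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
# legitimately IMU-synced account, present on both clusters
alice:x:850000007:850000007:Alice:/home/alice:/bin/bash
# created locally by a root-privileged user on cluster B
evil:x:850000042:850000042::/tmp:/bin/bash
""".splitlines()

# Constructed: UIDs cluster A knows about (all above CLUSTER_A_ID_BASE) and the
# small subset the cluster-A admin is willing to trust from cluster B.
CLUSTER_A_UIDS = {850000007, 850000042, 850000108}
TRUSTED = {850000007}


if __name__ == "__main__":
    victim = 850000042  # a cluster-A user whose files the attacker wants
    print("root-only squash, spoofed UID reads victim's file:",
          effective_access(victim, victim, squash_root_only))
    print("allowlist squash, spoofed UID reads victim's file:",
          effective_access(victim, victim, lambda u: squash_all_but_trusted(u, TRUSTED)))
    print("allowlist squash, trusted alice reads her own file:",
          effective_access(850000007, 850000007,
                           lambda u: squash_all_but_trusted(u, TRUSTED)))
    print("local accounts on B colliding with cluster A:",
          colliding_local_users(SAMPLE_PASSWD, CLUSTER_A_UIDS, TRUSTED))
```

The two remap functions make Orlando's point concrete: the squash in the thread is machine-level trust (root is the only identity the remote cluster refuses to honour), so the only user-level defence available in the model is the audit, which depends on the cluster-A admin already holding a list of A's UIDs and the trusted subset.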