Luke,

Without fully knowing your use case... If your data partitions so that cluster B users only need a subset of the file system, such that it doesn't matter if they can read anything on it, and the remainder can be kept completely away from them, then a possibility is to have two file systems on cluster A, only one of which is exported to B. (For example, we have a general user file system going to all clusters, as well as a smaller file system of VM images restricted to hypervisors only.)
The lack of user authentication (such as found in AFS) has handicapped our use of GPFS. With not completely trusted users (we provide general HPC compute services), someone with a privilege escalation exploit can own the file system, and GPFS provides no defense against this. I am hoping that maybe native encryption can be bent to provide better protection, but I haven't had the opportunity to explore this yet.

/Lindsay

On Mon, Jul 14, 2014 at 3:26 AM, Luke Raimbach <[email protected]> wrote:
> Dear GPFS Experts,
>
> I have two clusters, A and B, where cluster A owns file system GPFS and
> cluster B owns no file systems.
>
> Cluster A is mixed Linux/Windows and has IMU keeping consistent UID/GID
> maps between the Windows and Linux environments, resulting in a very high ID
> range (typically both UID/GID starting at 850000000).
>
> Cluster B remote mounts file system GPFS with UID/GID=0 remapped to 99.
> This is fine for preventing remote root access to file system GPFS.
> However, cluster B may have untrusted users who have root privileges on
> that cluster from time to time. Cluster B is "part-managed" by the admin on
> cluster A, who only provides tools for maintaining a consistent UID space
> with cluster A.
>
> In this scenario, what can be done to prevent untrusted root-privileged
> users on cluster B from creating local users with a UID matching one in
> cluster A and thus reading their data?
>
> Ideally, I want to remap all remote UIDs *except* a small subset which I
> might trust. Any thoughts?
>
> Cheers,
> Luke.
>
> --
>
> Luke Raimbach
> IT Manager
> Oxford e-Research Centre
> 7 Keble Road,
> Oxford,
> OX1 3QG
>
> +44(0)1865 610639
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at gpfsug.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
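To make the gap in the thread concrete, here is an added Python model (not GPFS code and not from either poster) of the two remapping policies Luke contrasts: the current "remap only UID/GID 0 to 99" and the wished-for "remap every remote id except a trusted allowlist", each followed by a plain owner/group/other mode check. The UIDs, the trusted set and the file are constructed values.

```python
# Added example: models the credential a remote (cluster B) user ends up with
# on cluster A's file system under two remapping policies, then applies a
# plain mode-bits read check. All ids below are constructed for illustration.
from dataclasses import dataclass

NOBODY = 99                    # the "squashed" id used in the thread
CLUSTER_A_RANGE = 850_000_000  # cluster A ids start here (IMU mapping)

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int

def remap_root_only(c: Cred) -> Cred:
    """Current policy: only UID/GID 0 is squashed; every other id passes through."""
    return Cred(NOBODY if c.uid == 0 else c.uid, NOBODY if c.gid == 0 else c.gid)

def remap_except_trusted(c: Cred, trusted_uids: frozenset[int]) -> Cred:
    """Desired policy: every remote id is squashed unless explicitly trusted."""
    if c.uid in trusted_uids and c.uid != 0:
        return c
    return Cred(NOBODY, NOBODY)

def may_read(c: Cred, owner: int, group: int, mode: int) -> bool:
    """Owner/group/other read check against a mode such as 0o600."""
    if c.uid == owner:
        return bool(mode & 0o400)
    if c.gid == group:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

# Constructed scenario: a cluster A user's private file, mode 0600.
ALICE = CLUSTER_A_RANGE + 1
ALICE_FILE = dict(owner=ALICE, group=ALICE, mode=0o600)

# A root user on cluster B creates a local account carrying Alice's UID.
impostor = Cred(uid=ALICE, gid=ALICE)

def exposure(trusted_uids: frozenset[int]) -> dict[str, bool]:
    """Can the colliding-UID account read Alice's file under each policy?"""
    return {
        "root_only": may_read(remap_root_only(impostor), **ALICE_FILE),
        "allowlist": may_read(remap_except_trusted(impostor, trusted_uids), **ALICE_FILE),
    }

if __name__ == "__main__":
    print(exposure(frozenset({CLUSTER_A_RANGE + 7})))  # {'root_only': True, 'allowlist': False}
```

The allowlist only closes the hole for ids outside the trusted subset: put Alice's own UID in `trusted_uids` and the colliding account reads the file again, which is why the subset has to stay small.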
