Hi Ulf,

Thanks for the email. As suggested, I'm copying this to the GPFS UG mailing list as well, as I'm sure the discussion is of interest to others.

I guess what we're looking to do is to have arbitrary VMs running provided by users (i.e. completely untrusted), but to provide them a way to get secure access to only their data. Right now we can't give them a GPFS client as this is too trusting. I was wondering how easy it would be for us to implement something like:

User has a VM
User runs 'kinit user@DOMAIN' to gain Kerberos ticket and can then securely gain access to only their files from my NFS server.

I also mentioned Janet ASSENT, which is a relatively recent project: https://jisc.ac.uk/assent (it was piloted as Janet Moonshot), which builds on top of SAML to provide other software access to federation. My understanding is that site-specific UID mapping is needed (e.g. on the NFS/GPFS server).

Simon

> I have some experience with the following questions:
>
>> NFS just isn't built for security really. I guess NFSv4 with KRB5 is
>> one option to look at, with user based credentials. That might just
>> about be feasible if the user were to authenticate with kinit before
>> being able to access NFSv4 mounted files. i.e. it's done at the user
>> level rather than the instance level. That might be an interesting
>> project as a feasibility study to look at, will it work? How would
>> we integrate into a federated access management system (something
>> like UK Federation and ABFAB/Moonshot/Assent maybe?). Could we
>> provide easy steps for a user in a VM to follow? Can we even make it
>> work with Ganesha in such an environment?
>
> Kerberized NFSv3 and Kerberized NFSv4 provide nearly the same level of
> security. Kerberos makes the difference and not the NFS version. I have
> posted some background information to the GPFS forum:
> http://ibm.co/1VFLUR4
>
> Kerberized NFSv4 has the advantage that it allows different UID/GID ranges
> on NFS server and NFS client. I have led a proof-of-concept where we have
> used this feature to provide secure data access to personalized patient
> data for multiple tenants where the tenants had conflicting UID/GID
> ranges.
> I have some material which I will share via the GPFS forum.
>
> UK Federation seems to be based on SAML/Shibboleth. Unfortunately there is
> no easy integration of network file protocols such as NFS and SMB and
> SAML/Shibboleth, because file protocols require attributes which are
> typically not stored in SAML/Shibboleth. Fortunately I provided technical
> guidance to a customer who exactly implemented this integration in order
> to provide secure file service to multiple universities, again with
> conflicting UID/GID ranges. I need some time to write it up and publish
> it.
