[gpfsug-discuss] GPFS and Community Scientific Cloud
Simon Thompson (Research Computing - IT Services)
S.J.Thompson at bham.ac.uk
Mon Jul 27 22:24:11 BST 2015
Hi Ulf,
Thanks for the email, as suggested, I'm copying this to the GPFS UG
mailing list as well as I'm sure the discussion is of interest to others.
I guess what we're looking to do is to have arbitrary VMs running provided
by users (I.e. Completely untrusted), but to provide them a way to get
secure access to only their data.
Right now we can't give them a GPFS client as this is too trusting, I was
wondering how easy it would be for us to implement something like:
User has a VM
User runs 'kinit user at DOMAIN' to gain kerberos ticket and can then
securely gain access to only their files from my NFS server.
I also mentioned Janet ASSENT, which is a relatively recent project:
https://jisc.ac.uk/assent
(It was piloted as Janet Moonshot).
Which builds on top of SAML to provide other software access to
federation. My understanding is that site-specific UID mapping is needed
(e.g. On the NFS/GPFS server).
Simon
>I have some experience with the following questions:
>
>> NFS just isn¹t built for security really. I guess NFSv4 with KRB5 is
>> one option to look at, with user based credentials. That might just
>> about be feasible if the user were do authenticate with kinit before
>> being able to access NFSv4 mounted files. I.e. Its done at the user
>> level rather than the instance level. That might be an interesting
>> project as a feasibility study to look at, will it work? How would
>> we integrate into a federated access management system (something
>> like UK Federation and ABFAB/Moonshot/Assent maybe?). Could we
>> provide easy steps for a user in a VM to follow? Can we even make it
>> work with Ganesha in such an environment?
>
>
>Kerberized NFSv3 and Kerberized NFSv4 provide nearly the same level of
>security. Kerberos makes the difference and not the NFS version. I have
>posted some background information to the GPFS forum:
>http://ibm.co/1VFLUR4
>
>Kerberized NFSv4 has the advantage that it allows different UID/GID ranges
>on NFS server and NFS client. I have led a proof-of-concept where we have
>used this feature to provide secure data access to personalized patient
>data for multiple tenants where the tenants had conflicting UID/GID
>ranges.
>I have some material which I will share via the GPFS forum.
>
>UK Federation seems to be based on SAML/Shibboleth. Unfortunately there is
>no easy integration of network file protocols such as NFS and SMB and
>SAML/Shibboleth, because file protocols require attributes which are
>typically not stored in SAML/Shibboleth. Fortunately I provided technical
>guidance to a customer who exactly implemented this integration in order
>to
>provide secure file service to multiple universities, again with
>conflicting UID/GID ranges. I need some time to write it up and publish
>it.
More information about the gpfsug-discuss
mailing list