[gpfsug-discuss] multicluster security

Aaron Knister aaron.s.knister at nasa.gov
Fri Sep 8 22:14:04 BST 2017


Interesting! Thank you for the explanation.

This makes me wish GPFS had a client access model that more closely
mimicked parallel NAS, specifically for this reason. That then got me
wondering about pNFS support. I've not been able to find much about that
but in theory Ganesha supports pNFS. Does anyone know of successful pNFS
testing with GPFS and if so how one would set up such a thing?

-Aaron

On 08/25/2017 06:41 PM, IBM Spectrum Scale wrote:
>
> Hi Aaron,
>
> If cluster A uses the mmauth command to grant a file system read-only
> access to a remote cluster B, nodes on cluster B can only mount that
> file system with read-only access. But the only checking being done at
> the RPC level is the TLS authentication. This should prevent non-root
> users from initiating RPCs, since TLS authentication requires access
> to the local cluster's private key. However, a root user on cluster B,
> having access to cluster B's private key, might be able to craft RPCs
> that may allow one to work around the checks which are implemented at
> the file system level.
>
> Regards, The Spectrum Scale (GPFS) team
>
> ------------------------------------------------------------------------------------------------------------------
> If you feel that your question can benefit other users of Spectrum
> Scale (GPFS), then please post it to the public IBM developerWorks
> Forum at
> https://www.ibm.com/developerworks/community/forums/html/forum?id=11111111-0000-0000-0000-000000000479.
>
>
> If your query concerns a potential software error in Spectrum Scale
> (GPFS) and you have an IBM software maintenance contract please
> contact 1-800-237-5511 in the United States or your local IBM Service
> Center in other countries.
>
> The forum is informally monitored as time permits and should not be
> used for priority messages to the Spectrum Scale (GPFS) team.
>
>
> From: Aaron Knister <aaron.s.knister at nasa.gov>
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Date: 08/21/2017 11:04 PM
> Subject: [gpfsug-discuss] multicluster security
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
>
> ------------------------------------------------------------------------
>
> Hi Everyone,
>
> I have a theoretical question about GPFS multiclusters and security.
> Let's say I have clusters A and B. Cluster A is exporting a filesystem
> as read-only to cluster B.
>
> Where does the authorization burden lie? Meaning, does the security rely
> on mmfsd in cluster B to behave itself and enforce the conditions of the
> multi-cluster export? Could someone using the credentials on a
> compromised node in cluster B just start sending arbitrary nsd
> read/write commands to the nsds from cluster A (or something along those
> lines)? Do the NSD servers in cluster A do any sort of sanity or
> security checking on the I/O requests coming from cluster B to the NSDs
> they're serving to exported filesystems?
>
> I imagine any enforcement would go out the window with shared disks in a
> multi-cluster environment since a compromised node could just "dd" over
> the LUNs.
>
> Thanks!
>
> -Aaron
>
> -- 
> Aaron Knister
> NASA Center for Climate Simulation (Code 606.2)
> Goddard Space Flight Center
> (301) 286-2776
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
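A grant-audit check in the spirit of the Spectrum Scale reply above, as an added example that is not part of this thread or of Spectrum Scale's own tooling: since a read-only grant is enforced by the remote cluster's daemon, the set of clusters granted any access is the trust boundary worth reviewing. It assumes an approximate `mmauth show all` layout (constructed sample inside the script) and uses hypothetical function names.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): list the remote-cluster grants
# recorded on the file-system-owning cluster (cluster A in the thread). Per the
# Spectrum Scale reply, an "ro" grant is enforced by the remote cluster's own
# daemon, so the set of clusters granted any access is the real trust boundary.
# Assumption: the layout below approximates `mmauth show all` output; check it
# against your own cluster before relying on this parser.

# Constructed sample (not real cluster output).
SAMPLE_MMAUTH_OUTPUT='Cluster name:        clusterA.example.com (this cluster)
Cipher list:         AES128-SHA256
SHA digest:          aa11bb22
File system access:  (all rw)

Cluster name:        clusterB.example.com
Cipher list:         AES128-SHA256
SHA digest:          cc33dd44
File system access:  gpfs1 (ro)

Cluster name:        clusterC.example.com
Cipher list:         AUTHONLY
SHA digest:          ee55ff66
File system access:  gpfs1 (rw)
                     gpfs2 (ro)'

# Emit one "cluster filesystem mode cipher" line per grant to a remote cluster,
# skipping the local cluster's own "(all rw)" entry.
list_remote_grants() {
    printf '%s\n' "$1" | awk '
        /^Cluster name:/ { cluster = $3; local = ($0 ~ /\(this cluster\)/); inacc = 0; next }
        /^Cipher list:/  { cipher = $3; next }
        /^File system access:/ { inacc = 1; sub(/^File system access:[ \t]*/, "") }
        inacc && NF == 0 { inacc = 0; next }   # blank line ends the access list
        inacc && !local  { mode = $2; gsub(/[()]/, "", mode); print cluster, $1, mode, cipher }
    '
}

# Grants that give a remote cluster write access: the ones to review most closely.
rw_grants() {
    list_remote_grants "$1" | awk '$3 == "rw"'
}

# Grants to clusters whose cipher list is AUTHONLY (authentication only, no encryption).
authonly_grants() {
    list_remote_grants "$1" | awk '$4 == "AUTHONLY"'
}

list_remote_grants "$SAMPLE_MMAUTH_OUTPUT"
rw_grants "$SAMPLE_MMAUTH_OUTPUT"
```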
