1 #LyX 1.3 created this file. For more info see http://www.lyx.org/
15 \use_numerical_citations 0
16 \paperorientation portrait
19 \paragraph_separation skip
21 \quotes_language english
25 \paperpagestyle default
29 High Level Design of Cient-OSS Connection
41 Establish gss connections between clients and OSS.
44 Establish gss connections between servers.
47 Functional Specification
50 In Lustre system, there are several kinds of connections and security options
51 can be chosen separately:
54 between client and MDS's
57 between client and OSS's
63 between MDS's and OSS's
66 Currently we are able to establish secure connections between the client
67 and MDS's, simply by adding a mount parameter 'sec=sec_flavor', here sec_flavor
68 could be 'krb5i' or 'krb5p' for this moment.
69 Now we also need the secure connections between client and OSS's also be
70 an option, to prepare for the coming object security features.
71 So the original mount option 'sec' will be break into 2 options: 'mds_sec'
75 mount.lustre should be able to recognize options 'mds_sec=sec_flavor' and
79 lmt should be able to add 'mds_sec' and 'oss_sec' into xml file and recognizable
81 And lconf should be able to write this info into config log with option
85 Usually we consider MDS and OSS are trusted nodes, but networks are normally
87 So connections of MDS <=> MDS and MDS <=> OSS must be secure in most cases.
88 We should also provide security on connections between servers.
91 For inter MDS's and MDS's to OSS's, We provide options for lconf and lmt,
92 just like client <=> OSS's case:
95 lconf should be able to recognize options '--inter_mds_sec=sec_flavor' and
96 '--mds_oss_sec=sec_flavor'.
99 lmt should be able to add 'inter_mds_sec' and 'mds_oss_sec' into xml file
100 and recognizable by lconf.
103 Servers will have options to accept only certain types of connections.
104 When setup OSS/MDS via lconf, option '--deny_sec=sec_flavor[,sec_flavor...]'
105 should be recognized and notify OSS/MDS kernel.
106 Currently sec_flavor could be 'null', 'krb5i', or 'krb5p'.
109 Maybe privacy connections to the OSS servers are only needed from the MDS,
110 since there will be no secret transfer between OSS and client.
111 And if we in the future support mixed security type in single security
112 context, then integrity type might be enough for most cases.
113 But anyway we provide the flexibility here.
119 Mount lustre at client
122 Sysadmin add options into config: lmt --mds_sec krb5p --oss_sec krb5i config.xml.
123 And setup OSS/MDS ready.
126 User mount lustre by 'mount -t lustre server:/mds1/client /mnt/lustre'
129 Connections to MDS's are privacy protected, connections to OSS's are integrity
136 User mount lustre by 'mount -t lustre -o mds_sec=krb5i,oss_sec=krb5p server:/mds
137 1/client /mnt/lustre'
140 Connections to MDS's are integrity protected, connections to OSS's are privacy
147 User mount lustre by 'mount -t lustre -o mds_sec=krb5p,oss_sec=krb5p server:/mds
151 Connections to all MDS's and OSS's are privacy protected.
157 Sysadmin add options into config: lmt --inter_mds_sec krb5p --mds_oss_sec
161 Sysadmin start mds by: lconf --node mds config.xml.
164 Connections between MDS's and MDS's to OSS's are privacy protected.
170 Sysadmin start mds again by: lconf --node mds --inter_mds_sec=krb5i --mds_oss_se
174 Connections between MDS's are integrity protected, while MDS's to OSS's
175 are privacy protected.
178 Deny certain type of connection
181 Sysadmin start OSS's by 'lconf --node ost1 --deny_sec=null config.xml'
184 Sysadmin start MDS's by 'lconf --node mds1 --mds_oss_sec=null config.xml',
185 setup will fail because OST reject connection from MDS's.
188 Sysadmin start MDS's by 'lconf --node mds1 --deny_sec=null --mds_oss_sec=krb5i
189 config.xml', will succeed.
192 Client mount by 'mount -t lustre -o mds_sec=null server:/mds1/client /mnt/lustre
193 ' or 'mount -t lustre -o oss_sec=null server:/mds1/client /mnt/lustre' will
194 fail because either MDS's or OSS's will reject connection.
197 Client mount by 'mount -t lustre -o mds_sec=krb5i,oss_sec=krb5i server:/mds1/cli
198 ent /mnt/lustre' will succeed.
204 With Kerberos, each service provider needs a service principal, and a correspond
205 ing service key installed.
206 Usually the principal is bound to certain host for security.
207 For example, currently lustre service principal is 'lustre/hostname@REALM'.
208 While in clustered MDS case, we should use single principal for all MDS's,
209 to minimize the administrator burden.
210 It should be 'lustre@REALM' for all MDS's.
211 Now we should break 'lustre@REALM' into 2 principals: 'mds@REALM' for MDS
212 and 'oss@REALM' for OSS.
213 All MDS's will be installed service key of 'mds@REALM', while all OSS's
214 will be installed service key of 'oss@REALM'.
217 If MDS <=> MDS or MDS <=> OSS security is used, we also need start client
218 gss daemon (lgssd) on MDS's at proper time.
219 This needs to be incorporated into test scripts.
222 The interaction between kernel gss module and lgssd need some modification,
223 which need to be notified the target service type (i.e.
224 mds or oss) to issue the correct gss request.
227 Integrating security flavor setting into MDS's startup procedure and client's
228 mount procedure needs to be integrated into the MDS startup configuration
233 Additionally the MDS and OSS should have configuration options that provide
234 information on what kind of connections to accept.
241 MDS nodes need run lgssd if gss is active on any inter-server connections.
244 No disk format change.
245 No special recovery consideration.
257 Are there more clean design/divide on those new options?