[gpfsug-discuss] Multicluster UID Mapping

Orlando Richards orlando.richards at ed.ac.uk
Mon Jul 14 15:11:48 BST 2014



On 14/07/14 08:26, Luke Raimbach wrote:
> Dear GPFS Experts,
>
> I have two clusters, A and B where cluster A owns file system GPFS and cluster B owns no file systems.
>
> Cluster A is mixed Linux/Windows and has IMU keeping consistent UID/GID maps between Windows and Linux environment resulting in a very high ID range (typically both UID/GID starting at 850000000).
>
> Cluster B remote mounts file system GPFS with UID/GID=0 remapped to 99. This is fine for preventing remote root access to file system GPFS. However, cluster B may have untrusted users who have root privileges on that cluster from time to time. Cluster B is "part-managed" by the admin on cluster A, who only provides tools for maintaining a consistent UID space with cluster A.
>
> In this scenario, what can be done to prevent untrusted root-privileged users on cluster B from creating local users with a UID matching one in cluster A and thus reading their data?
>
> Ideally, I want to remap all remote UIDs *except* a small subset which I might trust. Any thoughts?
>

I'm not aware of any easy way to accommodate this. GPFS has 
machine-based authentication and authorisation, but not user-based. A 
bit like NFSv3, but with "proper" machine auth at least. This has 
stopped us exporting GPFS file systems outside a management domain - 
except where the file system is built solely for that purpose.

You could look at GPFS native encryption, which should allow you to 
share keys between the clusters for specific areas - but that'd be a 
heavyweight fix.

Failing that - you could drop GPFS and use something else to cross 
export specific areas (NFS, etc). You could possibly look at pNFS to 
make that slightly less disappointing...


> Cheers,
> Luke.
>
> --
>
> Luke Raimbach
> IT Manager
> Oxford e-Research Centre
> 7 Keble Road,
> Oxford,
> OX1 3QG
>
> +44(0)1865 610639
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at gpfsug.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>

-- 
--
Dr Orlando Richards
Research Facilities (ECDF) Systems Leader
Information Services
IT Infrastructure Division
Tel: 0131 650 4994
skype: orlando.richards

The University of Edinburgh is a charitable body, registered in 
Scotland, with registration number SC005336.
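The risk Luke describes above is that a local root on cluster B can create an account whose UID lands in cluster A's IMU-managed range and thereby read data the remote mount exposes. Since GPFS remaps only UID/GID 0, one thing the cluster A admin's "tools for maintaining a consistent UID space" could include is a periodic audit of cluster B's local account database. The following is an added example written for this reply and is not part of the thread or of GPFS; it parses /etc/passwd-style lines, flags UIDs that fall inside cluster A's reserved range but are not in an explicitly trusted subset, and also flags extra UID-0 accounts and duplicate UIDs. The reserved range start (850000000) comes from the thread; the upper bound, the sample passwd lines and the trusted set are constructed assumptions for the example.

```python
"""Audit a remote-mounting cluster's local accounts for UID collisions with
the file-system-owning cluster's ID range. Added example, not from the thread."""
from collections import Counter
from dataclasses import dataclass

RESERVED_START = 850_000_000   # from the thread: IMU-managed IDs start here
RESERVED_END = 900_000_000     # assumption: upper bound chosen for this example


@dataclass(frozen=True)
class Finding:
    name: str
    uid: int
    reason: str


def parse_passwd(text):
    """Parse /etc/passwd-style text into (name, uid) tuples.

    Blank lines, comments and malformed lines are skipped rather than
    raising, so a partially corrupted file still yields an audit."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        try:
            entries.append((fields[0], int(fields[2])))
        except ValueError:
            continue
    return entries


def audit_uids(entries, trusted_uids=frozenset(),
               reserved=(RESERVED_START, RESERVED_END)):
    """Return findings for accounts that could impersonate cluster A users.

    - any account other than 'root' with UID 0 (GPFS remaps 0, but it is
      still an unexpected local root);
    - any UID inside the reserved range that is not in the trusted subset;
    - any UID shared by more than one local account."""
    lo, hi = reserved
    findings = []
    for name, uid in entries:
        if uid == 0 and name != "root":
            findings.append(Finding(name, uid, "extra uid 0 account"))
        if lo <= uid < hi and uid not in trusted_uids:
            findings.append(Finding(name, uid, "uid in reserved range, not trusted"))
    counts = Counter(uid for _, uid in entries)
    for name, uid in entries:
        if counts[uid] > 1 and uid != 0:
            findings.append(Finding(name, uid, "duplicate uid"))
    return findings


# Constructed sample passwd content for cluster B (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:850000123:850000123:Alice (trusted):/home/alice:/bin/bash
mallory:x:850000456:850000456:locally created:/home/mallory:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash
carol:x:1001:1001:carol:/home/carol:/bin/bash
broken line without fields
"""

# Constructed trusted subset: the "small subset which I might trust".
TRUSTED = frozenset({850_000_123})


def audit_sample():
    """Run the audit over the constructed sample and return the findings."""
    return audit_uids(parse_passwd(SAMPLE_PASSWD), TRUSTED)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name}\tuid={f.uid}\t{f.reason}")
```

In practice the same check would be run against /etc/group for GIDs and against whatever directory cluster B's users actually resolve through, and the findings shipped to the cluster A admin rather than left on a host where local root can silence them. It does not stop the collision, only makes it visible, which is about all that is available short of the encryption or NFS re-export options mentioned above.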


