[gpfsug-discuss] Multicluster UID Mapping

Lindsay Todd rltodd.ml1 at gmail.com
Mon Jul 14 19:45:22 BST 2014


Luke,

Without fully knowing your use case...  If your data partitions so that
cluster B users only need a subset of the file system, such that it
doesn't matter if they read anything on it, and the remainder can be kept
completely away from them, then a possibility is to have two file systems
on cluster A, only one of which is exported to B.  (For example, we have a
general user file system going to all clusters, as well as a smaller file
system of VM images restricted to hypervisors only.)

The lack of user authentication (such as found in AFS) has handicapped our
use of GPFS.  With not completely trusted users (we provide general HPC
compute services), someone with a privilege escalation exploit can own the
file system, and GPFS provides no defense against this.  I am hoping that
maybe native encryption can be bent to provide better protection, but I
haven't had the opportunity to explore this yet.

/Lindsay


On Mon, Jul 14, 2014 at 3:26 AM, Luke Raimbach <luke.raimbach at oerc.ox.ac.uk>
wrote:

> Dear GPFS Experts,
>
> I have two clusters, A and B where cluster A owns file system GPFS and
> cluster B owns no file systems.
>
> Cluster A is mixed Linux/Windows and has IMU keeping consistent UID/GID
> maps between Windows and Linux environments, resulting in a very high ID
> range (typically both UID/GID starting at 850000000).
>
> Cluster B remote mounts file system GPFS with UID/GID=0 remapped to 99.
> This is fine for preventing remote root access to file system GPFS.
> However, cluster B may have untrusted users who have root privileges on
> that cluster from time-to-time. Cluster B is "part-managed" by the admin on
> cluster A, who only provides tools for maintaining a consistent UID space
> with cluster A.
>
> In this scenario, what can be done to prevent untrusted root-privileged
> users on cluster B from creating local users with a UID matching one in
> cluster A and thus reading their data?
>
> Ideally, I want to remap all remote UIDs *except* a small subset which I
> might trust. Any thoughts?
>
> Cheers,
> Luke.
>
> --
>
> Luke Raimbach
> IT Manager
> Oxford e-Research Centre
> 7 Keble Road,
> Oxford,
> OX1 3QG
>
> +44(0)1865 610639