[gpfsug-discuss] GPFS and Community Scientific Cloud

Ulf Troppens TROPPENS at de.ibm.com
Wed Jul 29 09:02:59 BST 2015 

Hi Simon,

I have started to draft a response, but it gets longer and longer. I need
some more time to respond.

Best regards,
Ulf.

--
IBM Spectrum Scale Development - Client Engagements & Solutions Delivery
Consulting IT Specialist
Author "Storage Networks Explained"

IBM Deutschland Research & Development GmbH
Vorsitzende des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart,
HRB 243294




From:	"Simon Thompson (Research Computing - IT Services)"
            <S.J.Thompson at bham.ac.uk>
To:	gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Date:	27.07.2015 23:24
Subject:	Re: [gpfsug-discuss] GPFS and Community Scientific Cloud
Sent by:	gpfsug-discuss-bounces at gpfsug.org



Hi Ulf,

Thanks for the email, as suggested, I'm copying this to the GPFS UG
mailing list as well as I'm sure the discussion is of interest to others.

I guess what we're looking to do is to have arbitrary VMs running provided
by users (I.e. Completely untrusted), but to provide them a way to get
secure access to only their data.

Right now we can't give them a GPFS client as this is too trusting, I was
wondering how easy it would be for us to implement something like:

User has a VM
User runs 'kinit user at DOMAIN' to gain kerberos ticket and can then
securely gain access to only their files from my NFS server.

I also mentioned Janet ASSENT, which is a relatively recent project:
https://jisc.ac.uk/assent

(It was piloted as Janet Moonshot).

Which builds on top of SAML to provide other software access to
federation. My understanding is that site-specific UID mapping is needed
(e.g. On the NFS/GPFS server).

Simon


>I have some experience with the following questions:
>
>> NFS just isn¹t built for security really. I guess NFSv4 with KRB5 is
>> one option to look at, with user based credentials. That might just
>> about be feasible if the user were do authenticate with kinit before
>> being able to access NFSv4 mounted files. I.e. Its done at the user
>> level rather than the instance level. That might be an interesting
>> project as a feasibility study to look at, will it work? How would
>> we integrate into a federated access management system (something
>> like UK Federation and ABFAB/Moonshot/Assent maybe?). Could we
>> provide easy steps for a user in a VM to follow? Can we even make it
>> work with Ganesha in such an environment?
>
>
>Kerberized NFSv3 and Kerberized NFSv4 provide nearly the same level of
>security. Kerberos makes the difference and not the NFS version. I have
>posted some background information to the GPFS forum:
>http://ibm.co/1VFLUR4
>
>Kerberized NFSv4 has the advantage that it allows different UID/GID ranges
>on NFS server and NFS client. I have led a proof-of-concept where we have
>used this feature to provide secure data access to personalized patient
>data for multiple tenants where the tenants had conflicting UID/GID
>ranges.
>I have some material which I will share via the GPFS forum.
>
>UK Federation seems to be based on SAML/Shibboleth. Unfortunately there is
>no easy integration of network file protocols such as NFS and SMB and
>SAML/Shibboleth, because file protocols require attributes which are
>typically not stored in SAML/Shibboleth. Fortunately I provided technical
>guidance to a customer who exactly implemented this integration in order
>to
>provide secure file service to multiple universities, again with
>conflicting UID/GID ranges. I need some time to write it up and publish
>it.

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss

More information about the gpfsug-discuss mailing list