
List:       lustre-discuss
Subject:    [Lustre-discuss] Block clients from mounting a Lustre filesystem
From:       Nicolas.Williams () sun ! com (Nicolas Williams)
Date:       2009-07-27 20:08:36
Message-ID: 20090727200836.GE1020 () Sun ! COM

On Mon, Jul 27, 2009 at 01:53:02PM -0600, Andreas Dilger wrote:
> On Jul 27, 2009  12:01 +0200, Arne Wiebalck wrote:
> > with versions <= 1.8.0.1 is there a more elegant way of blocking
> > clients from mounting a Lustre fs than configuring IP tables accordingly?
> 
> I don't think there is any other easy way to do this.  I believe LLNL
> had a patch to essentially implement xinetd-like allow/deny inside the
> LNET code, but I don't think it was merged.

It'd be nice to have a way to evict clients at any time and stop them
from re-connecting.  Client addresses don't mean much; some time after a
client is banned some other client may replace it and use the same
address.  This argues for a UI (and API) that allows one to ban/un-ban
addresses.

> > Is it correct that with versions >= 2.0 Kerberos will deliver this
> > 'functionality' as I can enforce the client to authenticate (which
> > it can't if I refused to give it a keytab in the first place)?
> 
> Right, though Kerberos will not yet be a supported feature in 2.0.

Client principal names are a lot more meaningful than client addresses,
so being able to blacklist clients by principal name is a lot more
useful than blacklisting them by address.  But you'd still want this to
be a function of the Lustre servers, not a function of denying Kerberos
credentials to clients.

Nico
-- 

