Re: CDS blueprint: strong auth for cephfs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 14, 2013 at 12:30 PM, Arne Wiebalck <Arne.Wiebalck@xxxxxxx> wrote:
>
> On Nov 14, 2013, at 5:37 PM, Gregory Farnum <greg@xxxxxxxxxxx>
>  wrote:
>
>> On Thu, Nov 14, 2013 at 8:21 AM, Dan van der Ster <dan@xxxxxxxxxxxxxx> wrote:
>>> On Thu, Nov 14, 2013 at 4:55 PM, Gregory Farnum <greg@xxxxxxxxxxx> wrote:
>>>> Ah, I hadn't gotten that from skimming the blueprint. So this isn't
>>>> just about hooking into Kerberos when we do a mount, you want to
>>>> dynamically retrieve different caps from the monitors as users log on,
>>>> and have that single client choose between them based on who's making
>>>> the request?
>>>
>>> In our proposal the "additional capabilities" (which allow IOs with a
>>> particular file/object) are encrypted and sent by the MDS to the
>>> client who passes it on to the OSD for object IOs.
>>
>> I'm confused; if two different people are using the same client mount,
>> the MDS can't distinguish between them unless the client is
>> cooperating. Isn't that what you were saying it needs to do?
>
> It's the "who passes it on" which created the confusion? This was to say that
> the client kernel module can't decrypt the additional capability (as it does not
> have the corresponding key). That does however not mean that the MDS or
> the CephFS client module can't distinguish between users as all communication
> is done using session keys. That's at least how I understood it :)

Yeah, this sequence is what I'm confused about. As I understand it,
you're going to have an existing client with existing sessions to the
monitor and MDS, and then a user is going to log in and the client is
going to add additional keys to the monitor session, and then switch
back and forth between each user's tickets for different messages to
the MDS? And the MDS will send back "data access" tickets which the
client will further switch between for each OSD op?
-Greg
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [CEPH Users]     [Ceph Large]     [Information on CEPH]     [Linux BTRFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]
  Powered by Linux