path: root/Feature Planning/GlusterFS 3.7/Exports and Netgroups Authentication.md
blob: 03b43f0066773faa26ba3bafececb45b96e1a4a4 (plain)
Feature
-------

Exports and Netgroups Authentication for NFS

Summary
-------

This feature adds Linux-style exports & netgroups authentication to
Gluster's NFS server. More specifically, this feature allows you to
restrict access to specific clients & netgroups for both Gluster volumes
and subdirectories within Gluster volumes.

Owners
------

Shreyas Siravara  
Richard Wareing

Current Status
--------------

Today, Gluster can restrict access to volumes only through a simple IP list.
This feature makes that capability more scalable by allowing large lists
of IPs to be managed through a netgroup. It also allows more granular
permission handling on volumes.

Related Feature Requests and Bugs
---------------------------------

-   [Bug 1143880](https://bugzilla.redhat.com/1143880): Exports and
    Netgroups Authentication for Gluster NFS mount

Patches ([Gerrit
link](http://review.gluster.org/#/q/project:glusterfs+branch:master+topic:bug-1143880,n,z)):

-   [\#1](http://review.gluster.org/9359): core: add generic parser
    utility
-   [\#2](http://review.gluster.org/9360): nfs: add structures and
    functions for parsing netgroups
-   [\#3](http://review.gluster.org/9361): nfs: add support for separate
    'exports' file
-   [\#4](http://review.gluster.org/9362): nfs: more fine grained
    authentication for the MOUNT protocol
-   [\#5](http://review.gluster.org/9363): nfs: add auth-cache for the
    MOUNT protocol
-   [\#6](http://review.gluster.org/8758): gNFS: Export / Netgroup
    authentication on Gluster NFS mount
-   [\#7](http://review.gluster.org/9364): glusterd: add new NFS options
    for exports/netgroups and related caching
-   [\#8](http://review.gluster.org/9365): glusterfsd: add
    "print-netgroups" and "print-exports" command

Detailed Description
--------------------

This feature allows users to restrict access to Gluster volumes (and
subdirectories within a volume) to specific IPs (exports authentication)
or a netgroup (netgroups authentication), or a combination of both.

Benefit to GlusterFS
--------------------

This is a scalable security model and allows more granular permissions.

Scope
-----

### Nature of proposed change

This change modifies the NFS server code and the mount daemon code. It
adds two parsers for the exports & netgroups files as well as some files
relating to caching to improve performance.

### Implications on manageability

The authentication can be turned off with a simple volume setting
('gluster vol set <VOLNAME> nfs.exports-auth-enable off'). The feature
has a few tunable parameters (for example, how long authorizations are
cached) that are set through the CLI interface.

### Implications on presentation layer

Adds per-fileop authentication to the NFS server. No other elements of
the presentation layer are affected.

### Implications on persistence layer

No implications.

### Implications on 'GlusterFS' backend

No implications.

### Modification to GlusterFS metadata

No modifications.

### Implications on 'glusterd'

Adds a few configuration options to NFS to tweak the authentication
model.

How To Test
-----------

Restrict some volume in the exports file to some IP, turn on the
authentication through the Gluster CLI and see mounts/file-operations
denied (or authorized depending on your setup).
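As an added illustration of the model described under "Detailed Description" and of what the test above exercises, the following Python (not code from the GlusterFS project) models the authorization decision: it parses a Linux-style exports file and a netgroups file, flattens nested netgroups, and decides whether a client address may access a volume or subdirectory. The file contents, addresses and netgroup names are constructed for the example. Two behaviours are assumptions following Linux exportfs semantics rather than anything the page states: the most specific (longest) exported path prefix wins, and the host field of a netgroup triple is matched literally against the client's address.

```python
import ipaddress
import re

# Constructed sample exports file. Syntax follows /etc/exports:
#   <path> <client>(<options>) <client>(<options>) ...
# where <client> is an IP, a CIDR block, or @<netgroup>.
EXPORTS_TEXT = """
# whole volume: one subnet read-write, the "admins" netgroup read-write
/testvol 10.0.0.0/24(rw) @admins(rw)
# a subdirectory with a tighter rule: a single host, read-only
/testvol/finance 10.0.0.5(ro)
"""

# Constructed sample netgroups file. Members are (host,user,domain)
# triples; a bare name nests another netgroup.
NETGROUPS_TEXT = """
admins (192.168.1.10,,) (192.168.1.11,,)
staff admins (192.168.1.20,,)
"""

ENTRY_RE = re.compile(r'^(?P<client>[^()\s]+)(?:\((?P<opts>[^)]*)\))?$')


def parse_netgroups(text):
    """Return {name: (set_of_hosts, set_of_nested_group_names)}."""
    groups = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        name, *members = line.split()
        hosts, nested = set(), set()
        for member in members:
            if member.startswith('('):
                host = member.strip('()').split(',')[0]  # host field of the triple
                if host:
                    hosts.add(host)
            else:
                nested.add(member)
        groups[name] = (hosts, nested)
    return groups


def netgroup_hosts(groups, name, _seen=None):
    """Flatten a netgroup, following nested groups and tolerating cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return set()
    _seen.add(name)
    hosts, nested = groups[name]
    result = set(hosts)
    for child in nested:
        result |= netgroup_hosts(groups, child, _seen)
    return result


def parse_exports(text):
    """Return {exported_path: [(client_spec, options), ...]}."""
    exports = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        rules = []
        for entry in entries:
            match = ENTRY_RE.match(entry)
            if not match:
                raise ValueError("bad export entry: %r" % entry)
            opts = match.group('opts') or 'ro'  # exportfs defaults to read-only
            rules.append((match.group('client'), opts))
        exports[path.rstrip('/') or '/'] = rules
    return exports


def client_matches(client_spec, client_ip, groups):
    """True if client_ip is covered by an IP, CIDR or @netgroup spec."""
    if client_spec.startswith('@'):
        return client_ip in netgroup_hosts(groups, client_spec[1:])
    if '/' in client_spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(client_spec, strict=False)
    return client_spec == client_ip


def authorize(exports, groups, client_ip, path):
    """Return the options granted to client_ip for path, or None if denied.

    The longest exported prefix of path is the rule that applies (assumption:
    Linux exportfs semantics for overlapping subdirectory exports)."""
    path = path.rstrip('/') or '/'
    candidates = [p for p in exports if path == p or path.startswith(p + '/')]
    if not candidates:
        return None  # nothing exported covers this path
    best = max(candidates, key=len)
    for spec, opts in exports[best]:
        if client_matches(spec, client_ip, groups):
            return opts
    return None


if __name__ == '__main__':
    exports = parse_exports(EXPORTS_TEXT)
    groups = parse_netgroups(NETGROUPS_TEXT)
    for ip, path in [('10.0.0.9', '/testvol'), ('192.168.1.11', '/testvol/data'),
                     ('10.0.0.5', '/testvol/finance'), ('10.0.0.9', '/testvol/finance')]:
        print(ip, path, '->', authorize(exports, groups, ip, path) or 'DENIED')
```

The subdirectory case is the one worth checking when you run the test described above: `10.0.0.9` is inside the subnet exported for `/testvol`, yet it is denied on `/testvol/finance` because the more specific entry lists only `10.0.0.5`, which is exactly the kind of granular permission the feature is meant to give.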

User Experience
---------------

Authentication can be toggled through the command line.

Dependencies
------------

No external dependencies.

Documentation
-------------

TBD

Status
------

Feature complete, currently testing & working on enhancements.

Comments and Discussion
-----------------------

TBD