Feature
-------
Exports and Netgroups Authentication for NFS
Summary
-------
This feature adds Linux-style exports & netgroups authentication to
Gluster's NFS server. More specifically, this feature allows you to
restrict access to specific clients & netgroups for both Gluster volumes
and subdirectories within Gluster volumes.
Owners
------
Shreyas Siravara
Richard Wareing
Current Status
--------------
Today, Gluster can restrict access to volumes only through a simple IP list.
This feature makes that capability more scalable by allowing large lists
of IPs to be managed through a netgroup. It also allows more granular
permission handling on volumes.
Related Feature Requests and Bugs
---------------------------------
- [Bug 1143880](https://bugzilla.redhat.com/1143880): Exports and Netgroups Authentication for Gluster NFS mount

Patches ([Gerrit link](http://review.gluster.org/#/q/project:glusterfs+branch:master+topic:bug-1143880,n,z)):

- [\#1](http://review.gluster.org/9359): core: add generic parser utility
- [\#2](http://review.gluster.org/9360): nfs: add structures and functions for parsing netgroups
- [\#3](http://review.gluster.org/9361): nfs: add support for separate 'exports' file
- [\#4](http://review.gluster.org/9362): nfs: more fine grained authentication for the MOUNT protocol
- [\#5](http://review.gluster.org/9363): nfs: add auth-cache for the MOUNT protocol
- [\#6](http://review.gluster.org/8758): gNFS: Export / Netgroup authentication on Gluster NFS mount
- [\#7](http://review.gluster.org/9364): glusterd: add new NFS options for exports/netgroups and related caching
- [\#8](http://review.gluster.org/9365): glusterfsd: add "print-netgroups" and "print-exports" command
Detailed Description
--------------------
This feature allows users to restrict access to Gluster volumes (and
subdirectories within a volume) to specific IPs (exports authentication)
or a netgroup (netgroups authentication), or a combination of both.
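To make the access model concrete, the following is an added example (not Gluster's code, and not from the patches listed above) that parses a Linux-style exports file and a netgroups file and answers the MOUNT-time question "may this client reach this path, and with which options?". The file contents, IP addresses and netgroup names are constructed for the example; the rule that the longest exported path covering the request wins, and that anything unmatched is denied, is this example's model of subdirectory exports rather than a statement about Gluster's implementation.

```python
"""Toy model of Linux-style exports + netgroups authorization for an NFS
MOUNT request. Illustrative example only, not Gluster's code."""
import ipaddress
import re

# Constructed sample netgroups file. Members are (host,user,domain) triples
# or the names of other netgroups; NFS only cares about the host field.
NETGROUPS_TEXT = """
webtier   (10.1.0.10,,) (10.1.0.11,,)
admins    (192.168.5.7,,) webtier     # nested netgroup
"""

# Constructed sample exports file: path, then client(options) specs.
# A client may be an IP, a CIDR network, a @netgroup, or the wildcard '*'.
# Hostname specs are out of scope for this example and never match.
EXPORTS_TEXT = """
/vol1         10.0.0.0/24(rw) @admins(ro)
/vol1/public  *(ro)
/vol2         @webtier(rw)
"""


def _strip(line):
    """Drop a trailing comment and surrounding whitespace from one line."""
    return line.split("#", 1)[0].strip()


def parse_netgroups(text):
    """Return {netgroup: set(hosts)} with nested netgroups flattened."""
    raw = {}
    for line in text.splitlines():
        line = _strip(line)
        if line:
            name, *members = line.split()
            raw[name] = members

    def expand(name, seen):
        if name in seen:            # a cycle in the file must not recurse forever
            return set()
        seen.add(name)
        hosts = set()
        for member in raw.get(name, []):
            if member.startswith("("):
                host = member.strip("()").split(",")[0]
                if host:            # an empty host field grants nothing here
                    hosts.add(host)
            else:
                hosts |= expand(member, seen)
        return hosts

    return {name: expand(name, set()) for name in raw}


CLIENT_RE = re.compile(r"^(?P<client>[^()]+)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Return {export_path: [(client_spec, option_set), ...]} in file order."""
    exports = {}
    for line in text.splitlines():
        line = _strip(line)
        if not line:
            continue
        path, *specs = line.split()
        entries = []
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"malformed client spec: {spec!r}")
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            entries.append((m.group("client"), opts))
        exports[path.rstrip("/") or "/"] = entries
    return exports


def client_matches(spec, client_ip, netgroups):
    """True if client_ip is covered by one client spec from the exports file."""
    if spec == "*":
        return True
    if spec.startswith("@"):
        return client_ip in netgroups.get(spec[1:], set())
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False                # an unparseable spec or address never grants access


def authorize(path, client_ip, exports, netgroups):
    """Return the option set granted to client_ip for path, or None to deny.

    The longest exported path that is a prefix of the requested path is the
    one consulted, so a subdirectory export overrides its parent volume's
    client list for that subtree. Anything not matched is denied."""
    path = path.rstrip("/") or "/"
    candidates = [e for e in exports if path == e or path.startswith(e + "/") or e == "/"]
    if not candidates:
        return None
    best = max(candidates, key=len)
    for spec, opts in exports[best]:
        if client_matches(spec, client_ip, netgroups):
            return opts or {"ro"}   # no options listed: treat as read-only
    return None


if __name__ == "__main__":
    ng = parse_netgroups(NETGROUPS_TEXT)
    ex = parse_exports(EXPORTS_TEXT)
    for p, ip in [("/vol1", "10.0.0.5"), ("/vol1", "10.1.0.10"),
                  ("/vol1/public", "172.16.0.9"), ("/vol1/private", "172.16.0.9")]:
        print(p, ip, authorize(p, ip, ex, ng))
```

Two checks a reviewer of such a parser cares about are visible here: netgroup expansion must tolerate cycles in the file, and a malformed or unparseable client specification must fail closed rather than silently match everyone.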
Benefit to GlusterFS
--------------------
This is a scalable security model and allows more granular permissions.
Scope
-----
### Nature of proposed change
This change modifies the NFS server code and the mount daemon code. It
adds two parsers, one for the exports file and one for the netgroups file,
as well as caching code to improve performance.
### Implications on manageability
The authentication can be turned off with a single volume setting
('gluster vol set <VOLNAME> nfs.exports-auth-enable off'). The feature
has tunable parameters (how long authorizations should be cached, etc.)
that are set through the CLI.
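The cache lifetime named above is a security tunable, not only a performance one: a cached ALLOW keeps serving until it expires, so after the exports file is tightened a revoked client can still mount for up to one TTL unless the cache is flushed. The following added example (a model written for this page, not the auth-cache from patch #5 or any other Gluster code) makes that window visible with an injectable clock; the client address, path and `decide` callback are constructed stand-ins for the real exports lookup.

```python
"""TTL-bounded authorization cache, modelling the 'how long authorizations
should be cached' tunable. Illustrative example only, not Gluster's code."""
import time


class AuthCache:
    """Remember (client_ip, path) -> decision for ttl_seconds.

    The clock is injectable so expiry can be exercised without sleeping.
    Both ALLOW and DENY results are cached, so the TTL bounds how long a
    revocation (or a new grant) takes to be observed unless flush() is called."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}          # (client_ip, path) -> (decision, stored_at)
        self.misses = 0             # how often the real lookup was consulted

    def check(self, client_ip, path, decide):
        """Return the cached decision, or call decide(client_ip, path) on a miss."""
        key = (client_ip, path)
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]
        self.misses += 1
        decision = decide(client_ip, path)
        self._entries[key] = (decision, now)
        return decision

    def flush(self):
        """Drop every cached decision, e.g. when the exports file is reloaded."""
        self._entries.clear()


def staleness_demo():
    """Show a revoked client staying authorized until its cache entry expires.

    Returns (decision right after revocation, decision once the TTL has
    elapsed, decision right after re-grant plus an explicit flush)."""
    fake_now = [100.0]
    allowed = {("10.0.0.5", "/vol1")}             # constructed stand-in for the exports lookup
    decide = lambda ip, p: (ip, p) in allowed
    cache = AuthCache(ttl_seconds=30, clock=lambda: fake_now[0])

    cache.check("10.0.0.5", "/vol1", decide)      # populates the cache with ALLOW
    allowed.clear()                               # exports tightened: client revoked
    after_revoke = cache.check("10.0.0.5", "/vol1", decide)   # stale ALLOW still served
    fake_now[0] += 31                             # TTL elapses
    after_ttl = cache.check("10.0.0.5", "/vol1", decide)      # re-evaluated: DENY
    allowed.add(("10.0.0.5", "/vol1"))            # exports loosened again
    cache.flush()                                 # operator forces re-evaluation
    after_flush = cache.check("10.0.0.5", "/vol1", decide)    # ALLOW immediately
    return after_revoke, after_ttl, after_flush


if __name__ == "__main__":
    print(staleness_demo())
```

When choosing the TTL, weigh the revocation delay it introduces against the lookup load it saves, and pair any exports reload procedure with a cache flush so that tightening access takes effect immediately rather than after the cache ages out.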
### Implications on presentation layer
Adds per-fileop authentication to the NFS server. No other elements of
the presentation layer are affected.
### Implications on persistence layer
No implications.
### Implications on 'GlusterFS' backend
No implications.
### Modification to GlusterFS metadata
No modifications.
### Implications on 'glusterd'
Adds a few configuration options to NFS to tweak the authentication
model.
How To Test
-----------
Restrict a volume in the exports file to a specific IP, turn on
authentication through the Gluster CLI, and verify that mounts and file
operations are denied (or authorized, depending on your setup).
User Experience
---------------
Authentication can be toggled through the command line.
Dependencies
------------
No external dependencies.
Documentation
-------------
TBD
Status
------
Feature complete, currently testing & working on enhancements.
Comments and Discussion
-----------------------
TBD