nfsv4 1 acl and co tigran mkrtchyan for dcache team acl
play

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics - PowerPoint PPT Presentation

Jan 05, 2023 •39 likes •379 views

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a list of Access Control Entries attached to a file or a directory ACEs grant or deny a principal an action on a file or a directory ACL basics

  1. NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team

  2. ACL basics (for file system) ● ACLs is a list of Access Control Entries attached to a file or a directory ● ACEs grant or deny a principal an action on a file or a directory

  3. ACL basics (for file system) Traditional UNIX mode: -rw-r—r-- 3 bit ACE for OTHER 3 bit ACE for GROUP 3 bit ACE for OWNER R Read Access W Write Access X Execute/Lookup Access

  4. When we need 'Other' ACLs? ● Two or more user principals should have the explicit permissions ● Two or more group principals should have explicit permissions ● Explicit DENY to some set of user/group principals. NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 4

  5. ACL models NFSv4 Windows NT ACLs ACLs POSIX ACLs UNIX mode NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 5

  6. NFSv4 ACLs ● Defined in NFSv4 standard ● Defined in rfc3010, rfc3530 ● Modified, clarified rfc5661 (v4.1) ● Users & Groups identified by UTF-8 strings ● “user@domain” and “goup@domain” ● Client and server responsible to map those to local representations NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 6

  7. NFSv4 ACLs [2] ● 14 access mask bits ● Binary values identical to Windows ● Name and semantics similar to Windows ● Unlimited number or principals ● 3 useful special principals ● OWNER@, GROUP@, EVERYONE@ ● Nearly identical to Windows NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 7

  8. NFSv4 ACLs [3] ● More complex than UNIX mode ● Deny-type ACE ● Order of ACEs is significant ● EVERYONE@ != UNIX other ● Similar enough to cause confusions ● Must retain UNIX mode compatibility ● Chmod adjusts ACLs ● Set ACL adjusts UNIX mode NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 8

  9. NFSv4.1 ACE masks r read-data (files) / list-directory (directories) w write-data (files) / create-file (directories) a append-data (files) / create-subdirectory (directories) x execute (files) / change-directory (directories) d delete - delete the file/directory. D delete-child - remove a file or subdirectory from within the given directory t read-attributes - read the attributes of the file/directory. T write-attributes - write the attributes of the file/directory. n read-named-attributes - read the named attributes of the file/directory. N write-named-attributes - write the named attributes of the file/directory. c read-ACL - read the file/directory NFSv4 ACL. C write-ACL - write the file/directory NFSv4 ACL. o write-owner - change ownership of the file/directory. y synchronize - allow clients to use synchronous I/O with the server. NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 9

  10. NFSv4 ACLs in dCache ● Pushed by WLCG as MUST ● 'PRODUCTION' users should be able to delete any file ● Never used officially ● Real use case with Photon Science @ DESY ● No real user groups ● Any data taking results can be shared with different set of people ● Supported by all protocols ● Differences in enable/disable NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 10

  11. Enable in dCache NFS door ● Controlled by exports file ● Per client option ● Can be enabled/disabled on running system ● Set/GetACL available always NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 11

  12. Enable in dCache NFS # /etc/dcache/exports /data trusty(rw,noacl) shared(rw,acl) weak(ro) NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 12

  13. Enable in dCache NFS ● Enable/disable with 'acl'/'noacl' ● No option == noacl (old behavior) ● 'exports reload' re-reads exports file ● No re-mount required ● Takes effect in the fly NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 13

  14. Enable in dCache NFS # /etc/dcache/exports /data h*(ro) h1*(rw) host1(rw) 1.1.1.1(rw) 1.1.1.0/24(ro) /data/read-only host1(ro) ● Internally sorted as more precise entry first ● 1.1.1.1, 1.1.1.0/24, host1, h1*, h* ● First match wins ● Shortest path wins => /data host1(rw) NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 14

  15. PseudoFS /data/set1 / /data/set2 /archive data archive set1 set2 Clients can always mount the '/', but will see only exports directories. NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 15

  16. Pitfalls – per client option ● Not all client see the same access rights ● Users access depends on the client node ● RO exports will RJECT updates even if ACL allows ● Independent of 'aclEnabled=true/false' ● Not all doors see the same access rights ● Other protocols do not sync ACL and UNIX mode ● Update of UNIX mode doesn't adjust ACLs ● Update of ACLs doesn't adjust UNIX mode NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 16

  17. Enable on a Client ● RHEL6 and Clones (SL6, CentOS6) ● Other OSes supports as well – check the docs ● Install nfs4-acl-tools ● 'nfs4_getfacl' and 'nfs4_setfacl' ● Hopefully, one day will be merged into setfacl and getfacl NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 17

  18. Examples $ ls -ld file.X -rwxrwxr-x 2 tigran nobody 512 May 19 12:47 file.X $ nfs4_getfacl file.X A::OWNER@:rwaDxtTcC A::GROUP@:rwaDxtc A::EVERYONE@:rxtc $ No ACLs, unix to ACL translation NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 18

  19. Examples $ chmod 000 file.X $ ls -ld file.X ---------- 2 tigran nobody 512 May 19 12:47 file.X $ nfs4_getfacl file.X A::OWNER@:tTcC A::GROUP@:t A::EVERYONE@:t $ No ACLs, unix to ACL translation NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 19

  20. Examples $ nfs4_setfacl -s 'A::tigran@desy.afs:r' file.X $ ls -ld file.X -rwxrwxr-x 2 tigran nobody 512 May 19 12:47 file.X $ nfs4_getfacl file.X A::tigran@desy.afs:r A::OWNER@:rwaDxtTcC A::GROUP@:rwaDxtc A::EVERYONE@:rxtc $ NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 20

  21. Examples $ touch file.X $ nfs4_setfacl -a 'A::EVERYONE@:rw' file.X $ nfs4_setfacl -a 'A::tigran@desy.afs:rw' file.X $ nfs4_setfacl -a 'A::paul@desy.afs:rw' file.X $ nfs4_getfacl file.X A::paul@desy.afs:rw A::tigran@desy.afs:rw A::EVERYONE@:rwtc A::OWNER@:rwatTcC A::GROUP@:rwatc $ chmod 000 file.X <- ACL are adjusted here $ nfs4_getfacl file.X A::paul@desy.afs:rw A::tigran@desy.afs:rw A::OWNER@:tTcC A::GROUP@:t A::EVERYONE@:t $ NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 21

  22. Decision maker ● ACLs processed in top-down order ● First DENY ACE stops evaluation ● ALLOW ACEs evaluated until all requested masks verified ● Fall-back to unix mode if decision can't be made based on ACLs NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 22

  23. Log messages decrypted ● Access Deny (RO export) ● The client wants to modify on read-only export ● Access Deny (no export) ● The client doesn't have an entry in the export file ● Access denied: pseudo Inode ● The client want's to modify an object with export path ● Access denied: ● The client doesn't have required permission NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 23

  24. Log messages 17 May 2013 14:05:16 (NFSv41-dcache-dir-photon01) [] Access Deny: 01caffee00000000102ce059002e303a494e4f44453a303030303133353733413834324232 4134424145413630443934303831354441463132443a30 T rtc Subject: Principal: UidPrincipal[16606] Principal: GidPrincipal[1467,primary] Principal: GidPrincipal[49] Principal: GidPrincipal[1467] Principal: GidPrincipal[3144] Principal: GidPrincipal[3328] Principal: GidPrincipal[3844] Principal: GidPrincipal[3951] Principal: GidPrincipal[5202] Principal: GidPrincipal[1100356520] NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 24

  25. Real life example ● Unix mode to DENY ● ACL used to for ALLOW [p3-wgs13] /pnfs/desy.de/petra3/disk $ ls -ld dataset1 d--------- 4 psgsrv it 512 Apr 23 14:05 dataset1 [p3-wgs13] /pnfs/desy.de/petra3/disk $ nfs4_getfacl dataset1 A::psgsrv@desy.afs:rwaDxtTnNcCy A::gXXl@desy.afs:rxtncy A::rXX@desy.afs:rxtncy A::fXX@desy.afs:rxtncy A::bXX@desy.afs:rxtncy A::OWNER@:tTcC A::GROUP@:t A::EVERYONE@:t [p3-wgs13] /pnfs/desy.de/petra3/disk $ NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 25

  26. Internals : $ nfs4_setfacl -a 'A::tigran@desy.afs:rw' file.X NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 26

  27. One Essential component - gPlazma ● Set/Getacl require proper mapping ● Identity plugin should provide One-to-one mapping ● Current plugins NIS, LDAP, NSSWITCH IDENTITY tigran nis NISSERV 3750 NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 27

  28. Idmapping and gPlazma for NFS 101 ● Client and dCache should use the same nfs domain ● On client: /etc/idmapd.conf ● In dCache nfs.domain in dcache.conf ● Identity plugin should be configured in gPlazma NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 28

  29. Troubleshoot mapping errors ● Use RHEL 6.4 ( 6.3 is OK ) ● Check gPlazma mapping ● 'get identity / ridentity ' ● Check door cache ● 'login dump cache' ● Clear door/client idmap cache ● dCache: 'login clear cache' ● RHEL/SL >= 6.3 : 'nfsidmap -c' NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 |

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 |

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 | Page 1 Outline NFSv41 basics NFSv4.1 concepts PNFS Id mapping Industry standard dCache implementation dCache NFSv4.1 |

1.14k views • 46 slides
Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden

Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden

Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden What will be NOT covered with talks Changes in REST API New functionality in dCache-view CEPH HA-dCache Macaroons and OpenID-connect

267 views • 25 slides
dCache - delegated storage solutions Tigran Mkrtchyan for dCache Team ISGC 2016, Taiwan dCache

dCache - delegated storage solutions Tigran Mkrtchyan for dCache Team ISGC 2016, Taiwan dCache

dCache - delegated storage solutions Tigran Mkrtchyan for dCache Team ISGC 2016, Taiwan dCache on one slide JVM JVM JVM Message passing layer Door(s) Pool Manager Name Space Pools (clients entry point) Door Pools (requests scheduler)

254 views • 21 slides
Visualization of dCache accounting information with state-of-the-art Data Analysis Tools Tigran

Visualization of dCache accounting information with state-of-the-art Data Analysis Tools Tigran

Visualization of dCache accounting information with state-of-the-art Data Analysis Tools Tigran Mkrtchyan for DESY dCache operating Team Tigran Mkrtchyan | Visualization of dCache accounting information | Date | Page 1 Outline Tigran

633 views • 41 slides
Chimera and NFS 4.1 in dCache dCache.ORG Patrick Fuhrmann Tigran Mkrtchyan presented by Peter

Chimera and NFS 4.1 in dCache dCache.ORG Patrick Fuhrmann Tigran Mkrtchyan presented by Peter

Chimera and NFS 4.1 in dCache dCache.ORG Patrick Fuhrmann Tigran Mkrtchyan presented by Peter van der Reest, DESY at HEPiX, Fall 2007 dCache.ORG Fuhrmann, Mkrtchyan, v.d.Reest HEPiX, Fall 2007 Nov 6, 2007 Content Motivation dCache.ORG

621 views • 16 slides
July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin

July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin

NFS 4.1 demonstrator Jean-Philippe Baud, IT-GT, CERN Patrick Fuhrmann, DESY July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin Gasthuber dCache.org Quick reminder on why we are doing this ! The next

404 views • 19 slides
dCache, Storage Interoperability beyond WLCG WLCG Data Grid meets reality . patrick FUHRMANN

dCache, Storage Interoperability beyond WLCG WLCG Data Grid meets reality . patrick FUHRMANN

Grid Middleware &amp; Interoperability dCache, Storage Interoperability beyond WLCG WLCG Data Grid meets reality . patrick FUHRMANN WITH CONTRIBUTIONS BY dcache TEAM And in particular gerd BEHRMANN, NDGF And with many thanks to tigran

371 views • 33 slides
dCache for Photon Science Outline: Overview and Resources Photon dCache Monitoring Birgit

dCache for Photon Science Outline: Overview and Resources Photon dCache Monitoring Birgit

dCache for Photon Science Outline: Overview and Resources Photon dCache Monitoring Birgit Lewendel for the dCache operations team Summary DESY IT 6th dCache Workshop dCache at DESY DESY National Analysis Facility Zeuthen 0.7 PB CTA

100 views • 7 slides
dCache: Powerful Storage Made Easy Paul l Milla illar (on behalf of the dCache.org team)

dCache: Powerful Storage Made Easy Paul l Milla illar (on behalf of the dCache.org team)

dCache: Powerful Storage Made Easy Paul l Milla illar (on behalf of the dCache.org team) dCache dCache is powerful storage system, providing what people need, now. We're also pushing the envelope of what storage systems can do.

1.04k views • 25 slides
SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry Litvintsev Wednesday, May 29, 13 Plan SRM, a reminder SRM parameters SRM troubleshooting dCache Team 2 Dmitry Litvintsev

827 views • 34 slides
dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh, November 2007 Nov 13-14, 2007, Edinburgh SRM 2.2 Workshop 1 Project Topology : The Team Head of dCache.ORG Head of Development FNAL : Timur

281 views • 11 slides
dCache dCache seminar at FERMIlab dCache.ORG Patrick Fuhrmann et al. dCache.ORG and slides

dCache dCache seminar at FERMIlab dCache.ORG Patrick Fuhrmann et al. dCache.ORG and slides

dCache dCache seminar at FERMIlab dCache.ORG Patrick Fuhrmann et al. dCache.ORG and slides stolen from nearly everywhere additional funding, support or contributions by d-grid DGI II P. Fuhrmann Sep 26, 2008 dCache seminar, FERMIlab

375 views • 34 slides
Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement

Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement

Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement for Java Serialization in dCache Lea Morschel for dCache Team, November 7 2019 About dCache A distributed petabyte-scale storage system for

713 views • 42 slides
dCache Beginners Course Introducing dCache An overview to dCache and how it is deployed in grid

dCache Beginners Course Introducing dCache An overview to dCache and how it is deployed in grid

dCache Beginners Course Introducing dCache An overview to dCache and how it is deployed in grid environments. Karlsruhe Institute of Technology (KIT), Steinbuchcentre for Computing (SCC) KIT University of the State of Baden-Wuerttemberg and

297 views • 12 slides
7th International dCache Workshop Berlin Bits and Pieces 2013 Christian Bernardt (at DESY)

7th International dCache Workshop Berlin Bits and Pieces 2013 Christian Bernardt (at DESY)

7th International dCache Workshop Berlin Bits and Pieces 2013 Christian Bernardt (at DESY) Berlin, 28.05.2013 dCache Team dCache Team Chris&amp;an Bernardt Content New webpage IPv6 (OS, JVM, dCache) No PinManager for Tier 2

503 views • 33 slides
Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd

Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd

Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd Schuller, Arsen Hayrapetyan, Marcus Hardt, Shiraz Memon, Shahbaz Memon, Christian Bernardt, Tigran Mkrtchyan, Dennis Klein The grid X.509 (user)

352 views • 17 slides
Le Lecture 15 15 Access Control 1 Recall: Secu curity Service ces Confidentiality: to

Le Lecture 15 15 Access Control 1 Recall: Secu curity Service ces Confidentiality: to

Le Lecture 15 15 Access Control 1 Recall: Secu curity Service ces Confidentiality: to assure information privacy and secrecy Authentication: to assert who created or sent data Integrity: to show that data has not been altered

656 views • 32 slides
Scaling Backend Authentication at Facebook Kevin Lewi , Callen Rain , Stephen Weis, Yueting Lee,

Scaling Backend Authentication at Facebook Kevin Lewi , Callen Rain , Stephen Weis, Yueting Lee,

Scaling Backend Authentication at Facebook Kevin Lewi , Callen Rain , Stephen Weis, Yueting Lee, Haozhi Xiong, Benjamin Yang Facebook Infrastructure Security Network Perimeter Trusted Services Building from a Root of Trust ] &quot;

288 views • 24 slides
Lean in Lean Leonardo de Moura - MSR - USA Workshop Lean Programming Language Goals

Lean in Lean Leonardo de Moura - MSR - USA Workshop Lean Programming Language Goals

Programming Language http://leanprover.github.io Lean in Lean Leonardo de Moura - MSR - USA Workshop Lean Programming Language Goals Extensibility, Expressivity, Scalability, Proof stability Functional Programming (e ffi ciency)

1.13k views • 54 slides
CompSci514/ECE558: Computer Networks Lecture 17: Programmable Switches Xiaowei Yang

CompSci514/ECE558: Computer Networks Lecture 17: Programmable Switches Xiaowei Yang

CompSci514/ECE558: Computer Networks Lecture 17: Programmable Switches Xiaowei Yang xwy@cs.duke.edu http://www.cs.duke.edu/~xwy Some slides are adapted from Prof Nick McKeowns lecture slides Overview The Trio of modern networking

803 views • 54 slides
Annotation Graphs, Annotation Servers and Multi-Modal Resources Infrastructure for

Annotation Graphs, Annotation Servers and Multi-Modal Resources Infrastructure for

Annotation Graphs, Annotation Servers and Multi-Modal Resources Infrastructure for Interdisciplinary Education, Research and Development Christopher Cieri and Steven Bird University of Pennsylvania Linguistic Data Consortium

439 views • 13 slides
Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Slides: http://tiny.cc/adversarial Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are Adversarial Examples? panda gibbon 57.7% confidence 99.3% confidence [Goodfellow et al, ICLR 2015 ]

1.56k views • 43 slides
You Talking to Me? A Corpus and Algorithm for Conversation Disentanglement Micha Elsner and

You Talking to Me? A Corpus and Algorithm for Conversation Disentanglement Micha Elsner and

You Talking to Me? A Corpus and Algorithm for Conversation Disentanglement Micha Elsner and Eugene Charniak Brown Laboratory for Linguistic Information Processing (BLLIP) Life in a Multi-User Channel Does anyone here shave How do I limit the

445 views • 40 slides
Keeping objects secure IN TRODUCTION TO AW S BOTO IN P YTH ON Maksim Pecherskiy Data

Keeping objects secure IN TRODUCTION TO AW S BOTO IN P YTH ON Maksim Pecherskiy Data

Keeping objects secure IN TRODUCTION TO AW S BOTO IN P YTH ON Maksim Pecherskiy Data engineer Why care about permissions? df = pd.read_csv('https://gid-staging.s3.amazonaws.com/potholes.csv') INTRODUCTION TO AWS BOTO IN PYTHON Why care

1.16k views • 68 slides

More recommend