nfsv4 1 acl and co tigran mkrtchyan for dcache team acl
play

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics - PowerPoint PPT Presentation

Jan 05, 2023 •39 likes •379 views

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a list of Access Control Entries attached to a file or a directory ACEs grant or deny a principal an action on a file or a directory ACL basics

  1. NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team

  2. ACL basics (for file system) ● ACLs is a list of Access Control Entries attached to a file or a directory ● ACEs grant or deny a principal an action on a file or a directory

  3. ACL basics (for file system) Traditional UNIX mode: -rw-r—r-- 3 bit ACE for OTHER 3 bit ACE for GROUP 3 bit ACE for OWNER R Read Access W Write Access X Execute/Lookup Access

  4. When we need 'Other' ACLs? ● Two or more user principals should have the explicit permissions ● Two or more group principals should have explicit permissions ● Explicit DENY to some set of user/group principals. NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 4

  5. ACL models NFSv4 Windows NT ACLs ACLs POSIX ACLs UNIX mode NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 5

  6. NFSv4 ACLs ● Defined in NFSv4 standard ● Defined in rfc3010, rfc3530 ● Modified, clarified rfc5661 (v4.1) ● Users & Groups identified by UTF-8 strings ● “user@domain” and “goup@domain” ● Client and server responsible to map those to local representations NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 6

  7. NFSv4 ACLs [2] ● 14 access mask bits ● Binary values identical to Windows ● Name and semantics similar to Windows ● Unlimited number or principals ● 3 useful special principals ● OWNER@, GROUP@, EVERYONE@ ● Nearly identical to Windows NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 7

  8. NFSv4 ACLs [3] ● More complex than UNIX mode ● Deny-type ACE ● Order of ACEs is significant ● EVERYONE@ != UNIX other ● Similar enough to cause confusions ● Must retain UNIX mode compatibility ● Chmod adjusts ACLs ● Set ACL adjusts UNIX mode NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 8

  9. NFSv4.1 ACE masks r read-data (files) / list-directory (directories) w write-data (files) / create-file (directories) a append-data (files) / create-subdirectory (directories) x execute (files) / change-directory (directories) d delete - delete the file/directory. D delete-child - remove a file or subdirectory from within the given directory t read-attributes - read the attributes of the file/directory. T write-attributes - write the attributes of the file/directory. n read-named-attributes - read the named attributes of the file/directory. N write-named-attributes - write the named attributes of the file/directory. c read-ACL - read the file/directory NFSv4 ACL. C write-ACL - write the file/directory NFSv4 ACL. o write-owner - change ownership of the file/directory. y synchronize - allow clients to use synchronous I/O with the server. NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 9

  10. NFSv4 ACLs in dCache ● Pushed by WLCG as MUST ● 'PRODUCTION' users should be able to delete any file ● Never used officially ● Real use case with Photon Science @ DESY ● No real user groups ● Any data taking results can be shared with different set of people ● Supported by all protocols ● Differences in enable/disable NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 10

  11. Enable in dCache NFS door ● Controlled by exports file ● Per client option ● Can be enabled/disabled on running system ● Set/GetACL available always NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 11

  12. Enable in dCache NFS # /etc/dcache/exports /data trusty(rw,noacl) shared(rw,acl) weak(ro) NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 12

  13. Enable in dCache NFS ● Enable/disable with 'acl'/'noacl' ● No option == noacl (old behavior) ● 'exports reload' re-reads exports file ● No re-mount required ● Takes effect in the fly NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 13

  14. Enable in dCache NFS # /etc/dcache/exports /data h*(ro) h1*(rw) host1(rw) 1.1.1.1(rw) 1.1.1.0/24(ro) /data/read-only host1(ro) ● Internally sorted as more precise entry first ● 1.1.1.1, 1.1.1.0/24, host1, h1*, h* ● First match wins ● Shortest path wins => /data host1(rw) NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 14

  15. PseudoFS /data/set1 / /data/set2 /archive data archive set1 set2 Clients can always mount the '/', but will see only exports directories. NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 15

  16. Pitfalls – per client option ● Not all client see the same access rights ● Users access depends on the client node ● RO exports will RJECT updates even if ACL allows ● Independent of 'aclEnabled=true/false' ● Not all doors see the same access rights ● Other protocols do not sync ACL and UNIX mode ● Update of UNIX mode doesn't adjust ACLs ● Update of ACLs doesn't adjust UNIX mode NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 16

  17. Enable on a Client ● RHEL6 and Clones (SL6, CentOS6) ● Other OSes supports as well – check the docs ● Install nfs4-acl-tools ● 'nfs4_getfacl' and 'nfs4_setfacl' ● Hopefully, one day will be merged into setfacl and getfacl NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 17

  18. Examples $ ls -ld file.X -rwxrwxr-x 2 tigran nobody 512 May 19 12:47 file.X $ nfs4_getfacl file.X A::OWNER@:rwaDxtTcC A::GROUP@:rwaDxtc A::EVERYONE@:rxtc $ No ACLs, unix to ACL translation NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 18

  19. Examples $ chmod 000 file.X $ ls -ld file.X ---------- 2 tigran nobody 512 May 19 12:47 file.X $ nfs4_getfacl file.X A::OWNER@:tTcC A::GROUP@:t A::EVERYONE@:t $ No ACLs, unix to ACL translation NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 19

  20. Examples $ nfs4_setfacl -s 'A::tigran@desy.afs:r' file.X $ ls -ld file.X -rwxrwxr-x 2 tigran nobody 512 May 19 12:47 file.X $ nfs4_getfacl file.X A::tigran@desy.afs:r A::OWNER@:rwaDxtTcC A::GROUP@:rwaDxtc A::EVERYONE@:rxtc $ NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 20

  21. Examples $ touch file.X $ nfs4_setfacl -a 'A::EVERYONE@:rw' file.X $ nfs4_setfacl -a 'A::tigran@desy.afs:rw' file.X $ nfs4_setfacl -a 'A::paul@desy.afs:rw' file.X $ nfs4_getfacl file.X A::paul@desy.afs:rw A::tigran@desy.afs:rw A::EVERYONE@:rwtc A::OWNER@:rwatTcC A::GROUP@:rwatc $ chmod 000 file.X <- ACL are adjusted here $ nfs4_getfacl file.X A::paul@desy.afs:rw A::tigran@desy.afs:rw A::OWNER@:tTcC A::GROUP@:t A::EVERYONE@:t $ NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 21

  22. Decision maker ● ACLs processed in top-down order ● First DENY ACE stops evaluation ● ALLOW ACEs evaluated until all requested masks verified ● Fall-back to unix mode if decision can't be made based on ACLs NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 22

  23. Log messages decrypted ● Access Deny (RO export) ● The client wants to modify on read-only export ● Access Deny (no export) ● The client doesn't have an entry in the export file ● Access denied: pseudo Inode ● The client want's to modify an object with export path ● Access denied: ● The client doesn't have required permission NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 23

  24. Log messages 17 May 2013 14:05:16 (NFSv41-dcache-dir-photon01) [] Access Deny: 01caffee00000000102ce059002e303a494e4f44453a303030303133353733413834324232 4134424145413630443934303831354441463132443a30 T rtc Subject: Principal: UidPrincipal[16606] Principal: GidPrincipal[1467,primary] Principal: GidPrincipal[49] Principal: GidPrincipal[1467] Principal: GidPrincipal[3144] Principal: GidPrincipal[3328] Principal: GidPrincipal[3844] Principal: GidPrincipal[3951] Principal: GidPrincipal[5202] Principal: GidPrincipal[1100356520] NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 24

  25. Real life example ● Unix mode to DENY ● ACL used to for ALLOW [p3-wgs13] /pnfs/desy.de/petra3/disk $ ls -ld dataset1 d--------- 4 psgsrv it 512 Apr 23 14:05 dataset1 [p3-wgs13] /pnfs/desy.de/petra3/disk $ nfs4_getfacl dataset1 A::psgsrv@desy.afs:rwaDxtTnNcCy A::gXXl@desy.afs:rxtncy A::rXX@desy.afs:rxtncy A::fXX@desy.afs:rxtncy A::bXX@desy.afs:rxtncy A::OWNER@:tTcC A::GROUP@:t A::EVERYONE@:t [p3-wgs13] /pnfs/desy.de/petra3/disk $ NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 25

  26. Internals : $ nfs4_setfacl -a 'A::tigran@desy.afs:rw' file.X NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 26

  27. One Essential component - gPlazma ● Set/Getacl require proper mapping ● Identity plugin should provide One-to-one mapping ● Current plugins NIS, LDAP, NSSWITCH IDENTITY tigran nis NISSERV 3750 NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 27

  28. Idmapping and gPlazma for NFS 101 ● Client and dCache should use the same nfs domain ● On client: /etc/idmapd.conf ● In dCache nfs.domain in dcache.conf ● Identity plugin should be configured in gPlazma NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 28

  29. Troubleshoot mapping errors ● Use RHEL 6.4 ( 6.3 is OK ) ● Check gPlazma mapping ● 'get identity / ridentity ' ● Check door cache ● 'login dump cache' ● Clear door/client idmap cache ● dCache: 'login clear cache' ● RHEL/SL >= 6.3 : 'nfsidmap -c' NFsv41, ACL, gPlazma | Tigran Mkrtchyan | 5/28/13 | Page 29

Recommend

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 |

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 |

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 | Page 1 Outline NFSv41 basics NFSv4.1 concepts PNFS Id mapping Industry standard dCache implementation dCache NFSv4.1 |

1.14k views • 46 slides
Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden

Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden

Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden What will be NOT covered with talks Changes in REST API New functionality in dCache-view CEPH HA-dCache Macaroons and OpenID-connect

267 views • 25 slides
dCache - delegated storage solutions Tigran Mkrtchyan for dCache Team ISGC 2016, Taiwan dCache

dCache - delegated storage solutions Tigran Mkrtchyan for dCache Team ISGC 2016, Taiwan dCache

dCache - delegated storage solutions Tigran Mkrtchyan for dCache Team ISGC 2016, Taiwan dCache on one slide JVM JVM JVM Message passing layer Door(s) Pool Manager Name Space Pools (clients entry point) Door Pools (requests scheduler)

254 views • 21 slides
Visualization of dCache accounting information with state-of-the-art Data Analysis Tools Tigran

Visualization of dCache accounting information with state-of-the-art Data Analysis Tools Tigran

Visualization of dCache accounting information with state-of-the-art Data Analysis Tools Tigran Mkrtchyan for DESY dCache operating Team Tigran Mkrtchyan | Visualization of dCache accounting information | Date | Page 1 Outline Tigran

633 views • 41 slides
Chimera and NFS 4.1 in dCache dCache.ORG Patrick Fuhrmann Tigran Mkrtchyan presented by Peter

Chimera and NFS 4.1 in dCache dCache.ORG Patrick Fuhrmann Tigran Mkrtchyan presented by Peter

Chimera and NFS 4.1 in dCache dCache.ORG Patrick Fuhrmann Tigran Mkrtchyan presented by Peter van der Reest, DESY at HEPiX, Fall 2007 dCache.ORG Fuhrmann, Mkrtchyan, v.d.Reest HEPiX, Fall 2007 Nov 6, 2007 Content Motivation dCache.ORG

621 views • 16 slides
July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin

July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin

NFS 4.1 demonstrator Jean-Philippe Baud, IT-GT, CERN Patrick Fuhrmann, DESY July 2010 Tigran, Ricardo , Maarten, Andrea, Yves Kemp, Dmitry Ozerov, desy DOT Team, Martin Gasthuber dCache.org Quick reminder on why we are doing this ! The next

404 views • 19 slides
dCache, Storage Interoperability beyond WLCG WLCG Data Grid meets reality . patrick FUHRMANN

dCache, Storage Interoperability beyond WLCG WLCG Data Grid meets reality . patrick FUHRMANN

Grid Middleware &amp; Interoperability dCache, Storage Interoperability beyond WLCG WLCG Data Grid meets reality . patrick FUHRMANN WITH CONTRIBUTIONS BY dcache TEAM And in particular gerd BEHRMANN, NDGF And with many thanks to tigran

371 views • 33 slides
dCache for Photon Science Outline: Overview and Resources Photon dCache Monitoring Birgit

dCache for Photon Science Outline: Overview and Resources Photon dCache Monitoring Birgit

dCache for Photon Science Outline: Overview and Resources Photon dCache Monitoring Birgit Lewendel for the dCache operations team Summary DESY IT 6th dCache Workshop dCache at DESY DESY National Analysis Facility Zeuthen 0.7 PB CTA

100 views • 7 slides
dCache: Powerful Storage Made Easy Paul l Milla illar (on behalf of the dCache.org team)

dCache: Powerful Storage Made Easy Paul l Milla illar (on behalf of the dCache.org team)

dCache: Powerful Storage Made Easy Paul l Milla illar (on behalf of the dCache.org team) dCache dCache is powerful storage system, providing what people need, now. We're also pushing the envelope of what storage systems can do.

1.04k views • 25 slides
SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry

SRM Dmitry Litvintsev 7th international dCache workshop, May 27-29,2013 dCache Team Dmitry Litvintsev Wednesday, May 29, 13 Plan SRM, a reminder SRM parameters SRM troubleshooting dCache Team 2 Dmitry Litvintsev

827 views • 34 slides
dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh, November 2007 Nov 13-14, 2007, Edinburgh SRM 2.2 Workshop 1 Project Topology : The Team Head of dCache.ORG Head of Development FNAL : Timur

281 views • 11 slides
dCache dCache seminar at FERMIlab dCache.ORG Patrick Fuhrmann et al. dCache.ORG and slides

dCache dCache seminar at FERMIlab dCache.ORG Patrick Fuhrmann et al. dCache.ORG and slides

dCache dCache seminar at FERMIlab dCache.ORG Patrick Fuhrmann et al. dCache.ORG and slides stolen from nearly everywhere additional funding, support or contributions by d-grid DGI II P. Fuhrmann Sep 26, 2008 dCache seminar, FERMIlab

375 views • 34 slides
Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement

Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement

Effjcient Message Serialization for Inter-Service Communication in dCache Evaluating a Replacement for Java Serialization in dCache Lea Morschel for dCache Team, November 7 2019 About dCache A distributed petabyte-scale storage system for

713 views • 42 slides
dCache Beginners Course Introducing dCache An overview to dCache and how it is deployed in grid

dCache Beginners Course Introducing dCache An overview to dCache and how it is deployed in grid

dCache Beginners Course Introducing dCache An overview to dCache and how it is deployed in grid environments. Karlsruhe Institute of Technology (KIT), Steinbuchcentre for Computing (SCC) KIT University of the State of Baden-Wuerttemberg and

297 views • 12 slides
7th International dCache Workshop Berlin Bits and Pieces 2013 Christian Bernardt (at DESY)

7th International dCache Workshop Berlin Bits and Pieces 2013 Christian Bernardt (at DESY)

7th International dCache Workshop Berlin Bits and Pieces 2013 Christian Bernardt (at DESY) Berlin, 28.05.2013 dCache Team dCache Team Chris&amp;an Bernardt Content New webpage IPv6 (OS, JVM, dCache) No PinManager for Tier 2

503 views • 33 slides
Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd

Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd

Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd Schuller, Arsen Hayrapetyan, Marcus Hardt, Shiraz Memon, Shahbaz Memon, Christian Bernardt, Tigran Mkrtchyan, Dennis Klein The grid X.509 (user)

352 views • 17 slides
dCache in Use at DESY dCache in Use DESY DV/IT 5.7.2010 Overview grid gridFTP, (gsi)dcap,

dCache in Use at DESY dCache in Use DESY DV/IT 5.7.2010 Overview grid gridFTP, (gsi)dcap,

Andreas Haupt, Birgit Lewendel dCache in Use at DESY dCache in Use DESY DV/IT 5.7.2010 Overview grid gridFTP, (gsi)dcap, SRM dcache-se-desy dcache-se-cms dcache-se-atlas lcg-se1 lcg-se0 Calice, CFEL, GKSS, ILC, Olympus, Petra3,

417 views • 7 slides
NFSv4 Beyond v4.2 Part 2 of Road Map of the features in NFS v4.1, v4.2, and beyond Dave Noveck

NFSv4 Beyond v4.2 Part 2 of Road Map of the features in NFS v4.1, v4.2, and beyond Dave Noveck

NFSv4 Beyond v4.2 Part 2 of Road Map of the features in NFS v4.1, v4.2, and beyond Dave Noveck Netapp Vault Conference March 2017 Contents A tiny bit about the NFSv4 Working group and the IETF process NFSv4 beyond v4.2 as approved

750 views • 16 slides
NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1

NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1

NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1 pNFS product community Value of NFSv4.1 / pNFS Industry Standard Secure Performance and Scale Throughput Increased Storage Capacity

368 views • 24 slides
Shader Programming BY TIGRAN GASPARIAN Who am I? Name: Tigran Gasparian Age: 22 Master student

Shader Programming BY TIGRAN GASPARIAN Who am I? Name: Tigran Gasparian Age: 22 Master student

Shader Programming BY TIGRAN GASPARIAN Who am I? Name: Tigran Gasparian Age: 22 Master student Game and Media Technology Working on a game for almost two years already The Flock multiplayer horror game Like us on Facebook!

1.01k views • 72 slides
CMS Subgroups in dCache 2.2 CMS T3 requirements for dCache We manage a CMS T3 cluster financed

CMS Subgroups in dCache 2.2 CMS T3 requirements for dCache We manage a CMS T3 cluster financed

CMS Subgroups in dCache 2.2 CMS T3 requirements for dCache We manage a CMS T3 cluster financed by 3 Swiss Institutes: PSI , UniZ , ETHZ ; during 2013 we will run 700TB net based on 2*NetApp E5400 + 4*Sun X4500 + 5*Sun X4540 ; Our user

210 views • 10 slides
dCache dCache in the in the NDGF Distributed Tier 1 NDGF Distributed Tier 1 Gerd Behrmann

dCache dCache in the in the NDGF Distributed Tier 1 NDGF Distributed Tier 1 Gerd Behrmann

dCache dCache in the in the NDGF Distributed Tier 1 NDGF Distributed Tier 1 Gerd Behrmann Second dCache Workshop Hamburg, 18 th of January 2007 NORDUnet A/S NORDUnet A/S The Nordic Regional Research and Educational Network (RREN)

520 views • 18 slides
How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache Team Contents Join the CMS XrootD Federation (AAA) Join the Atlas XrootD Federation (FAX) Install the Atlas Pool Monitoring Plugin Use the

645 views • 60 slides
IETF-64 2005-11-08 Mike Eisler email2mre-ietf@yahoo.com draft-eisler-nfsv4-impid-00.txt

IETF-64 2005-11-08 Mike Eisler email2mre-ietf@yahoo.com draft-eisler-nfsv4-impid-00.txt

draft-eisler-nfsv4-impid-00.txt draft-adamson-nfsv4-spkm3-00.txt IETF-64 2005-11-08 Mike Eisler email2mre-ietf@yahoo.com draft-eisler-nfsv4-impid-00.txt Problem: NFSv4.0 has no method for allowing clients and servers to provide to each

487 views • 7 slides

More recommend