Scaling Security for Big, Parallel File Systems
Andrew Leung and Ethan Miller
University of California, Santa Cruz
{aleung, elm}@cs.ucsc.edu
FAST 2007 Work-in-Progress
Motivation
❖ Large systems hard to secure
  • Upwards of hundreds of thousands of nodes
  • Peta- to exabytes of data, gigabyte-size files
  • Files striped across thousands of devices
❖ HPC workloads are demanding
  • Highly parallel
  • Bursty, flash crowds, short inter-arrival times
  • Large, long-lasting I/O
❖ How do we scale security for such a file system?
  • Maat: security for big, parallel file systems
Extended Capabilities
[Figure labels: Client → open(), open(), open() → MDS; MDS signs one Extended Capability (Mode, T_start, T_end, Users root hash, Files root hash, Signature) that authorizes I/O for multiple users & files; Cap, Cap, Cap → OSD: Verify, Cache Cap, Perform I/O]
❖ Reduces capability generation
❖ Authorize I/O for any number of users and files
❖ Secured w/ asymmetric cryptography
❖ Enforces confinement w/ Merkle hash trees
Automatic Revocation
[Figure labels: capabilities C1 … Cn held by Client, MDS and OSD at times T1, T2, T3; remaining labels unreadable in the extraction]
❖ Revocation is scalable
❖ Capabilities have short lifetimes
❖ expiration = revocation
❖ Shift problem from revocation to renewal
Scalable, Secure Delegation
[Figure labels: Client creates Comp Pub/Prv compute keys; openg() with Path, Mode → MDS; MDS returns File Handle and Capability (T_s, T_e, Signature; cap names comp pub key); File Handle plus Pub/Prv Key passed to the computation; I/O, I/O, I/O → OSD]
❖ Secure group computation
❖ Open a file on behalf of many
❖ Delegate key pair rather than capability alone
❖ POSIX I/O extension: openg() and openfh()
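The three mechanisms on the preceding slides fit together in one OSD-side check: a capability signed by the MDS over two Merkle roots (users and files), a validity window [T_start, T_end] that makes expiry the only revocation, and a holder key named in the capability so that a compute group's delegated key pair, not just the client, can sign I/O. The following is an added, constructed example and not code from the slides, from Maat or from Ceph. The hash construction, the capability and request encodings, Ed25519 as the asymmetric signature scheme, and the user names, file names and times are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func leafHash(name string) []byte { h := sha256.Sum256([]byte("leaf:" + name)); return h[:] }

// nodeHash orders its two children, so a proof is a bare list of sibling hashes.
func nodeHash(a, b []byte) []byte {
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	h := sha256.Sum256(append(append([]byte("node:"), a...), b...))
	return h[:]
}

// merkleTree returns the root over names and each name's sibling path (its inclusion proof).
func merkleTree(names []string) ([]byte, map[string][][]byte) {
	proofs, level := map[string][][]byte{}, make([][]byte, len(names))
	for i, n := range names {
		level[i] = leafHash(n)
	}
	for depth := 0; len(level) > 1; depth++ {
		if len(level)%2 == 1 { // odd level: pair the last node with itself
			level = append(level, level[len(level)-1])
		}
		for i, n := range names { // leaf i's ancestor on this level is node i>>depth
			proofs[n] = append(proofs[n], level[(i>>depth)^1])
		}
		next := make([][]byte, len(level)/2)
		for i := range next {
			next[i] = nodeHash(level[2*i], level[2*i+1])
		}
		level = next
	}
	return level[0], proofs
}

// verifyProof recomputes the root from a leaf and its sibling path (OSD side).
func verifyProof(name string, proof [][]byte, root []byte) bool {
	h := leafHash(name)
	for _, sib := range proof {
		h = nodeHash(h, sib)
	}
	return bytes.Equal(h, root)
}

// Capability is a constructed toy of a Maat extended capability (field layout and
// encoding are this example's assumptions): I/O in Mode for every user under
// UsersRoot on every file under FilesRoot during [TStart, TEnd], signed by HolderPub.
type Capability struct {
	Mode                 string
	TStart, TEnd         uint64
	UsersRoot, FilesRoot []byte
	HolderPub            ed25519.PublicKey // client key, or a group key delegated via openg()/openfh()
	Signature            []byte            // MDS signature over signedBytes()
}

func (c *Capability) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%d|%x|%x|%x", c.Mode, c.TStart, c.TEnd, c.UsersRoot, c.FilesRoot, c.HolderPub))
}

// issueCapability is the MDS side of open()/openg(): one signature for all users and files.
func issueCapability(mdsPriv ed25519.PrivateKey, mode string, tStart, tEnd uint64, users, files []string,
	holder ed25519.PublicKey) (*Capability, map[string][][]byte, map[string][][]byte) {
	uRoot, uProofs := merkleTree(users)
	fRoot, fProofs := merkleTree(files)
	c := &Capability{Mode: mode, TStart: tStart, TEnd: tEnd, UsersRoot: uRoot, FilesRoot: fRoot, HolderPub: holder}
	c.Signature = ed25519.Sign(mdsPriv, c.signedBytes())
	return c, uProofs, fProofs
}

// authorize is the OSD check: MDS key, clock, two Merkle proofs and the named holder key; no revocation list.
func authorize(mdsPub ed25519.PublicKey, c *Capability, user, file, op string, uProof, fProof [][]byte, sig []byte, now uint64) error {
	switch {
	case !ed25519.Verify(mdsPub, c.signedBytes(), c.Signature):
		return errors.New("capability not signed by MDS")
	case now < c.TStart || now > c.TEnd:
		return errors.New("capability outside [T_start, T_end]: renew, do not revoke")
	case !verifyProof(user, uProof, c.UsersRoot):
		return errors.New("user not under the capability's user root")
	case !verifyProof(file, fProof, c.FilesRoot):
		return errors.New("file not under the capability's file root")
	case !ed25519.Verify(c.HolderPub, []byte(user+"|"+file+"|"+op), sig):
		return errors.New("request not signed by the capability holder")
	}
	return nil
}

// scenario: one capability for a compute group's delegated key pair, then four requests
// (valid; user outside the tree; after T_end; signed by a key the MDS never named).
func scenario() []error {
	mdsPub, mdsPriv, _ := ed25519.GenerateKey(rand.Reader)
	groupPub, groupPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	c, uP, fP := issueCapability(mdsPriv, "rw", 1000, 1300, []string{"alice", "bob", "carol"},
		[]string{"/sim/out.0", "/sim/out.1", "/sim/out.2", "/sim/out.3", "/sim/out.4"}, groupPub)
	try := func(user string, priv ed25519.PrivateKey, now uint64) error {
		sig := ed25519.Sign(priv, []byte(user+"|/sim/out.3|write"))
		return authorize(mdsPub, c, user, "/sim/out.3", "write", uP[user], fP["/sim/out.3"], sig, now)
	}
	return []error{try("bob", groupPriv, 1100), try("mallory", groupPriv, 1100),
		try("bob", groupPriv, 1301), try("bob", otherPriv, 1100)}
}

func main() {
	for i, err := range scenario() {
		fmt.Printf("request %d: %v\n", i, err)
	}
}
```

The point to notice is what the OSD does not need: no per-user capability, no per-file capability, and no revocation list. One signature verification covers the whole user and file sets, a sibling path of log₂(n) hashes confines each request to names the MDS actually authorized, and a capability that has passed T_end is simply refused until the client renews it. Because the capability names the group's public key rather than a single client, every process holding the delegated private key can issue I/O under it, while a key the MDS never named fails the last check even with a valid capability in hand.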
Status
❖ Initial design discussion in an earlier paper
❖ Being implemented in Ceph petascale, parallel file system
❖ Future work:
  • Scalable on-disk security
  • Explore untrusted remote storage
❖ Questions?