Securing MogileFS

Brad Fitzpatrick brad at danga.com
Thu Aug 25 08:31:14 PDT 2005


I'm working on an access control plugin for Perlbal (mogstored), but you
don't have to use Perlbal for your mogstoreds... you can just run Apache
and mod_dav.  Or you can use mogstored for PUT/DELETEing the files, and
run Apache in parallel for GETting the files.

I really don't recommend that, though, since it's trivial for end-users to
then enumerate all the files if they have direct access to Apache.

The way LiveJournal solves it is Perlbal and its internal redirect
feature.  mod_perl looks up where the files are, but then it just tells
Perlbal the address(es) and Perlbal handles shuttling the data to the user
at whatever rate, now that mod_perl isn't involved.

See:  http://danga.com/words/2005_oscon/

- Brad


On Wed, 24 Aug 2005, Brandon Ooi wrote:

> Hi,
>
> I have a couple questions/comments regarding MogileFS security.
>
> mogilefsd - It seems like mogilefsd was not built for clients to talk to
> directly but rather, indirectly. Securing mogilefsd should not be a
> problem.
>
> mogstored - This one is a little bit trickier. We would like to have the
> clients talk directly to the storage nodes (in order to reduce traffic
> on the trackers). However, it seems like there are no ACLs on mogstored.
> In fact it seems like a very slim webserver. This also means that
> anybody can GET, PUT and DELETE any file if the storage node is
> externally available. It would also be difficult to block this at the
> firewall stage (would require inspection of the HTTP packet request).
>
> One solution would be to shield the storage nodes with Squid caches and
> let the caches serve up everything. Out of curiosity, how have other
> people approached this problem?
>
> Brandon
>
>
>
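
The internal-redirect pattern described in the reply above, as an added example that is not part of the original thread or of LiveJournal's code: a Python WSGI backend stands in for mod_perl, makes the access decision, and returns only an `X-REPROXY-URL` header for Perlbal to fetch. The ACL table, file locations, host addresses and the `lookup_paths` helper are constructed for illustration, and the sketch assumes the Perlbal service in front has reproxying enabled.

```python
# Added example: backend behind Perlbal that authorizes, then reproxies.
# ACL, FILE_PATHS and host names are constructed sample data.
from urllib.parse import urlsplit

STORAGE_HOSTS = {"10.0.0.11:7500", "10.0.0.12:7500"}    # internal-only mogstored nodes
ACL = {"alice": {"photo/1001"}, "bob": {"photo/2002"}}  # user -> keys they may read
FILE_PATHS = {                                          # stand-in for a tracker lookup
    "photo/1001": ["http://10.0.0.11:7500/dev1/0/000/000/0000000017.fid",
                   "http://10.0.0.12:7500/dev4/0/000/000/0000000017.fid"],
    "photo/2002": ["http://10.0.0.12:7500/dev4/0/000/000/0000000031.fid"],
}

def lookup_paths(key):
    """Hypothetical stand-in for asking the tracker where a key is stored."""
    return FILE_PATHS.get(key, [])

def app(environ, start_response):
    """WSGI app: decide access here, let Perlbal fetch the bytes."""
    user = environ.get("REMOTE_USER", "")   # set by whatever auth layer sits in front
    key = environ.get("PATH_INFO", "").lstrip("/")
    if environ.get("REQUEST_METHOD") != "GET":
        # PUT/DELETE never reach the storage nodes through this path.
        start_response("405 Method Not Allowed", [("Allow", "GET")])
        return [b""]
    if key not in ACL.get(user, set()):
        # Same answer for "not yours" and "does not exist": no enumeration oracle.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    # Only hand Perlbal URLs that point at known storage nodes.
    urls = [u for u in lookup_paths(key) if urlsplit(u).netloc in STORAGE_HOSTS]
    if not urls:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    # Perlbal consumes this header (space-separated URLs) and streams the file
    # itself; the client never sees a storage address.
    start_response("200 OK", [("X-REPROXY-URL", " ".join(urls))])
    return [b""]
```

With this layout the storage nodes only need to accept connections from Perlbal and the trackers, so the firewall rule is a plain source-address filter rather than HTTP inspection.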

