One cluster, several apps: Authentication?

Brad Fitzpatrick brad at danga.com
Thu Aug 2 20:38:19 UTC 2007


Per-namespace security shouldn't be too hard.

I don't see myself getting to it anytime soon here, but there are several
people I know who'd be available for contracting work, if you don't feel
like hacking it out yourself.

Basically I'd:

-- add a new table of usernames and hashed passwords

-- add new column 'security' to namespace table (defaulting to 'none')

-- add new 'permissions' table linking userids and namespaces
   with one or more permission roles:
       read
       write
       admin  (not tied to a namespace, works on all...namespace 0?)
       ...

-- for bootstrapping, allow localhost connection on a mogilefsd machine,
   using mogadm, to be an admin.

-- perhaps change mogstored to block the DELETE method for each of
   perlbal, lighttpd, and apache, and make delete be a mogstored
   side-channel command that the mogilefsd has to do (with some auth
   so the mogstored knows it's talking to a mogilefsd process,
   and not a malicious user).  not that this wouldn't stop unauthorized
   reads of random inodes (nnnnnnnn.fid files), but at least the
   malicious user wouldn't know how to map either between inode
   numbers and names, so it's possibly not a big deal, at least for
   your use case.

-- keep per-connection authentication info, pass to query workers
   with each request.

-- add new "get_challenge" and "authenticate" commands to protocol,
   and let queryworkers set state in parent process once authenticate
   passes.  (so parent process can keep sending authenticated
   user with all future requests on same connection)


That's a rough sketch, at least.


On Thu, 2 Aug 2007, Luis Zarrabeitia wrote:

>
> Hi there.
> I work at a university, and frequently there are
> students/professors/researchers asking for (reliable) disk space for the apps
> they develop. Some of those may make it to production, some of them don't,
> but it is a shame that lack of storage may stop them. For most of their
> needs, MogileFS seems to be a great solution, so I'm planning to set up a
> Mogile cluster.
>
> The problem is, it will be hosting files for different apps, developed by
> different people. There is an obvious use for namespaces there, but:
>
> * is there some kind of access control? Could I say "this app/user/whatever
> can only read/write/whatever from this namespace"? (ideally, per-file
> settings would be better, but per-namespace is enough for now).
>
> * As disk space is scarce, a similar setting for the replication classes would
> be great: "this user/app/whatever can only put files in class 'development'
> with a repcount of 2, this other can put them in class 'production' with
> repcount 3, etc".
>
> I have neither installed Mogile nor read the sources yet, but from the
> documentation, it seems neither of those is possible right now. (In fact, I
> can't even find anything about security: how to prevent a computer on the
> network from connecting to the daemon and deleting files/devices). Am I wrong?
> Would it be too hard/disruptive to add at least the first one? Where should I
> start?
>
> (I fear perl... but not nearly enough to walk away from this project :D)
>
> --
> Luis Zarrabeitia (aka Kyrie)
> Fac. de Matemática y Computación, UH.
> http://profesores.matcom.uh.cu/~kyrie
>
>
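The per-namespace scheme sketched above (a users table holding hashed passwords, a permissions table of read/write/admin roles with admin living in namespace 0, and get_challenge/authenticate commands that set per-connection state), worked through as an added, self-contained model in Python. This is illustrative code, not mogilefsd's; the in-memory "tables", PBKDF2 hashing, HMAC challenge-response and the sample accounts are all assumptions.

```python
import hashlib, hmac, os, secrets
# Constructed sample state standing in for the tables in the sketch (not MogileFS data).
NAMESPACE_SECURITY = {0: "auth", 1: "auth", 2: "none"}  # new 'security' column, default 'none'
ADMIN_NAMESPACE = 0                                      # admin role lives here and covers all namespaces
USERS = {}                                               # username -> (salt, PBKDF2 hash)
PERMISSIONS = {("alice", 1): {"read", "write"},          # (user, namespace) -> roles
               ("bob", 1): {"read"}, ("root", ADMIN_NAMESPACE): {"admin"}}
ITERATIONS = 100_000

def add_user(username, password):
    salt = os.urandom(16)   # store only a salted hash, never the password
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))

def client_response(password, salt, nonce):
    # Client side: rederive the hash and MAC the server's nonce with it (password never sent).
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(pw_hash, nonce, "sha256").digest()

class Connection:
    """Per-connection auth state the parent process keeps and passes to query workers."""
    def __init__(self):
        self.pending = None   # (username, nonce) awaiting 'authenticate'
        self.user = None      # set only after 'authenticate' succeeds
    def get_challenge(self, username):
        if username not in USERS:
            return None
        salt, _ = USERS[username]
        nonce = secrets.token_bytes(32)
        self.pending = (username, nonce)
        return salt, nonce
    def authenticate(self, username, response):
        if self.pending is None or self.pending[0] != username:
            return False
        _, nonce = self.pending
        self.pending = None   # one challenge, one attempt: a captured response cannot be replayed
        expected = hmac.new(USERS[username][1], nonce, "sha256").digest()
        if hmac.compare_digest(expected, response):   # constant-time comparison
            self.user = username
            return True
        return False

def authorized(conn, namespace, op):
    """'none' namespaces stay open; otherwise require a login and a matching role."""
    if NAMESPACE_SECURITY.get(namespace, "none") == "none":
        return True
    if conn.user is None:
        return False
    if "admin" in PERMISSIONS.get((conn.user, ADMIN_NAMESPACE), set()):
        return True
    return op in PERMISSIONS.get((conn.user, namespace), set())

add_user("alice", "alice-pw"); add_user("bob", "bob-pw"); add_user("root", "root-pw")  # constructed accounts
```

With this style of challenge-response the stored hash is itself enough to answer a challenge, so the users table needs the same protection as the passwords it replaces.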