Lustre Security

C H A P T E R 26

Lustre Security

This chapter describes Lustre security and includes the following sections:

Using ACLs

Using Root Squash

26.1 Using ACLs

An access control list (ACL), is a set of data that informs an operating system about permissions or access rights that each user or group has to specific system objects, such as directories or files. Each object has a unique security attribute that identifies users who have access to it. The ACL lists each object and user access privileges such as read, write or execute.

26.1.1 How ACLs Work

Implementing ACLs varies between operating systems. Systems that support the Portable Operating System Interface (POSIX) family of standards share a simple yet powerful file system permission model, which should be well-known to the Linux/Unix administrator. ACLs add finer-grained permissions to this model, allowing for more complicated permission schemes. For a detailed explanation of ACLs on Linux, refer to the SuSE Labs article, Posix Access Control Lists on Linux:

http://www.suse.de/~agruen/acl/linux-acls/online/

We have implemented ACLs according to this model. Lustre supports the standard Linux ACL tools, setfacl, getfacl, and the historical chacl, normally installed with the ACL package.

Note - ACL support is a system-range feature, meaning that all clients have ACL enabled or not. You cannot specify which clients should enable ACL.

26.1.2 Using ACLs with Lustre

Lustre supports POSIX Access Control Lists (ACLs). An ACL consists of file entries representing permissions based on standard POSIX file system object permissions that define three classes of user (owner, group and other). Each class is associated with a set of permissions [read (r), write (w) and execute (x)].

Owner class permissions define access privileges of the file owner.

Group class permissions define access privileges of the owning group.

Other class permissions define access privileges of all users not in the owner or group class.

The ls -l command displays the owner, group, and other class permissions in the first column of its output (for example, -rw-r- -- for a regular file with read and write access for the owner class, read access for the group class, and no access for others).

Minimal ACLs have three entries. Extended ACLs have more than the three entries. Extended ACLs also contain a mask entry and may contain any number of named user and named group entries.

Lustre ACL support depends on the MDS, which needs to be configured to enable ACLs. Use --mountfsoptions to enable ACL support when creating your configuration:

$ mkfs.lustre --fsname spfs --mountfsoptions=acl --mdt -mgs /dev/sda

Alternately, you can enable ACLs at run time by using the --acl option with mkfs.lustre:

$ mount -t lustre -o acl /dev/sda /mnt/mdt

To check ACLs on the MDS:

$ lctl get_param -n mdc.home-MDT0000-mdc-*.connect_flags | grep acl acl

To mount the client with no ACLs:

$ mount -t lustre -o noacl ibmds2@o2ib:/home /home

Lustre ACL support is a system-wide feature; either all clients enable ACLs or none do. Activating ACLs is controlled by MDS mount options acl / noacl (enable/disableACLs). Client-side mount options acl/noacl are ignored. You do not need to change the client configuration, and the “acl” string will not appear in the client /etc/mtab. The client acl mount option is no longer needed. If a client is mounted with that option, then this message appears in the MDS syslog:

...MDS requires ACL support but client does not

The message is harmless but indicates a configuration issue, which should be corrected.

If ACLs are not enabled on the MDS, then any attempts to reference an ACL on a client return an Operation not supported error.

26.1.3 Examples

These examples are taken directly from the POSIX paper referenced above. ACLs on a Lustre file system work exactly like ACLs on any Linux file system. They are manipulated with the standard tools in the standard manner. Below, we create a directory and allow a specific user access.

[root@client lustre]# umask 027
[root@client lustre]# mkdir rain
[root@client lustre]# ls -ld rain
drwxr-x---  2 root root 4096 Feb 20 06:50 rain
[root@client lustre]# getfacl rain
# file: rain
# owner: root
# group: root
user::rwx
group::r-x
other::---
 
[root@client lustre]# setfacl -m user:chirag:rwx rain
[root@client lustre]# ls -ld rain
drwxrwx---+ 2 root root 4096 Feb 20 06:50 rain
[root@client lustre]# getfacl --omit-heade rain
user::rwx
user:chirag:rwx
group::r-x
mask::rwx
other::---

26.2 Using Root Squash

Lustre 1.6 introduced root squash functionality, a security feature which controls super user access rights to an Lustre file system. The root squash feature works by re-mapping the user ID (UID) and group ID (GID) of the root user to a UID and GID specified by the system administrator, via the Lustre configuration management server (MGS). Additionally, the root squash feature enables the Lustre administrator to specify a NID for which UID/GID re-mapping does not apply.

Note - Before the root squash feature was added, Lustre users could run rm -rf * as root and remove data which should not be deleted. Using the root squash feature prevents this outcome.

26.2.1 Configuring Root Squash

Root squash functionality is managed by two configuration parameters, rootsquash and nosquash_nid.

The rootsquash parameter specifies the UID and GID with which the root user accesses the Lustre file system.

The nosquash_nid parameter specifies a single NID to which root squash does not apply. For example:

nosquash_nid=172.16.245.1@tcp

In this example, root squash does not apply to TCP clients on subnet 172.16.245.1.

26.2.2 Enabling and Tuning Root Squash

By default, nosquash_nid is set such that root squashing applies to all clients. Setting the root squash UID and GID to 0 turns root squash off.

Root squash parameters can be set when the MDT is created (mkfs.lustre --mdt). For example:

mkfs.lustre	--reformat --fsname=Lustre --mdt --mgs \
	--param "mdt.rootsquash=500:501" \
	--param "mdt.nosquash_nids=0@lo" /dev/sda1

Root squash parameters can also be changed on an unmounted device with tunefs.lustre. For example:

tunefs.lustre --param "mdt.rootsquash=65534:65534"  \
--param "mdt.nosquash_nid=192.168.0.13@tcp0" /dev/sda1

Root squash parameters can also be changed with the lctl conf_param command. For example:

lctl conf_param Lustre.mdt.rootsquash="1000:100"
lctl conf_param Lustre.mdt.nosquash_nid="192.168.1.1@tcp"

When using the lctl conf_param command, remember the following:

lctl conf_param is to be used once per a parameter

lctl conf_param has to be run on the MGS node

Changes to the parameters made with lctl conf_param are permanent

To check root squash parameters, use the lctl get_param command:

lctl get_param mds.lustre-MDT0000.rootsquash
lctl get_param mds.lustre-MDT000*.nosquash_nid

Note - An empty nosquash_nid list is reported as 0@<0:0>.

Also, root squash parameters can be changed with lctl set_param command. For example:

lctl set_param mds.*-MDT0000.rootsquash=500:500

Changes to parameters using the lctl set_param command are not permanent; that is, previously set values are restored on remount.

26.2.3 Syntax Error Handling

The syntax for the nosquash_nid parameter is <address>@<type><networkid>. Examples of correct nosquash_nid syntax are 192.168.1.1@tcp and 4@elan8. There is no syntax checking for nosquash_nid. In case of a syntax error, nosquash_nid is set to the default value, LNET_NID_ANY.

The syntax for rootsquash is <decnum>':'<decnum>. Examples of correct rootsquash syntax are 500:501, 500 and :501. In case of a syntax error, Lustre commands handle the error in different ways:

mkfs.lustre and tune.lustre commands ignore the syntax error, and set the parameter to the default value, 0:0.

lctl set_param and lctl conf_param commands preserve the current rootsquash value. In the case of the lctl conf_param command, the incorrect parameter takes effect when the MDS restarts. The parameter is set to the default value, 0:0.