File:LUG2019-Lustre Security-Buisson.pdf

Today, parallel file systems are no longer just scratch space, and using Lustre for user home or project directories has become commonplace in non-traditional HPC domains. Some organizations are obliged to comply with new standards, rules, and methods that require security hardening. High-performance file systems are increasingly inserted into ‘Enterprise’ workflows that require sophisticated security configurations. File systems now have to support technologies that have been designed and developed with enhanced security in mind.

Under these circumstances, Lustre endeavors to fulfill various security requirements, such as authentication, access control, network security, multi-tenancy, encryption, or audit. Unfortunately, a number of these security requirements may sound complicated or unfamiliar to people in charge of file system deployment and administration.

Taking a pedagogical approach, this presentation explains how each of these security requirements can be achieved with the community versions of Lustre shipping today. We detail the features involved in each requirement and show how each feature can be implemented to meet it, with the intention of making this a less daunting prospect for those responsible for deploying and administering file systems.

Of course, there is still room for further improvements in the security area, so we will also mention what additional development is currently in progress for each of the requirements. This includes new features being added to future community versions of Lustre, like encryption directly at the Lustre client level, but also stabilization efforts and endeavors to expand the documentation.