UID/GID Mapping: Difference between revisions

Introduction

Using Nodemap, UIDs, GIDs and PROJIDs provided by remote clients can be mapped onto a local set of UIDs, GIDs and PROJIDs for storage in the filesystem. Non-overlapping ranges of UID, GID, PROJID would be used from the filesystem to cater to different subsets of users.

The Nodemap functionality also allows restricting client sub-groups to mount only a specific subdirectory tree of the filesystem, rather than the whole filesystem (Subdirectory Mount).

You may find Nodemaps useful if:

• You need to prevent UID, GID, and PROJID collisions between clients in different administrative domains
• Two or more partner organizations would like to share data in the same filesystem
• You can limit access from a partner site
• You can limit administrator/root access to the filesystem
• Force clients to mount the filesystem read-only
• Specifying a subdirectory for clients (e.g. multi-tenancy)
• Selectively enable audit logging for clients
• Selectively enable client-side data encryption

Resources

• IU UID/GID Mapping Feature (LU-3291)
• OpenSFS Contract SFS-DEV-002
  • UID-GID Scope Statement v2
  • UID-GID Solution Architecture
  • UID-GID High Level Design

Presentations

• Multi-tenancy: real-life implementation (LUG 2018)
• Securing Lustre with Nodemap and Shared Key (Lustre Ecosystem 2016)
• Using UID Mapping in Lustre 2.7 and GSS Shared Key Update (LUG 2015)