|Version 3 (modified by walt, 20 months ago)|
Access Control Project
PVFS implements standard Posix access control in the form of a file owner, group, and access control list. The client library gets the user id and group ids from the OS on the client and sends them along with requests to the server. Because PVFS is implemented at the user level, it is possible for a program to fake its identity and send it along to a server, thus bypassing the access control. Also, PVFS is highly distributed, with metadata stored separately from data, thus it is tricky to manage access control without resorting to shared state.
OrangeFS is implementing a new access control scheme. Two items are signed using a public key encryption scheme: credentials, which hold user identity info, and capabilities, which hold the results of access control decisions. All access control data is stored with a file's metadata. Clients send a credential which contains user attributes to the server holding the metadata. An access control decision is made using a policy that refers both to the user's attributes, and to the file's attributes. The result of the decision is that the user is granted specific access rights (read, write, etc.) to the specific data objects holding the file data. These objects may be on a different server. A capability records this information, is signed, and returned to the client. The client then uses the capability to access data objects.
Credentials and capabilities have timeouts and servers maintain revocation lists, both of which serve to limit the lifetime of the objects. Clients can cache these items to reduce the number of times they must be generated. Capabilities can be shared with other processes owned by the user.
Currently, the attributes used in this system are much the same as with Posix file systems: userid, group, etc., but more elaborate schemes can be developed using different attributes and corresponding access policies. Examples could include role based schemes or tiered security levels. OrangeFS does not handle authentication. An existing mechanism such as local login with password or remote authentication with Shibboleth can be used to generate a signed credential which is then used by OrangeFS.