Hardware Reference
In-Depth Information
10.2.10 Capability-Based Security
OrangeFS 2.9 and later provide three modes of system-wide security: de-
fault, key-based, and certificate-based. All modes use standard file ownership
and permissions to control access to OrangeFS files and directories.
Default Security. This was the sole security mode used in OrangeFS prior
to v2.9. While it enforces standard file ownership and permissions, it was
unable to prevent a number of simple attacks as it relied on the client
library to provide the correct
uid
. It also was unable to prevent processes
from snooping the network to acquire object handles which could be used
to access data, circumventing the permission checks. The two following
security modes were developed to provide much more robust protection.
Key-Based Security. In key-based security mode, OrangeFS uses public
key cryptography to authenticate client systems. Each OrangeFS server
and client has a key pair (a public and a private key that are crypto-
graphically related). A file used by the servers, known as the keystore,
contains public keys for all servers and clients. Each server and client
has its own private key which is kept secret. All keys and the keystore
must be created together, and then copied to their appropriate locations.
The keys and keystore are created in a temporary folder on the build
system during the OrangeFS installation. When a client sends a request
to the server, it submits a credential object signed by its private key.
The server veries the signature using the client's known public key.
Certificate-Based Security with LDAP. In certificate-based security
mode, all servers share a common CA (certificate authority) certificate
with which all other certificates are associated. Figure 10.2 outlines the
basic function of certificate-based security mode. Each OrangeFS user
is assigned a unique certificate with an associated private key. The cer-
ticate is signed by the CA certicate and stored in the user's home
directory. The subject of the user certificate is mapped to a Linux
uid
or
gid
by the server, using an LDAP (Lightweight Directory Access
Protocol) directory. Each server knows where to reference the LDAP
directory through an entry in the OrangeFS configuration file.
10.2.11 Clients and Interfaces
OrangeFS is architected to allow a variety of interfaces for client access.
Figure 10.3 shows the seven interfaces currently supported. In some cases (such
as the Direct Interface), there are actually several layers of user-level interface
not shown in this diagram. There are experimental and under-development
interfaces in addition to all of these.
