Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-17410

Add per-nodemap capabilities mask

Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • None
    • Lustre 2.16.0
    • None
    • 3
    • 9223372036854775807

    Description

      Please add a per-node mask version of the mdt.*.enable_cap_mask parameter.

      Attachments

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. LU-17431 dynamically configurable nodemap

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. LU-13791 Capabilities are not effective

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. LU-17569 move HSM capabilities to CAP_SYS_RESOURCE

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Activity

            [LU-17410] Add per-nodemap capabilities mask
            gerrit Gerrit Updater added a comment -

            "Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/57938
            Subject: LU-17410 sec: per-nodemap capabilities mask
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: e0695b637113b823987ca0d2024731f52df1ba14

            gerrit Gerrit Updater added a comment - "Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/57938 Subject: LU-17410 sec: per-nodemap capabilities mask Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: e0695b637113b823987ca0d2024731f52df1ba14
            adilger Andreas Dilger added a comment -

            Sebastien, do you have any thoughts on how difficult this would be to implement? It would add a new 64-bit capability mask to the nodemap config, which would be used in preference to the global enable_cap_mask parameter if it is set. We might consider a separate RBAC flag that indicates if the capability mask is a "set" or a "mask" on the client, so that it is possible to add capabilities (for a small number of admin or protocol export nodes) or reduce them (for e.g. remote data transfer nodes, or similar)?

            adilger Andreas Dilger added a comment - Sebastien, do you have any thoughts on how difficult this would be to implement? It would add a new 64-bit capability mask to the nodemap config, which would be used in preference to the global enable_cap_mask parameter if it is set. We might consider a separate RBAC flag that indicates if the capability mask is a "set" or a "mask" on the client, so that it is possible to add capabilities (for a small number of admin or protocol export nodes) or reduce them (for e.g. remote data transfer nodes, or similar)?

            People

              sebastien Sebastien Buisson
              adilger Andreas Dilger
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: