IU Shared Secret Key authentication and encryption

Details

    • New Feature
    • Resolution: Fixed
    • Minor
    • Lustre 2.9.0
    • None
    • 8147

    Description

      Tracking bug for Indiana University's Shared Secret Key authentication and encryption security feature.

          Activity

            [LU-3289] IU Shared Secret Key authentication and encryption

            gerrit Gerrit Updater added a comment -

            Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/22626/
            Subject: LU-3289 gss: Change the handling of keys for SK
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 7b596ad0b36ec5f0281be368b67b7e624457de18

            gerrit Gerrit Updater added a comment -

            Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/22806/
            Subject: LU-3289 gss: don't build SSK if libssl-1.0+ not available
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: bbee5d1ae941a208d7a07d0348e835ab58ca90ce

            gerrit Gerrit Updater added a comment -

            Andreas Dilger (andreas.dilger@intel.com) uploaded a new patch: http://review.whamcloud.com/22806
            Subject: LU-3289 gss: don't build SSK if libssl-1.0+ not available
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 3d750b41a6892e5b19f3bab4de75ca4dd0b6c033

            gerrit Gerrit Updater added a comment -

            Jeremy Filizetti (jeremy.filizetti@gmail.com) uploaded a new patch: http://review.whamcloud.com/22801
            Subject: LU-3289 gss: Add autoconf check to prevent GSS with SLES11
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 2807d42f2dcead6092d4ffc58c1aaf9631e41253

            gerrit Gerrit Updater added a comment -

            Jeremy Filizetti (jeremy.filizetti@gmail.com) uploaded a new patch: http://review.whamcloud.com/22626
            Subject: LU-3289 gss: Change the handling of keys for SK
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 8ae0caabad096181b21ba7d7013662f928327738

            simmonsja James A Simmons added a comment -

            I created ticket LU-8602 for the crypto API changes in 4.6+ kernels.
            pjones Peter Jones added a comment -

            It really sounds to me like something to spin out into a separate ticket

            adilger Andreas Dilger added a comment -

            I just noticed that this ticket is closed, since the SSK code is landed for 2.9.0.

            James, can you please file a separate ticket for the crypto API changes for 4.6 so that this can be tracked separately.

            adilger Andreas Dilger added a comment -

            Since this affects the network protocol compatibility, I don't think we should allow arbitrary crypto algorithms for SSK. I argued in the past that we shouldn't even allow old algorithms like 3DES for Kerberos, but this might be needed for backward compatibility. For SSK the current plan is to allow only AES with varying key sizes. We'll need more input from Jeremy before this moves forward.

            simmonsja James A Simmons added a comment -

            I can do the work. The question is what approach should be done? Do I use the libcfs crypto APIs or the kernel internal APIs? There are pros and cons to both approaches. The main difference being that libcfs crypto is limited to the number of algos it supports and the digest size. If I am remembering right, the libcfs crypto APIs limit the digest to 64 bytes whereas the kernel's API can support up to 2K if I remember right.

            nrutman Nathan Rutman added a comment -

            The scope of Lustre 2.9 does not include support for such new kernels; we will defer any work for supporting 4.6 until Lustre 2.10.

            People

              jfilizetti Jeremy Filizetti
              adilger Andreas Dilger