Ceph CDS G/H, 25 Jun 2014

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: CDS G/H (Day 2) - CephFS: security & multiple instances in a single RADOS cluster

Description

https://wiki.ceph.com/Planning/CDS/CDS_Giant_and_Hammer_(Jun_2014)

25 June 2014
Ceph Developer Summit G/H
Day 2
CephFS: security & multiple instances in a single RADOS cluster

A

Hey we were uh home plate.

B

All right in multiple instances in a single dose cluster go all right. So this this blueprint is basically a plea for people to come and give us information about what they want to do, um um and, and so the reason for that is that one of the things that has been popular to talk about with with some of our developers lately has been adding support for multiple staff of s file systems within a single ratos cluster I.

B

Don't know that we're likely to implement it, but there are a couple of different approaches to how we can do it better bound up with and they sort of have different security versus convenience guarantees and security is also a thing which we know is a big deal for many people, so that I think will impact how we go about doing multiple file systems. If we ever do it. I want to talk about both of those.

B

So unfort I'm afraid I just dash this blueprint off, but there's sort of two approaches. You can see that I can see for doing multiple file systems.

B

um The first one is when the sages championed, which is where we say: okay, we're going to have a we're going to allow you know any number of of file systems within the cluster and we're going to do that by having multiple MDS maps that specify different pools for the data and metadata for each one, and that mean that we have a different set of MDS is for each file system and clients when they can act, have to tell you which file system they're connecting to so that has some advantages in terms of the file system code.

B

It's a lot simpler. It's it's more work in the met in the in the monitors, but it's very simple for the file system, because basically, nothing changes except that it has to deal with like when you're turning it on. You have to tell it which one it belongs to so I can tell the monitor it gets us some fairly effective, multi-tenancy features very very cheaply.

B

Just um we would need to sort of specify a much stronger, mdss defects on authentication capabilities system, so you can specify the file systems allowed to talk to, but once you do that, then basically, you can have physically segregated file systems or every tenant within a within a shared resource cluster.

B

The downside of that is that you have a different metadata server or cluster of metadata servers in a different set of radio schools for every file system. So there's no load sharing.

A

So the other way we can go up arrow is lasting. Different set off sandvine BSS.

B

Alright ever say standby mdss, no just a different set of mbss in general white. Each file system has its own with it are getting the map for that file system. Everything now I mean standbys her another thing the monitor has to cope with, but in terms of in terms of the generic stuff. That's not a real big deal, um good yeah, okay. So the alternative approach is one that I'm not sure that I'm I'm not sure that I'm a real big kind of this one either.

B

But it's sort of I think it's more philosophically in line with some of the things that cept was trying to do when it started out where it was sort of easing the job of the administrator, which is that we already have this system that allows you to mount a subtree of the file system on a client and and and stay within that sub tree.

B

um So we could put a little bit better fencing around that and a lot of syntactic sugar and basically just have multiple file system is implemented as directories within a file system with syntactic sugar around them, so that you can reasonably say.

B

I want this client to have access to file system, a which is just the directory in the route, but you know we don't work care about that, and then you get much better and then you don't need to make the changes to the to the monitor that allow multiple things within a clinton that'll allow multiple files from the cluster. You just have the syntactic sugar and you also get all the benefits of load balancing across your clients.

B

Of course, that means that you need a stable, multi, MDS implementation, the otherwise all your clients are stuck with one with one MDS, and also you need a real Wow system, security setup, which we don't have yet because you don't have any physical separation.

B

um But so that would be good to talk about, like which of those are more important to people who think they might deploy, something that something that looks like we'll tow file systems within a cluster. um But more importantly, or not, more importantly, but also I want to talk about, like the security expectation that people have, because.

A

B

Multi-Tenancy by way of multiple MDS isn't strong enough. Then it's less interesting as a thing to implement. If we're, if we already, if we would need to implement a serious and capable security system within our normal setup anyway, then maybe we just want to do that and not make all these changes to the monitor and allow for the for the sort of administrative simplicity of just having a big pool of metadata servers. um I don't have any answers.

B

They're, basically I'm hoping that I'll that people will hear about this and then come and tell us use cases that they have.

A

B

A

B

About this earlier I.

A

Thought I missed totally misunderstood your option too. I thought your often to was suggesting that you'd have one MDS map structure, but every field, and it would have liked Oh a map mapping file since all the different things I was like. That's not a good idea now that would be a poor idea.

A

Yeah yeah, so I think honestly. I think that both of these things are things that we want to do, and there are different reasons for doing each of them like option. Two is really just about having being able to have an MDS capability that locks you into a subdirectory because you're right this is this is so option. Two is totally the model that that I think we always envisioned in the past, where the whole point is that you don't want to have subvolumes.

A

You must want to have directories that you can do everything acknowledge these directories and you just mount a sub directories and lock and lock line into them. I think that the.

B

A

Is that there are a couple of things that doesn't capture it, doesn't give you fault, tolerance for performance isolation. So if you have one file systems, that's like just logs or something and another one. That's needs to be fast.

A

They all get sort of jumbled up into the in the same set, mdss and maybe I mean maybe you have administered commands that sort of lock subtrees into different classes, and you sort of structure have a service overlay, sub structure to your MDS cluster. Where you have you know you, it's not just a flat array of MDS is, but you say I want this subtree to stay on this and yes and this subtree to stay on that one.

A

I have that which would give you some of that, but I think just from like a from a high level.

A

You know if we did our job perfectly, then yes, but at the same time there's some.

A

You can imagine cases where you have different rooms of the data, so you could have had cluster that spans different data centers. You could have yeah.

B

A

I can hear cases a little bit more difficult in this.

B

Though um yeah, so it's not just about locking people into it into a certain location, um it would really be like having a proper security model, that's enforced on the server sides um yeah and the advantage to hats it to going through. All that trouble is that, then you can do things like have client have different tenant like have a tenant share its data with other dragons, whereas.

A

You can't do that at all. We do it yeah.

B

A

Definitely definitely with some servers. You know we want a workstation to be able to mount home user and be locked in there right. Like that's, that's it. That's it.

A

That's an important use case that we want to capture, and some of my way that I've always sort of imagined that would work would be that the India's capability, essentially for that FX user or whatever would would basically just say you know, allow MDS in path home, foo and then, and the MDS would just verify that the inodes that you're caching and operating on and doing all the stuff that they are just within that that sub tree, that was, that was sort of what how I assumed that might work um and that that captures sort of the like subvolume useless.

B

To your mat, there's more to it than that, though, like um for instance, I mean really what generally, what you would expect is that actually they can only do stuff in their own home directory, but then mate, but then maybe there is someone who's who's like got globally shared stuff. They want everyone to be able to just access from wherever game, though so I want to build yeah you guys as well um and.

A

And and the capability would would do that right, it would say, allow read/write, home, foo, allow read home shared or allow star get the whole thing. You know I right um dude, it's an access or what's a set of grants whatever you call that yeah.

B

Well but I mean putting.

A

All sitting waiting right, a.

B

Multi-Tenancy system, where it's not just different users in the falsa, but actually tenants within like a cloud data structure within a cloud data center, where one of them is like we're in general, they all do in private files. But then one of them is like I want to share this location of my stuff with everyone who comes along looking for it, and you can't just have them, and you can't just give everyone a grant to that.

A

B

It needs to be like, like a publicly available thing, that they can, that they can somehow ask for and just get hooked up, yah.

A

Yah yah yah, yah, okay,.

B

Zoe I mean and.

A

So that's I, guess that that, and also.

B

Sort of a mapping to the UNIX permissions, because, right now we just rely on the client to like not to be polite about it, whereas we wouldn't need some sort of remapping, saying: okay, there, this user internally and all that sort of thing, yeah.

A

I guess the so I think option two is: is it in my mind, is largely about security multi-tenancy and I think the the problem I has is it would? It would be difficult to convince a paranoid user that we've sort of cover all our bases, because our client-server protocol client india's protocol is inherently very trusting of the client.

A

So the clients are like allocating I nodes and doing all this they're doing all kinds of stuff, and so it it's it's a lot of it's a lot of holes to sort of clothes and convince them that even that they like can't exploit a bug in the end. Yes and oh so, whereas I think option one for me, is it's a little bit? It's even less about I, guess so, but consider, but it's more about the like the type of hardware deploying on and in having things that are completely independent.

A

So in the same way that you create a ratos pools that can be mapped to different hardware, you could create. You know file systems where you have I just want a completely different set of India I want like one MDS and I'm gonna like pound to death, because this is like a use case where it doesn't really matter and I'm going to map it onto a state of pool for a dose. Where is this other one, I'm gonna back it with something else?

A

That's my home directory and one to be totally independent from you know my databases or something you know this is it's the same way that you would you can create multiple reduce gateway zones within the with the cluster, and you have a different set of readers gateways that are sort of sitting in front of them, like you can architect the where the demons go and how they're mapped onto the Monta the radio Slayer? That way.

B

Anyway, I mean I.

A

Isolated cases.

B

For both of them, it's mostly just that I want to like ya, hear from users about what the overlaps are and sort of where their relative priorities are, because our two-week projects that we are unlikely to work on at the same time and I mean not necessarily soon either. But if it turns out that, like multiple MTS's are a key thing for a whole lot of people and it would satisfy their security requirements for eighty-five percent of use cases, then I'd become a lot more interested in working on it soon.

B

A

I think I think part of it comes down to in the cases where people want security. Isolation for that multi-tenancy. Is it because they want it for like hundreds of users or because they have like three use cases yeah that are like logically different like three tenants that could be satisfied by three independent Custer's? Or is it really that, like they want.

B

Every home directory.

A

They have their own little yeah. I. Think that that that's sort of for me determines whether it on whether it's sort of pushes things towards one or thur or not. I, think the other thing with option two is that the security enforcement that we need to address that it sort of is also the same thing we need to do in order to eliminate some of the trust on the client that you currently have when you're using, for example, stuff views or lips f of s yeah, where you have a potential user level process.

A

That is, you kind of have to grant. You know, root access to the the file phantom in order to know just like yeah I think the head, you use case might be one where that is gonna be covered like if you're running how to open it. Semi untrusted, environment.

A

B

A

Anybody who's in the room have questions I'm.

B

A

We leave that as the.

B

Yahoos little video.

A

A

All right good enough for me. Likewise, all.

B

A

B

A

That's that's the bulk of it. Then we have completed it. Micra done hooray, just good did it. I think my connection is is dying.

A