rpc.fedfsd now uses an Access Control List and strong authentication to control who can perform ADMIN operations. Security warnings about using rpc.fedfsd are no longer needed.
Signed-off-by: Chuck Lever <[email protected]> --- README | 53 ++++++++++++++++++++++------------------------------- 1 file changed, 22 insertions(+), 31 deletions(-) diff --git a/README b/README index d236605..31d2355 100644 --- a/README +++ b/README @@ -20,13 +20,6 @@ guaranteed to work. Programming, administrative, and user interfaces may change significantly before the next release. This release is for technology preview only. -Warning: This package installs an externally visible RPC service that -allows creation and deletion of directories on all areas of a fileserver. -The security features of the FedFS ADMIN server code (RPCSEC GSSAPI) -have not yet been implemented. Until these features are implemented, -use careful judgement about deploying the FedFS ADMIN RPC service daemon -on production file servers. - Warning: The implementation in this package is based on internet draft standards that are still evolving. The current release of fedfs-utils may not be compatible with the next release of this package, nor with @@ -142,10 +135,11 @@ is available to support the use of this plug-in library. The fedfsd program is an RPC server that allows remote administrators to create FedFS junctions in local file systems. FedFS ADMIN requests that -can mutate local file system state are authenticated via RPCSEC GSSAPI -(not yet implemented). Run this program on NFS file servers that -participate in a FedFS federation to allow the management of FedFS -junctions on that server. +can mutate local file system state are authenticated via RPCSEC GSSAPI. +Run this program on NFS file servers that participate in a FedFS +federation to allow the management of FedFS junctions on that server. +The use of strong authentication (the Kerberos GSS mechanism) is highly +encouraged when deploying an FedFS ADMIN server. The command-line clients are used by FedFS adminstrators to manage the state of the local FedFS federation. These are simple clients that 
@@ -189,11 +183,10 @@ An entry for the FedFS ADMIN protocol in /etc/rpc: fedfs_admin 100418 -The fedfsd program requires rpcbind and libtirpc. In the future, it -will also require correctly configured RPCSEC GSSAPI on the system -where it is running. For example, to support Kerberos authentication, -Kerberos configuration files would have to be up to date, and a proper -keytab must be established. +The fedfsd program requires rpcbind and libtirpc. It requires correctly +configured RPCSEC GSSAPI on the system where it is running. For example, +to support Kerberos authentication, Kerberos configuration files have to +be up to date, and a proper keytab must be established. Distributors should provide an appropriate init script (or equivalent) to ensure that fedfsd is started after a system boot. The contrib/ @@ -213,9 +206,9 @@ libcap is required to permit rpc.fedfsd, nsdbparams, and the junction plug-in library to access trusted extended attributes in each file system. -The FedFS ADMIN clients require libtirpc. In the future, they will -also require correctly configured RPCSEC GSSAPI (usually Kerberos is -the preferred authentication flavor). +The FedFS ADMIN clients require libtirpc. They also require correctly +configured RPCSEC GSSAPI. Typically Kerberos with integrity is the +preferred authentication flavor. NSDB client components require LDAP libraries and support for TLS (namely, OpenSSL). 
@@ -238,18 +231,16 @@ Security considerations The FedFS network protocols employ standard network security mechanisms to authenticate servers and administrators. Therefore, -packaged support for RPCSEC GSSAPI (in the future) and LDAP over TLS -must be installed and configured correctly on the systems running -these programs. Further discussion of installation and configuration -of these packages is beyond the scope of this document. (To do: -implement RPCSEC GSSAPI support). - -FedFS ADMIN clients contact the FedFS ADMIN server with no -authentication today, but in the future will use RPCGSS security. -The FedFS administrator will authenticate to the ADMIN server when -performing operations that change the persistent state of the ADMIN -and file server (eg. creating junctions or setting NSDB connection -parameters). +packaged support for RPCSEC GSSAPI and LDAP over TLS must be +installed and configured correctly on the systems running these +programs. Further discussion of installation and configuration +of these packages is beyond the scope of this document. + +FedFS ADMIN clients contact the FedFS ADMIN server using AUTH_SYS +or RPCGSS security. The FedFS administrator authenticates to the +ADMIN server when performing operations that change the persistent +state of the ADMIN and file server (eg. creating junctions or +setting NSDB connection parameters). Before performing operations that change the persistent state of an NSDB node, NSDB clients should authenticate the server using the _______________________________________________ fedfs-utils-devel mailing list [email protected] https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel
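Review bot: In the hunk at @@ -20,13 +20,6 @@, deleting the deployment warning outright leaves no caution for the AUTH_SYS case, which the last hunk of this patch still lists as an accepted way to reach the ADMIN server ("using AUTH_SYS or RPCGSS security"). AUTH_SYS credentials are asserted by the client and are not cryptographically verified, so a server reached that way is not covered by the "strong authentication" the commit message relies on. Suggest replacing the removed paragraph with a shorter one saying that the service allows creation and deletion of directories and should be deployed with RPCSEC GSSAPI, instead of removing it entirely.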
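Review bot: In the hunk at @@ -142,10 +135,11 @@, the new text says mutating ADMIN requests "are authenticated via RPCSEC GSSAPI" and then, two sentences later, that strong authentication is only "highly encouraged"; the paragraph should state which of the two holds. If GSS is optional, say what the server does with a mutating request that arrives without it. Separately, "an FedFS ADMIN server" should read "a FedFS ADMIN server".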
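Review bot: In the hunk at @@ -213,9 +206,9 @@, "They also require correctly configured RPCSEC GSSAPI" is worded as a hard prerequisite for the ADMIN clients, while the Security considerations hunk says clients contact the server "using AUTH_SYS or RPCGSS security". Suggest "require ... when RPCSEC GSSAPI is used" or similar, so a reader can tell whether a client without Kerberos configuration is expected to work. The same wording question applies to "It requires correctly configured RPCSEC GSSAPI" for fedfsd in the preceding hunk.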
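Review bot: The rewritten Security considerations text in the hunk at @@ -238,18 +231,16 @@ never mentions the Access Control List that the commit message names as one of the two controls on ADMIN operations. Suggest adding a sentence on where the ACL is configured, what happens to a caller that is not listed, and which operations, if any, an AUTH_SYS caller may perform. The hunk also writes "RPCGSS" where the rest of the README uses "RPCSEC GSSAPI"; one name throughout would be clearer.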
