Authentication

Renich Bon Ciric

Mar 24, 2012, 10:58:04 AM
to xtre...@googlegroups.com
Hello,

I've noticed that x509 authentication is available.

Is there a HowTo on this one?
Are there any other ways of allowing users to mount only their own volumes, while denying access to the world?

Jan Stender

Mar 27, 2012, 8:57:33 AM
to xtre...@googlegroups.com
Hi Renich,

Please note that there are different mechanisms in XtreemFS to handle
_authentication_ and _authorization_ of users. X.509 certificates can be
used to securely authenticate users (i.e., to ensure their identity in
an unforgeable manner), which, however, is independent of the question
of how to authorize users (i.e., to determine what they are allowed to do).

The alternatives to using X.509 certificates for user authentication are
the following:
- do it the default NFS way: assume that clients are trusted, and rely
on local user IDs (i.e., use the default 'NullAuthProvider');
- implement your own authentication provider that does something else
(e.g., LDAP).

For user authorization, the default setting is POSIX, which includes
normal permissions (rwx) as well as POSIX ACLs. To keep users other than
the owner from accessing a volume, it is sufficient to accordingly
restrict the access rights on the root volume (e.g., by changing the
mode to 700).

One thing missing in XtreemFS is the ability to limit the visibility of
volumes to their owners. Currently, every user can list and mount all
volumes that exist in the system, regardless of access rights and
authorization policies. To completely isolate users, XtreemFS would
require an additional authorization scheme that involves both the DIR
and MRC.

Best regards,
Jan
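
The permission restriction suggested in the reply above can be checked after the fact. The following is an added example, not part of the original post and not XtreemFS code: a shell function (hypothetical name `audit_volume_root`) that inspects the root directory of a locally mounted volume and reports anything beyond owner-only access. It assumes the mount point path is supplied by the caller and that `ls -ld` marks extra ACL entries with a trailing `+`, as GNU coreutils does.

```shell
#!/bin/sh
# Added example: audit the root directory of a mounted volume.
# Prints one finding per line. Returns 0 when only the owner has access,
# 1 when group/other bits or extra ACL entries are present, and
# 2 when the path is not a directory.
audit_volume_root() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not-a-directory"
        return 2
    fi
    # First field of `ls -ld` is the mode string,
    # e.g. "drwx------" or "drwxr-x---+".
    perms=$(ls -ld -- "$dir" | awk '{print $1}')
    group_bits=$(printf '%s' "$perms" | cut -c5-7)
    other_bits=$(printf '%s' "$perms" | cut -c8-10)
    acl_flag=$(printf '%s' "$perms" | cut -c11)
    rc=0
    # Special bits (setgid "s"/"S", sticky "t"/"T") also land in these
    # columns and are reported, since the target mode is a plain 700.
    if [ "$group_bits" != "---" ]; then
        echo "group-access:$group_bits"
        rc=1
    fi
    if [ "$other_bits" != "---" ]; then
        echo "other-access:$other_bits"
        rc=1
    fi
    # Assumption: a trailing "+" means POSIX ACL entries beyond the basic
    # owner/group/other triple exist and should be reviewed (getfacl).
    if [ "$acl_flag" = "+" ]; then
        echo "acl-present"
        rc=1
    fi
    return $rc
}

# When run as a script with a path argument, audit that path.
if [ $# -gt 0 ]; then
    audit_volume_root "$1"
fi
```

A clean result covers access to the volume's contents only; as the reply notes, other users can still list and mount the volume.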

Renich Bon Ciric

Mar 27, 2012, 10:50:32 AM
to xtre...@googlegroups.com

Ah, yes. Well, thanks a lot for the reply. This could be limited via
firewall settings, which isn't that bad. Then again, this mechanism
would be really nice in XtreemFS too ;)

--
It's hard to be free... but I love to struggle. Love isn't asked for;
it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric

http://www.woralelandia.com/
http://www.introbella.com/
