We currently offer an NFS v3 service that people can purchase. It's relatively inexpensive and basic, but that's what folks like. They can access it from their desktop and then access the data on a cluster to do compute jobs. However, it doesn't meet the requirements of being able to store sensitive data - like ePHI.
I've been exploring the route of NFS v4 with Kerberos, but the Linux client leaves a lot to be desired. Additionally, folks are so used to how NFS v3 works that introducing Kerberos into the mix is challenging.
How are other groups (business, academic, whatever), addressing security, yet doing it in an inexpensive manner and allowing cross-platform access? Is anyone doing NFS v4 (or v3) with Kerberos today?
Thanks, Mike Garrison
I've been working on Kerberos + NFSv4. There's a reason it's not common though - there are a lot of hoops to jump through to get it "working" in a way that's suitably convenient. It's not too bad on RHEL6, but on 5 you've got to do a bit more messing around with host nfs principals than I like (you need an NFS service principal to mount your KRB mount in the first place).
The thing we like though, is that NFS4 + KRB is quite a lot closer to CIFS styles. Within RHEL6 you can use 'net ads' to do a lot of the integration with Active Directory, including keytab generation, which makes it fairly convenient.
The thing we've had most trouble with, though, is root mounts - it's irritatingly difficult to get the root user on an NFS client set up in Kerberos. Fortunately, you can also do mixed security mode exports from your filer, and designate your 'admin' host as a valid system to mount 'sec=sys'. Or you can configure Kerberos root service principals (which is probably the _right_ way of doing it).
On 7 November 2014 21:53, Michael Garrison mcgarr@umich.edu wrote:
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
I work for NetApp and while I’m not really involved in general file services projects, I see the email discussions internally and I know adoption of NFSv4 is quite widespread. It’s a routine customer practice to just go to NFSv4. It’s not just file services, there are applications like WebSphere that leverage some of the features of NFSv4.
There were some growing pains with AIX and Linux for a while, but recent versions of all OSes seem just fine with NFSv4. I’ve worked on some internal projects relating to databases where we beat up NFSv4 with various workloads and we didn’t run into any problems with performance or stability.
There was some use of kerberized NFSv3, but it never really caught on much.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Michael Garrison Sent: Friday, November 07, 2014 10:53 PM To: toasters@teaparty.net Subject: "Sensitive data" storage needs
Hi Jeff,
For clarification - Are you saying it's routine for customers to do NFSv4 with Kerberos? Or just NFSv4 sec=sys style?
-- Mike Garrison
On Sat, Nov 8, 2014 at 12:13 AM, Steiner, Jeffrey <Jeffrey.Steiner@netapp.com> wrote:
Mostly v4 without Kerberos, but the v4 RFC kind of implies that it’s expected to use Kerberos with v4 to ensure full security.
We’re seeing more and more Kerberos adoption with v4, however. And v4 is becoming more widely accepted as a standard, including application vendors that are requiring NFSv4 for their platforms.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Michael Garrison Sent: Monday, November 10, 2014 11:35 AM To: Steiner, Jeffrey Cc: toasters@teaparty.net Subject: Re: "Sensitive data" storage needs
I presumed kerberos, but I’m not actually sure what they’re doing in the end. I just see the email traffic and occasionally field a question related to the host OS patch level.
From: Michael Garrison [mailto:mcgarr@umich.edu] Sent: Monday, November 10, 2014 5:35 PM To: Steiner, Jeffrey Cc: toasters@teaparty.net Subject: Re: "Sensitive data" storage needs
We’re piloting NFSv3 with Kerberos in our environment. See http://snia.org/sites/default/files2/SPDEcon2013/presentations/Security/Greg... for some details. The main goal is to overcome the 16-GID limitation.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Michael Garrison Sent: Friday, November 07, 2014 23:53 To: toasters@teaparty.net Subject: "Sensitive data" storage needs
--------------------------------------------------------------------- Intel Israel (74) Limited
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.
7mode allows you to get past the 16 GID limitation by extending GIDs out to 256.
cDOT will offer that parity in the upcoming release – but it will allow 1024.
As for Kerberos, NFSv4, etc… it is challenging to set up, but once you have a working infrastructure, implementing it is no problem.
TR-4073 covers this in detail.
http://www.netapp.com/us/media/tr-4073.pdf
I hear the guy who wrote it is cool, too.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Touretsky, Gregory Sent: Sunday, November 09, 2014 2:30 AM To: Michael Garrison; toasters@teaparty.net Subject: RE: "Sensitive data" storage needs
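The 16-GID limit that Greg and Justin refer to is a property of the AUTH_SYS credential itself, not of any one filer. The following is an added example, not code from the thread or from NetApp: it encodes and decodes the AUTH_SYS credential body from RFC 5531, whose XDR declares the supplementary group list as `gids<16>`, so a user in more groups than that simply cannot present them on the wire (RPCSEC_GSS/Kerberos carries only the principal and lets the server resolve group membership, which is how kerberized NFS gets past the cap). All function names are mine, and the sample user/GIDs are constructed.

```python
import struct

AUTH_SYS = 1                 # RPC auth flavor number for AUTH_SYS/AUTH_UNIX (RFC 5531)
MAX_GIDS = 16                # RFC 5531: `unsigned int gids<16>`
MAX_MACHINENAME = 255        # RFC 5531: `string machinename<255>`


def _xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte big-endian length, data, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * ((-len(data)) % 4)


def encode_authsys_cred(stamp, machinename, uid, gid, gids, strict=False):
    """Encode the AUTH_SYS credential body (authsys_parms in RFC 5531).

    With strict=False the supplementary list is cut to the first 16 entries,
    which is what an AUTH_SYS client must do to put it on the wire; with
    strict=True a ValueError is raised instead, so an admin tool can flag
    users who would silently lose access through their later groups.
    """
    name = machinename.encode()
    if len(name) > MAX_MACHINENAME:
        raise ValueError("machinename longer than 255 bytes")
    if len(gids) > MAX_GIDS:
        if strict:
            raise ValueError(
                f"{len(gids)} supplementary GIDs, AUTH_SYS carries at most {MAX_GIDS}")
        gids = list(gids)[:MAX_GIDS]
    body = struct.pack(">I", stamp) + _xdr_opaque(name) + struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def decode_authsys_cred(body: bytes) -> dict:
    """Parse a credential body back into a dict, rejecting malformed lengths."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    off = 8
    name = body[off:off + name_len].decode()
    off += name_len + ((-name_len) % 4)
    uid, gid, n = struct.unpack_from(">III", body, off)
    off += 12
    if n > MAX_GIDS:
        raise ValueError("malformed AUTH_SYS credential: more than 16 gids")
    gids = list(struct.unpack_from(">%dI" % n, body, off))
    off += 4 * n
    if off != len(body):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid, "gids": gids}


def groups_lost_to_authsys(gids):
    """Supplementary groups an AUTH_SYS client cannot present: everything past 16."""
    return list(gids)[MAX_GIDS:]


if __name__ == "__main__":
    # Constructed user: uid 1000, primary gid 1000, 20 supplementary groups.
    many = list(range(100, 120))
    cred = decode_authsys_cred(encode_authsys_cred(1, "node01", 1000, 1000, many))
    print("sent on the wire:", cred["gids"])
    print("dropped:", groups_lost_to_authsys(many))
```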
yeah, I heard Bikash Roy Choudhury is cool!! :)
On Nov 9, 2014, at 5:35 PM, Parisi, Justin Justin.Parisi@netapp.com wrote:
Thanks Greg! Have you implemented any type of automated keytab generation/management system?
The hard part in our environment is that, for the most part, I have no control over client machines and what they are doing. Our renewable ticket lifetime maxes out at 7 days; we could discuss changing that or generating keytabs for people to use, but we have to train researchers/their support staff on properly executing long-running jobs, etc.
We have an OpenAFS cell here and it's always been a struggle for clients to install that. In my experience, Kerberized NFSv4 (or v3) Linux support is far behind where the AFS client is, not to mention the lack of Windows or OS X support (unless things have changed since last time I looked). Even if everything is in place, I believe that a lot of folks will see what it takes to implement it properly and decide to do something else.
I appreciate all the feedback from everyone so far, Mike Garrison
On Sun, Nov 9, 2014 at 2:30 AM, Touretsky, Gregory <gregory.touretsky@intel.com> wrote:
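Mike's point about the 7-day renewable lifetime versus long-running jobs is something a scheduler wrapper can check before a job is accepted. The following is an added example, not code from the thread or from any site mentioned in it: it parses MIT krb5 `klist` output (the constructed sample below uses klist's default US timestamp layout, which is an assumption since klist follows the locale) and reports whether a job's walltime fits inside the TGT's renew-until deadline, assuming something on the node keeps renewing the ticket before each expiry. Function names and the sample principal are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed klist output: a 10-hour ticket, renewable for 7 days.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mike@EXAMPLE.EDU

Valid starting       Expires              Service principal
11/10/2014 08:00:00  11/10/2014 18:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
\trenew until 11/17/2014 08:00:00
11/10/2014 08:01:12  11/10/2014 18:00:00  nfs/filer.example.edu@EXAMPLE.EDU
\trenew until 11/17/2014 08:00:00
"""

TS = "%m/%d/%Y %H:%M:%S"                      # assumed klist timestamp layout
_TS_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_ENTRY_RE = re.compile(rf"^({_TS_RE})\s+({_TS_RE})\s+(\S+)$")


def parse_klist(text):
    """Return one dict per ticket: start, expires, service, renew_until (or None)."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append({
                "start": datetime.strptime(m.group(1), TS),
                "expires": datetime.strptime(m.group(2), TS),
                "service": m.group(3),
                "renew_until": None,
            })
        elif line.strip().startswith("renew until") and entries:
            # Continuation line belongs to the ticket just parsed.
            stamp = line.split("renew until", 1)[1].strip()
            entries[-1]["renew_until"] = datetime.strptime(stamp, TS)
    return entries


def tgt_deadline(entries):
    """Latest moment the TGT can still be valid: renew_until if renewable, else expires."""
    for e in entries:
        if e["service"].startswith("krbtgt/"):
            return e["renew_until"] or e["expires"]
    return None


def job_fits_ticket(klist_text, submit_at, walltime_hours):
    """Decide whether a job submitted at `submit_at` (klist timestamp string)
    with the given walltime can finish before the TGT becomes unrenewable.
    Returns (ok, reason)."""
    deadline = tgt_deadline(parse_klist(klist_text))
    if deadline is None:
        return False, "no TGT in cache"
    end = datetime.strptime(submit_at, TS) + timedelta(hours=walltime_hours)
    if end <= deadline:
        return True, f"job ends {end:{TS}}, TGT renewable until {deadline:{TS}}"
    return False, (f"job ends {end:{TS}} but TGT cannot be renewed past "
                   f"{deadline:{TS}}; the job would lose access to the Kerberized mount")


if __name__ == "__main__":
    for hours in (72, 240):
        print(hours, "h:", job_fits_ticket(SAMPLE_KLIST, "11/10/2014 09:00:00", hours))
```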
We don’t want to use keytabs for regular users due to security concerns. For interactive servers, we integrated kinit as part of the X unlock process. So every time a user unlocks his screen (at least once a day), he gets a new ticket on that interactive server. From there, when a user tries to connect to another server via SSH, it will transfer the ticket. We use an internally developed grid management system; we added support in this system for ticket transfer and distribution between all compute servers where the user’s job is landing.
For faceless accounts, cron jobs, etc., we’ve developed a special distributed system to store keytabs, and it is accessed to get a ticket when needed.
From: Michael Garrison [mailto:mcgarr@umich.edu] Sent: Monday, November 10, 2014 18:48 To: Touretsky, Gregory Cc: toasters@teaparty.net Subject: Re: "Sensitive data" storage needs