NFSRODS v1.0.0

June 9-11, 2020

User Group Meeting

Virtual Conference

Kory Draughn

korydraughn@renci.org

Software Developer, iRODS Consortium

NFSRODS v1.0.0

NFSRODS v0.8.0 - Authorization Model

  • Mapped traditional Unix permissions
  • No group support
  • Used world permissions

NFSRODS - What's changed since v0.8.0?

  • Permissions are now managed via NFSv4 ACLs
  • Groups are fully supported
  • Added SSL support
  • Added support for LDAP and AD via sssd
  • Made it possible to retrieve the Git SHA of your deployment
  • NFSRODS properly closes iRODS connections
  • NFSRODS correctly handles listing of large collections
  • Testing via BATS

NFSRODS v1.0.0 - Authorization Model

  • Maps iRODS permissions to/from NFSv4.1 ACLs.
  • Traditional UNIX permissions are only set for the owner.
  • Permissions managed via nfs4_getfacl and nfs4_setfacl.
  • Collections are always executable, while data objects are never executable.

NFSRODS - Enabling SSL/TLS

$ cat /home/ubuntu/nfsrods_config/server.json
{
    "irods_client": {

        "ssl_negotiation_policy": "CS_NEG_REQUIRE"
    }
}

1. NFSRODS Configuration (shaved down for conciseness):

Could also be set to CS_NEG_DONT_CARE.

2. Launch the NFSRODS Docker container with your SSL certificate:

$ docker run -d --name nfsrods \
        -p 3000:2049 \
        -v /home/ubuntu/nfsrods_config:/nfsrods_config:ro \
        -v /etc/passwd:/etc/passwd:ro \
        -v /<full/path/to/certificate.crt>:/nfsrods_ssl.crt:ro \
        irods/nfsrods:latest

NFSRODS - Enabling sssd

$ docker run -d --name nfsrods \
        -p 3000:2049 \
        -v /home/ubuntu/nfsrods_config:/nfsrods_config:ro \
        -v /var/lib/sss:/var/lib/sss \
        irods/nfsrods:latest

Launch the NFSRODS Docker container with the sssd socket:

Thanks to Jonathon Anderson, NFSRODS can use sssd to resolve users and groups as an alternative to /etc/passwd.

Enables support for LDAP and Active Directory.

NFSRODS - Future Work

  • Hard Links
  • Parallel Transfer
  • Performance (e.g. "ls")
  • Unit Testing
  • NFStest - POSIX Filesystem Level Access Testing

 

  • SMBRODS - Possible sister project to make iRODS accessible to Microsoft Windows machines

Questions?

  • Thank you!

 

  • This version (NFSv4.1) of NFSRODS was built by:
    • Kory Draughn, iRODS Consortium
    • Alek Mieczkowski, iRODS Consortium
    • Mike Conway, NIH/NIEHS
    • Jason Coposky, iRODS Consortium
    • Terrell Russell, iRODS Consortium

 

  • Inspired by work (NFSv3) presented at UGM2016 (slides, paper):
    • Danilo Oliveira, Center for Informatics UFPE, Brazil
    • I. Fé, Center for Informatics UFPE, Brazil
    • A. Lobo Jr., Center for Informatics UFPE, Brazil
    • F. Silva, Center for Informatics UFPE, Brazil
    • G. Callou, Center for Informatics UFPE, Brazil
    • V. Alves, Center for Informatics UFPE, Brazil
    • P. Maciel, Center for Informatics UFPE, Brazil
    • Stephen Worth, EMC Corporation

 

  • Preliminary testing provided by:
    • Bristol Myers Squibb
    • University of Colorado Boulder Research Computing
Made with Slides.com