Hi,

Yes, it is possible to use nodemaps just to restrict the IP ranges from which 
clients can connect. To achieve this you can create 2 nodemap entries for your 
clients (in addition to the always recommended entry for servers):
- the first one, with the IP ranges you want to allow connections from, will 
have all properties set so that access is unmapped (no UID/GID mapping) and 
unrestricted;
- the second one, with the IP ranges you want to forbid connections from, will 
simply have the fileset property set to something like ‘/NULL’. Then, assuming 
that NULL is a directory that does *not* exist at the root of your Lustre file 
system, this will make clients belonging to this IP range fail to mount Lustre.
Depending on your addressing scheme, you might need multiple entries of each kind 
in order to cover all desired IP addresses.


Generally speaking, UID/GID mapping and SSK features are serving different 
purposes. You do not need one to benefit from the other, if that is the concern.

Cheers,
Sebastien.

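The configuration described in the reply above, written out as a script (an added example, not part of the original thread or of Lustre's own documentation). By default LCTL is set to "echo lctl", so the script only prints the commands it would run; on the MGS, run it with LCTL=lctl to apply them. The nodemap names (servers, allowed, denied), the server NID range, and the split of the 192.168.57.x@tcp1 client network into an allowed and a denied half are assumptions made for the example; /NULL must not exist at the root of the file system, exactly as the reply says.

```shell
#!/bin/sh
# Added example: nodemap entries that only restrict which NIDs may mount.
# LCTL defaults to "echo lctl" so the plan is printed rather than applied;
# set LCTL=lctl on the MGS to really run it.
LCTL="${LCTL:-echo lctl}"

SERVER_NIDS="192.168.10.[10-13]@tcp0"   # assumed: MGS, MDS and the two OSS
ALLOW_NIDS="192.168.57.[100-127]@tcp1"  # assumed: clients allowed to mount
DENY_NIDS="192.168.57.[128-254]@tcp1"   # assumed: clients that must not mount

# Set one nodemap property (admin, trusted, squash_uid, squash_gid, ...).
nodemap_prop() {
    $LCTL nodemap_modify --name "$1" --property "$2" --value "$3"
}

# Server entry: admin + trusted, so servers never get root squashed or IDs mapped.
setup_servers() {
    $LCTL nodemap_add servers
    $LCTL nodemap_add_range --name servers --range "$SERVER_NIDS"
    nodemap_prop servers admin 1
    nodemap_prop servers trusted 1
}

# Allowed clients: trusted=1 means no UID/GID mapping, admin=1 means root is
# not squashed, i.e. access is unmapped and unrestricted.
setup_allowed() {
    $LCTL nodemap_add allowed
    $LCTL nodemap_add_range --name allowed --range "$ALLOW_NIDS"
    nodemap_prop allowed admin 1
    nodemap_prop allowed trusted 1
}

# Denied clients: only the fileset matters. Pointing it at a directory that
# does not exist makes every mount from this range fail.
setup_denied() {
    $LCTL nodemap_add denied
    $LCTL nodemap_add_range --name denied --range "$DENY_NIDS"
    $LCTL nodemap_set_fileset --name denied --fileset /NULL
}

# Nothing takes effect until the nodemap feature is switched on.
activate() {
    $LCTL nodemap_activate 1
}

# Inspect the result (prints the lctl command in dry-run mode).
show() {
    $LCTL nodemap_info all
}

configure_all() {
    setup_servers
    setup_allowed
    setup_denied
    activate
    show
}

configure_all
```

Two practical notes: a NID that matches none of the ranges lands in Lustre's built-in "default" nodemap, so either make the denied ranges cover every address that is not explicitly allowed, or give the default nodemap the same non-existent fileset; and on releases that predate lctl nodemap_set_fileset the same property is set with lctl set_param nodemap.<name>.fileset=/NULL.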

> Le 23 juil. 2020 à 18:30, Kolacz, John Gilbert <[email protected]> a écrit :
> 
> Hi, 
>  
> I’m going to try to make this as TLDR minimal as possible.
>  
> I’m working on a project to provide better security for our lustre storage.
>  
> What I’ve found is plenty of info on nodemap with SSK, but I have a few 
> questions:
>  
> Can I set up nodemap so it allows full access and simply restricts the IP 
> ranges from which clients can connect?
>  
> Running lctl nodemap_info all, it looks like there is an option for squash_gid and 
> squash_uid. Does that mean I can turn those off?
>  
> If I use SSK, do I still have to set up UID and GID translations?
>  
>  
> My test environment:
>  
> Client at 192.168.57.100@tcp1 -> LNet router to tcp0 -> MGS at 
> 192.168.10.10@tcp0 (with MDS and 2 OSS)
>  
> LNet routing works, and I can give and take access using nodemap_activate 0/1.
>  
> Thanks,
>  
> John Kolacz
> HPCSYS FS 
>  
> _______________________________________________
> lustre-discuss mailing list
> [email protected]
> http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
