
This site is deprecated and will be decommissioned shortly. For current information regarding HPC visit our new site: hpc.njit.edu

Merge

From NJIT-ARCS HPC Wiki

Merging of cad.njit.edu and uis.njit.edu cells

The following are basic notes on the proposed merging of these two OAFS cells into one AuriStorFS cell.

Differences between AuriStorFS and OpenAFS (OAFS) BOS super user lists

(BOS (Basic OverSeer Server) super users are administrative entities that can modify the behavior of the bos server, which is responsible for running the basic processes on a cell's file servers and database servers.)

AuriStorFS BOS managed lists

  • UserListExt : full super user permissions
  • ReaderList : read-only permissions

OAFS BOS managed list

  • UserList : full super user permissions

Difference between AuriStorFS and OAFS Generic Security Service (GSS) naming

  • AuriStorFS uses the full GSS name of the Kerberos v5 principal
  • OAFS uses the first component of the Kerberos v5 principal

Therefore, if both Kerberos realms were trusted, OAFS would treat name@NJIT.EDU and name@CORESYS.NJIT.EDU as the same identity; AuriStorFS does not.

Cell management

  • ARCS principal names can be listed as the exclusive super users for the cad file servers, and CSO names for the uis file servers. This would permit only ARCS administrators to manage the volumes and BOS on the cad file servers and only CSO administrators to manage the volumes and BOS on the uis file servers.
  • The DB servers can be shared by the two groups. Both ARCS and CSO principals would be added to the DB server's super user list. That is necessary to perform administrative operations.
  • There is still one cell-wide key, the -localauth key, that is trusted by all servers. Any administrator with root access to that key can manipulate any of the servers.
  • The uis file servers can be configured with a policy that requires yfs-rxgk authentication and privacy for all connections (see page 6 of the AuriStorFS Fact Sheet). The uis volumes can also be assigned a matching policy. If the cad file servers are not configured with that policy then the uis volumes cannot be moved to the cad file servers intentionally or by accident unless the volume security policy is altered. Altering the policy is an audited event.

Kerberos principals management

  • If the NJIT.EDU and CORESYS.NJIT.EDU realms remain, the NJIT.EDU realm, which is much larger than the CORESYS.NJIT.EDU realm, would be the primary local realm, and the CORESYS.NJIT.EDU the foreign realm. The PTS entries for the UIS principals would be in the system:authuser@cso.njit.edu group and would have the form uisname@cso.njit.edu.
    • The system:authuser group would not include the members in the system:authuser@cso.njit.edu group.
    • Alternatively, if the principal names in the NJIT.EDU and CORESYS.NJIT.EDU realms must always represent the same entity if they exist in both realms, then the cell can trust both realms for identity and the UIS entities can be folded into system:authuser.
  • Alternatively, the CORESYS.NJIT.EDU realm can be incorporated into the NJIT.EDU realm.
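The following is an added illustration, not part of these wiki notes, of the two points above: how the GSS naming difference changes who matches a BOS super user list when two realms are trusted, and how a principal from the foreign CORESYS.NJIT.EDU realm would appear as a PTS name under the proposed local/foreign arrangement. The principal names, list contents and the realm-to-suffix table are constructed assumptions for the example.

```python
# Added example (not the wiki's or AuriStor's code): a toy model of OpenAFS (OAFS)
# versus AuriStorFS identity derivation from a Kerberos v5 principal, and the
# PTS naming described for the foreign realm. All names below are constructed.

def oafs_identity(principal):
    """OAFS keeps only the first component of the principal (before '@')."""
    return principal.split("@", 1)[0]

def auristor_identity(principal):
    """AuriStorFS keeps the full GSS name, realm included."""
    return principal

def identity(principal, flavor):
    return oafs_identity(principal) if flavor == "oafs" else auristor_identity(principal)

def is_superuser(principal, userlist, flavor):
    """Authorize a principal against a BOS super user list under one mapping."""
    return identity(principal, flavor) in userlist

# Constructed lists: an ARCS admin on the cad file servers' super user list.
OAFS_USERLIST = {"arcsadmin"}                   # OAFS UserList holds bare names
AURISTOR_USERLISTEXT = {"arcsadmin@NJIT.EDU"}   # UserListExt holds full GSS names

# Proposed arrangement: NJIT.EDU is the local realm, CORESYS.NJIT.EDU is foreign
# and its principals appear in PTS as uisname@cso.njit.edu (assumed mapping table).
LOCAL_REALM = "NJIT.EDU"
FOREIGN_REALMS = {"CORESYS.NJIT.EDU": "cso.njit.edu"}  # realm -> PTS suffix

def pts_name(principal):
    """PTS entry name for a principal; raises KeyError for an untrusted realm."""
    name, realm = principal.split("@", 1)
    if realm == LOCAL_REALM:
        return name
    return f"{name}@{FOREIGN_REALMS[realm]}"

def collisions(principals, flavor):
    """Identities that more than one distinct trusted principal maps onto."""
    seen = {}
    for p in principals:
        seen.setdefault(identity(p, flavor), set()).add(p)
    return {i: ps for i, ps in seen.items() if len(ps) > 1}
```

Under the OAFS mapping a same-named principal from the other trusted realm is granted the super user role; under AuriStorFS it is not unless its full name is listed.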

Migration of volumes, etc.

When migrating volumes from the uis.njit.edu cell to the cad.njit.edu cell a transformation process will be required to convert volume IDs, PTS IDs, etc., to unused values in the cad.njit.edu cell.

Migration Documentation

AuriStor migration