[Federated-fs] FedFS Minutes, 8/28/2008
James Lentini
jlentini at netapp.com
Fri Aug 29 07:25:43 PDT 2008
FedFS Minutes, 8/28/2008
------------------------
Attendees
---------
Dan Ellard (BBN)
Renu Tewari (IBM/ARC)
Robert Thurlow (Sun)
Paul Lemahieu (EMC)
James Lentini (NetApp)
Manoj Naik (IBM/ARC)
Theresa Lingutla-Raj (NetApp)
Amy Weaver (NetApp)
Minutes
-------
+ Feedback on Dan's changes to the NSDB Protocol document
- Definition of a Junction
The term junction is used to mean different things in different places.
In some instances, a junction is an object internal to a server while in
other places it is an external object. The suggestion was to clarify this
terminology.
Dan explained that the junction key is used to name the relation between
two filesets that are linked by a junction. For each junction in the name
space, there will be a junction key. A junction key is an attribute of a
junction object.
There was an earlier meaning of the term junction key in the specification.
Dan believed he has removed these uses.
It appears that the text in section 6.2.2 on page 15 is using the older
definition of a "junction key". This text should be updated.
To clarify the terminology, the junction key in the LDAP schema could be
changed to a junction UUID.
- Clarification of the root fileset?
The goal is to provide a federation wide namespace, not a global namespace.
The conclusion was that section 3.7 needs to be expanded/revised.
- How are NSDBs replicated?
The idea is that NDSBs would be replicated, but entries in an NSDB
would not be replicated to other NSDBs.
This is the proposed approach because it matches the features of
different LDAP implementations. Support for replication between two
arbitrary LDAP implementations (e.g. OpenLDAP and Active Directory) is
not available.
Dan believes that there may be a paragraph describing this in the document.
He will either add or augment the existing text.
- Consistency checks of the objects definitions
Some of the descriptions in section 3.3 and the LDAP definitions are not
consistent.
For example, the text describing the FSL definition is different from
LDAP definition (there are different fields).
- Description of LDAP protocol versus APIs
There had been a C API descriptions.
The agreement was to describe the LDAP protocol.
This is the most useful. There are many programming language APIs.
- LDAP versus other things?
We can do the things we want in LDAP now. For the next set of things (features)
we don't know if LDAP will do what we want.
+ IETF feedback from Dublin
The NFSv4 working group presentation went very well. There were three areas
the audience requested we address:
- security: the was concern that the referral mechanism could be miss-used to
direct a client to a rogue server.
The consensus was the security of the overall system is not decreased by
using FedFs. We need to state that when using the existing NFS security
measures (GSS API, etc) and LDAP security measures, the use of FedFs does
not decrease security.
Dan noted that there are now two systems (NFS + LDAP) to configure correctly.
Does FedFs expose existing security issues to a wider audience (the entire
world?).
- root fileset/namespace: the issue raised was that clients can mount the
namespace at different locations and different places in the federation
namespace.
Is there anyway to close this with NFS? We agreed that there was not.
NFS clients are allowed to mount at any point in their namespace.
The proposal is to provide a best practices guide for how NSDB's are
setup and where clients should mount the federation namespace.
This could be part of the admin document.
What about loops in the namespace? It is difficult (impossible?) to
protect against this. Keeping this from happening this is not a goal.
- LDAP help from IETF
There was a general offer of help on LDAP issues from the IETF
+ LDAP transactions
We ran out of time (again) to discuss this topic.
More information about the Federated-fs
mailing list