Certificate based access type in OpenStack Manila @ OpenStack Paris, Nov. 2014

Upload: deepak-shetty

Post on 05-Aug-2015

TRANSCRIPT

1. Certificate based access type in Manila
   vbrownbag-techtalk@openstack-paris
   Deepak C [email protected]: deepakcs

2. What is Manila
   - Shared FileSystem as a service
   - Incubated since openstack Juno
   - Provision file shares to Nova (openstack compute) instance(s)
   - Strives to provide an API for management of shared filesystems with support for multiple protocols and backend implementations
     - NFS and CIFS primarily supported
     - Other protocols are encouraged too (eg: glusterfs)
   - Supports Multi-tenancy
     - Enables public cloud usecase
     - Has framework to support storage backends that don't support multi-tenancy natively
   Openstack Paris Summit

3. Manila usecase

4. Manila access types
   - IP
     - Access control using IP address
     - Takes IP as an argument
     - Typically used in controlling access to NFS shares
   - User
     - Access control using user name
     - Takes user name as argument
     - Typically used in controlling access to CIFS shares
   - Cert
     - Access control using SSL certificates
     - Takes SSL Certificate's CN (common name) as argument
     - Certificate setup (aka trust setup) between client and server is out of band
     - Currently implemented by GlusterFS native driver ('glusterfs' protocol)

5. GlusterFS Native Driver
   - Supports Certificate based access type of Manila
   - Provision shares that use the 'glusterfs' protocol
   - Instances directly talk with GlusterFS storage backend
     - No service VM needed
   - Secure access
     - Only tenants with the right certificate will be able to access the share
   - Multi-tenant
     - Separation using tenant specific certificates
   - Supports certificate chaining and cipher lists

6. GlusterFS Native Driver contd.
   - Available upstream
   - 1 Manila share == 1 GlusterFS volume
   - Pre-requisites
     - GlusterFS volume(s) setup with Cert based access enabled
     - Instance should have server signed client certificates pre-loaded
   - Manila.conf
     - Provide list of glusterfs volume(s) to work with
   - TODOs
     - Add documentation
     - Snapshot support
     - Dynamic creation of glusterfs volumes
     - Data shredding as part of gluster volume delete
     - Create share from snapshot
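
Added example (not from the slides, and not Manila or GlusterFS code): a small Python model of the three access types on slide 4, showing how a 'cert' rule separates tenants by exact CN match. The function names, the user-name pattern, the 64-character CN cap and the tenant names are assumptions made for illustration, and the certificate chain is assumed to have been verified by TLS before the subject is examined.

```python
import ipaddress
import re

# The 64-character cap mirrors the X.509 upper bound for commonName;
# it is an assumption here, the slides do not state a limit.
MAX_CN_LEN = 64

def validate_rule(access_type, access_to):
    """Return a normalised (type, value) rule or raise ValueError."""
    if access_type == "ip":
        return ("ip", ipaddress.ip_network(access_to, strict=False))
    if access_type == "user":
        # Hypothetical user-name pattern, chosen for the example only.
        if not re.fullmatch(r"[A-Za-z0-9._-]{1,32}", access_to):
            raise ValueError("bad user name")
        return ("user", access_to)
    if access_type == "cert":
        if not 1 <= len(access_to) <= MAX_CN_LEN:
            raise ValueError("CN must be 1-64 characters")
        return ("cert", access_to)
    raise ValueError(f"unknown access type: {access_type}")

def subject_cn(subject):
    """Extract CN from a comma-separated subject such as 'CN=x,O=y'.
    Splits on unescaped commas and reads only the attribute key, so a
    value like 'O=CN=x' is never mistaken for a CN. Multi-valued RDNs
    joined with '+' are not handled."""
    for rdn in re.split(r"(?<!\\),", subject):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value.replace("\\,", ",")
    return None

def is_allowed(rules, client_ip=None, user=None, cert_subject=None):
    """True if any rule on the share matches the presenting client."""
    for kind, value in rules:
        if kind == "ip" and client_ip and ipaddress.ip_address(client_ip) in value:
            return True
        if kind == "user" and user == value:
            return True
        if kind == "cert" and cert_subject and subject_cn(cert_subject) == value:
            return True
    return False

# Constructed sample: one share per tenant, each with a single cert rule.
SHARE_A = [validate_rule("cert", "tenant-a.example.com")]
SHARE_B = [validate_rule("cert", "tenant-b.example.com")]
```

The comparison is an exact match on the parsed CN; a substring search over the subject string would let a certificate whose O field contains "CN=tenant-a.example.com" pass the tenant-a rule.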