Gluster users - Oct 2019 - untrusted users

We are attaching a gluster storage to our cluster. We give shell access to
our cluster to untrusted users. Each user has a folder in gluster. The
problem is that the users could get to mount as any user id and then access
the other users files as their own. Is there a way to authenticate a user
before a mount?

If there is none, can you help us implement a thin authentication layer
over mount? Where should we get started.

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20191021/8511bf4b/attachment.html>

Shell access to untrusted users. I would fight that tooth and nail as a
sysadmin. User that are untrusted get accounts deactivated.

If they have no sudo, they can't mount. Make mounts for them in fstab. Set
ownership and groups on mount points so each user is restricted to their folder
only. Use a centralized authentication system like freeipa or IdM. Every user
should have their own userid that's unique. No exceptions.

I work in HIPAA rules now, DoD clearance rules earlier. Users are not to be
trusted. Other sysadmins are barely trustable. If users have any access to
adjust the system configuration in any way, take it away. That's your job
not theirs. It's easier to say no 100 times a day than spend 2 weeks in
front of lawyers explaining why untrusted users could create a mess that
involves lawyers and courts, fines and jail time.

If your OS won't support basic system security, choose something that will.
Some Linux distros are not usable in a multiple user environment (kali is a
prime example). I work in an Enterprise environment so I use RedHat/CEntOS.

If users can't get things done with out being root, someone has really
messed up the work flow design.

Sorry to sound really harsh but this sounds like a nightmare that could be
avoided with a better sysadmin plan. Users are terrible sysadmin. Programmers
are too. Sysadmins are not very good programmers :-(


On October 21, 2019 10:03:46 PM EDT, pankaj kumar <pankaj at
datacabinet.systems> wrote:
>We are attaching a gluster storage to our cluster. We give shell access
>to
>our cluster to untrusted users. Each user has a folder in gluster. The
>problem is that the users could get to mount as any user id and then
>access
>the other users files as their own. Is there a way to authenticate a
>user
>before a mount?
>
>If there is none, can you help us implement a thin authentication layer
>over mount? Where should we get started.
>
>Thanks,
-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and
reflect authenticity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20191021/3a83affb/attachment.html>