Plasma GitLab Archive
Projects Blog Knowledge

Previous  Up  Next

Module Nn_datanode_ctrl


module Nn_datanode_ctrl: sig .. end
Manage tickets and push ticket secrets to the datanodes
val reset : unit -> unit
Executes a ticket reset in the background

type ticket_verifier = {
   tv_safetrans_id : int64;
   tv_safetrans_tmo : int64;
   tv_safetrans_sec : int64;
   tv_datanodes : int list;
   tv_enabled : bool;
}
This is almost the same as Nn_alloc_types.transacted_datastores
val new_ticket_verifier : unit -> ticket_verifier
val enable_ticket_verifier_e : ticket_verifier -> unit Uq_engines.engine
Pushes a safetrans secret to all enabled datanodes. If this is the first invocation, the safetrans are reset beforehand. Returns the list of datastore ID's to which the new safetrans could be pushed (which may be empty!)
val disable_ticket_verifier_e : ticket_verifier -> unit Uq_engines.engine
Pushes a safetrans cancellation to all datanodes whose ID's are passed in the list.
val disconnect : int -> unit
Disconnects from this datanode
val post_start_hook : unit -> unit

Right now disable_ticket_verifier_e does not disable the verifier immediately, but delays this to the next round of housekeeping - which usually happens once every second.

There is a security risk here: The verifier remains valid even after the transaction is closed. Although this is only for a very short period of time, this can be abused by a malicious user.

The cure (only to be implemented once we secure everything): The verifier can be used to access blocks. There is no problem when only the blocks are accessed for which the ticket was originally valid, i.e. the blocks of the accessed files. The security hole exists only when these blocks are reused for other files - the verifier would then grant access to these other files although there is actually no permission.

So the idea is to prevent that blocks are reused for other files until the verifier is really cancelled. We already have a mechanism - the blocks need to be tagged with the "keep" method of the blockmaps. Such blocks are not freed as long as the tag remains.

So:

  • In the post_commit hook of the blockmap view, we look for newly allocated blocks. These blocks are not only committed/aborted as usual, but additionally they are tagged with keep (the owner may be an arbitrary object, maybe passed down from the transaction)
  • disable_ticket_verifier_e gets an additional callback: it is invoked when the verifier has really been invalidated.
  • This callback is used to remove the tag from the blocks in the blockmap
Things to take care of:
  • All newly allocated blocks need to be tagged this way, including those that are immediately freed by the same transaction. Because all these blocks are writable now. Best if this list is recorded by the blockmap object directly.
  • In the blockmap implementation: it is now possible to "keep" free blocks. The meaning is: keep these blocks unused. (If this does not work out, we would have to use the reserved bit for this purpose.)
Also securing read accesses this way is quite hard - we would have to tag all blocks that were ever returned to the user.
This web site is published by Informatikbüro Gerd Stolpmann
Powered by Caml