nfsv4-3----Page:15
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
|
Object Security (1) Clean security model based on shared, secret device keys Part of T10 standard Metadata manager knows device keys Metadata manager signs caps, OSD verifies them (explained next slide) Metadata server returns capability to the client Capability encodes: object ID, operation, expire time, data range, cap version, and a signature Data range allows serialization over file data, as well as different rights to different attributes Cap version allows revocation by changing it on the object May want to protect capability with privacy (encryption) to avoid snooping the path between metadata manager and client |