
Background

From spring quarter '09 discussions:

Goals

RAMCloud is designed as a cluster service. As such multi-tenancy is an important consideration. Multi-tenancy implies:

  • There may be mutually distrustful, even antagonistic, users of RAMCloud.
  • Other clients or machines on the network may likewise be mutually distrustful, or hostile to RAMCloud itself.

We'll need some sort of secure authentication, as well as access control to constrain users of RAMCloud. We will also need to consider threats from other hosts.

Assumptions

  • The network can provide us sufficient isolation such that there is no:
    • Snooping - packets cannot be read by unintended hosts and the network cannot be fooled into routing packets to the incorrect host (e.g. ARP spoofing).

If we don't trust the network, we'll likely need heavy crypto, which is contrary to our performance goals.

Conclusions

  • We were skeptical that any proposed complicated model would be either useful or appropriate for most users. A simple model of having single principals authenticated with full access to a set of tables they own (i.e. like a full access user for each SQL database) would go a long way.
  • For the time being, we will punt access control and accounting and assume a trusted data center / single user model.
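The simple model favoured above (one authenticated principal with full access to the tables it owns, nothing else) is small enough to sketch in code. The following is an added illustration, not RAMCloud code; the secret table, the challenge/response scheme and the ownership map are constructed for the example, and stand in for whatever credential store and authentication mechanism the cluster would really use.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: principal -> shared secret.
# In a deployment this would come from the cluster's credential store,
# never from a module literal.
PRINCIPAL_SECRETS = {
    "alice": b"alice-secret-constructed",
    "bob": b"bob-secret-constructed",
}

# Constructed ownership map: principal -> set of tables it owns.
# Ownership grants full access; there are no finer-grained rights.
TABLE_OWNERS = {
    "alice": {"orders", "customers"},
    "bob": {"metrics"},
}


def new_challenge():
    """Fresh random nonce the server issues for one authentication attempt."""
    return secrets.token_bytes(16)


def client_response(principal, nonce):
    """What a client holding the principal's secret sends back: an HMAC over the nonce.
    The secret itself never crosses the network."""
    secret = PRINCIPAL_SECRETS[principal]
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def authenticate(principal, nonce, response):
    """Server side: recompute the expected response and compare in constant time.
    Unknown principals fail the same way as bad responses."""
    secret = PRINCIPAL_SECRETS.get(principal)
    if secret is None:
        return False
    expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def owner_of(table):
    """Return the owning principal of a table, or None if nobody owns it."""
    for principal, tables in TABLE_OWNERS.items():
        if table in tables:
            return principal
    return None


def authorize(principal, table):
    """Deny by default: a principal may touch a table only if it owns it.
    Read, write and delete are all the same decision in this model."""
    return table in TABLE_OWNERS.get(principal, set())


def create_table(principal, table):
    """A table nobody owns yet becomes owned by its creator; existing names are refused
    so one tenant cannot take over another tenant's table by re-creating it."""
    if owner_of(table) is not None:
        return False
    TABLE_OWNERS.setdefault(principal, set()).add(table)
    return True


def handle_request(principal, nonce, response, table, op):
    """Full request path: authenticate first, then check ownership.
    Returns a decision string so callers can log the reason for a denial."""
    if not authenticate(principal, nonce, response):
        return "denied: authentication failed"
    if op == "create":
        return "ok" if create_table(principal, table) else "denied: table exists"
    if not authorize(principal, table):
        return "denied: not owner of table"
    return "ok"


if __name__ == "__main__":
    nonce = new_challenge()
    print(handle_request("alice", nonce, client_response("alice", nonce), "orders", "read"))
    print(handle_request("alice", nonce, client_response("alice", nonce), "metrics", "write"))
```

The point of the sketch is how little machinery the per-principal ownership model needs: one lookup for authentication, one set membership test for authorization. Binding the response to a server-chosen nonce keeps the shared secret off the wire, which matters only once the network assumption above is relaxed; with a trusted network the challenge could be dropped and the same ownership check kept unchanged.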