Re: [ofa-general] Allowing end-users to query for fabric information

Hal Rosenstock hal.rosenstock at gmail.com
Mon Oct 6 08:16:29 PDT 2008


Mike,

On Mon, Oct 6, 2008 at 11:09 AM, Mike Heinz <michael.heinz at qlogic.com> wrote:
> Roland,
>
> I've been thinking about this some more and I have to say I'm still a
> bit confused. Are you saying that any root user on any node of the
> fabric can change the routing tables? Isn't the ability to access and
> alter subnet information controlled via the management key?

There are two levels to this. First, you must be able to send the MAD,
and once that can happen, the receiving SMA performs the usual MKey
checks, which depend on the protection level, assuming it is an SM class
MAD like the one to change the routing tables.

-- Hal

>
>
> --
> Michael Heinz
> Principal Engineer, Qlogic Corporation
> King of Prussia, Pennsylvania
>
> -----Original Message-----
> From: general-bounces at lists.openfabrics.org
> [mailto:general-bounces at lists.openfabrics.org] On Behalf Of Mike Heinz
> Sent: Monday, September 22, 2008 3:19 PM
> To: Roland Dreier
> Cc: general at lists.openfabrics.org
> Subject: RE: [ofa-general] Allowing end-users to query for fabric
> information
>
> Thanks for the explanation.
>
>
> --
> Michael Heinz
> Principal Engineer, Qlogic Corporation
> King of Prussia, Pennsylvania
>
> -----Original Message-----
> From: Roland Dreier [mailto:rdreier at cisco.com]
> Sent: Monday, September 22, 2008 3:18 PM
> To: Mike Heinz
> Cc: general at lists.openfabrics.org
> Subject: Re: [ofa-general] Allowing end-users to query for fabric
> information
>
>  > What was the reason for making this design choice? While I could
>  > certainly provide boot scripts to change the permissions to
>  > /dev/infiniband/umad*, I'd rather understand why the decision was made
>  > to restrict access.
>
> because /dev/infiniband/umadX allows full unfiltered access to
> send/receive any MADs.  Including changing routing tables, bringing
> ports down, etc.  Not stuff that unprivileged users should be able to
> do.
>
> It would make sense to have a higher-level interface that only allows
> safe queries without side effects, but that's quite a bit more work than
> just changing permissions on device nodes.
>
>  - R.
> _______________________________________________
> general mailing list
> general at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
>
> To unsubscribe, please visit
> http://openib.org/mailman/listinfo/openib-general
>
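
The two levels discussed in this thread, modeled as an added example that is not code from the original messages or from OFED: gate 1 audits which non-owner classes can write to umad device nodes, gate 2 applies a simplified M_Key check. Assumptions: the function names are hypothetical, the M_Key rule is a condensed reading of the InfiniBand protection levels with the lease period ignored, and the temporary files are constructed stand-ins for real device nodes.

```python
import os
import stat
import tempfile

def umad_senders(dev_dir="/dev/infiniband"):
    """Gate 1: map each umad node to the non-owner classes that may write (send MADs)."""
    exposed = {}
    for name in sorted(os.listdir(dev_dir)):
        if not name.startswith("umad"):
            continue
        mode = os.stat(os.path.join(dev_dir, name)).st_mode
        who = [label for label, bit in (("group", stat.S_IWGRP), ("other", stat.S_IWOTH))
               if mode & bit]
        if who:
            exposed[name] = who
    return exposed

def sma_accepts(method, port_mkey, protect_bits, mad_mkey):
    """Gate 2: simplified M_Key check for an SM-class MAD (assumption: lease period ignored)."""
    if port_mkey == 0 or mad_mkey == port_mkey:
        return True                  # no key configured on the port, or the key matches
    if method == "Get":
        return protect_bits < 2      # protection levels 0 and 1 still answer Get
    return False                     # Set needs the matching key at every level

def demo():
    """Build constructed stand-ins for device nodes and evaluate both gates."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("umad0", 0o600), ("umad1", 0o666), ("uverbs0", 0o666)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)     # chmod is not affected by the umask
        gate1 = umad_senders(d)
    # Constructed port key 0x1234; the sender presents key 0 (does not match).
    gate2 = {(m, p): sma_accepts(m, 0x1234, p, 0)
             for m in ("Get", "Set") for p in range(4)}
    return gate1, gate2

if __name__ == "__main__":
    g1, g2 = demo()
    print("umad nodes writable by non-owners:", g1)
    for (method, level), ok in sorted(g2.items()):
        verdict = "accepted" if ok else "dropped"
        print(f"Subn{method}, wrong key, protection level {level}: {verdict}")
```

When the port M_Key is zero, gate 2 accepts everything, so the device node permissions checked by gate 1 are the only control left.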


