David Spisla
2018-Apr-12 13:28 UTC
[Gluster-users] Question concerning TLS encryption of network traffic
Hello Gluster Community, according to that set steps I have configured network encryption for management and I/O traffic: https://www.cyberciti.biz/faq/how-to-enable-tlsssl-encryption-with-glusterfs-storage-cluster-on-linux/ I have chose the option for self-signed certificates, so each of the nodes has its own certificate and all of them are stored in the file glusterfs.ca. Each node in my cluster has a copy of that file. Everything is working fine. I set the volume option "auth.ssl-allow" with "*", but I am not sure what does this exactly means? 1. Does it mean, that only all clients which are listed in glusterfs.ca has access to the volume? or 2. Does it mean, that any TLS authenticated client can access the volume (maybe a client which is not in the glusterfs.ca list)? Regards David Spisla -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.gluster.org/pipermail/gluster-users/attachments/20180412/7da23f7a/attachment.html>
Milind Changire
2018-Apr-13 16:41 UTC
[Gluster-users] Question concerning TLS encryption of network traffic
On Thu, Apr 12, 2018 at 6:58 PM, David Spisla <spisla80 at gmail.com> wrote:> Hello Gluster Community, > > according to that set steps I have configured network encryption for > management and I/O traffic: > https://www.cyberciti.biz/faq/how-to-enable-tlsssl- > encryption-with-glusterfs-storage-cluster-on-linux/ > > I have chose the option for self-signed certificates, so each of the nodes > has its own certificate and all of them are stored in the file > glusterfs.ca. Each node in my cluster has a copy of that file. > > Everything is working fine. > > I set the volume option "auth.ssl-allow" with "*", but I am not sure what > does this exactly means? > > 1. Does it mean, that only all clients which are listed in glusterfs.ca > has access to the volume? > or > 2. Does it mean, that any TLS authenticated client can access the volume > (maybe a client which is not in the glusterfs.ca list)? > >Any client that needs to connect to the gluster nodes using SSL, needs to use a certificate that has been signed by a Certificate Authority whose certificate is amongst those listed in glusterfs.ca The '*' implies *anybody* ... but since this is going to be a SSL connection, the *anybody* is further qualified by requiring the certificate to be signed as I've mentioned above. Otherwise the SSL part is meaningless. How will the server verify the authenticity of the SSL connection ? Your confusion maybe arising since you might be the sole person configuring the gluster server nodes as well as clients. To get a clear picture of how this works, you might want to avoid using self-signed certificates and have a separate certificate as a signing authority and place that in glusterfs.ca on the client and server nodes. You will then have to sign the client and server certificates by this unique signing authority certificate and place the individual signed certificates in glusterfs.pem Also, if you have local mounts on the server nodes, you might not see the difference. You will see the difference when you use client nodes different from any of the cluster nodes. Regards> David Spisla > > _______________________________________________ > Gluster-users mailing list > Gluster-users at gluster.org > http://lists.gluster.org/mailman/listinfo/gluster-users >-- Milind -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.gluster.org/pipermail/gluster-users/attachments/20180413/73d8c0c9/attachment.html>