[Gluster-users] Question concerning TLS encryption of network traffic
David Spisla
2018-04-12 13:28:51 UTC
Hello Gluster Community,

according to these steps I have configured network encryption for
management and I/O traffic:
https://www.cyberciti.biz/faq/how-to-enable-tlsssl-encryption-with-glusterfs-storage-cluster-on-linux/

I have chosen the option for self-signed certificates, so each of the nodes
has its own certificate and all of them are stored in the file glusterfs.ca.
Each node in my cluster has a copy of that file.

Everything is working fine.

I set the volume option "auth.ssl-allow" to "*", but I am not sure what
exactly this means.

1. Does it mean that only the clients which are listed in glusterfs.ca have
access to the volume?
or
2. Does it mean, that any TLS authenticated client can access the volume
(maybe a client which is not in the glusterfs.ca list)?

Regards
David Spisla
Milind Changire
2018-04-13 16:41:04 UTC
Post by David Spisla
Hello Gluster Community,
according to these steps I have configured network encryption for
management and I/O traffic:
https://www.cyberciti.biz/faq/how-to-enable-tlsssl-encryption-with-glusterfs-storage-cluster-on-linux/
I have chosen the option for self-signed certificates, so each of the nodes
has its own certificate and all of them are stored in the file
glusterfs.ca. Each node in my cluster has a copy of that file.
Everything is working fine.
I set the volume option "auth.ssl-allow" to "*", but I am not sure what
exactly this means.
1. Does it mean that only the clients which are listed in glusterfs.ca
have access to the volume?
or
2. Does it mean, that any TLS authenticated client can access the volume
(maybe a client which is not in the glusterfs.ca list)?
Any client that needs to connect to the gluster nodes using SSL needs to
use a certificate that has been signed by a Certificate Authority whose
certificate is amongst those listed in glusterfs.ca.
The '*' implies *anybody* ... but since this is going to be an SSL
connection, the *anybody* is further qualified by requiring the certificate
to be signed as I've mentioned above. Otherwise the SSL part is
meaningless. How will the server verify the authenticity of the SSL
connection?

Your confusion may be arising since you might be the sole person configuring
the gluster server nodes as well as clients. To get a clear picture of how
this works, you might want to avoid using self-signed certificates and have
a separate certificate as a signing authority and place that in glusterfs.ca
on the client and server nodes. You will then have to sign the client and
server certificates by this unique signing authority certificate and place
the individual signed certificates in glusterfs.pem

Also, if you have local mounts on the server nodes, you might not see the
difference. You will see the difference when you use client nodes different
from any of the cluster nodes.

Regards
Post by David Spisla
David Spisla
_______________________________________________
Gluster-users mailing list
http://lists.gluster.org/mailman/listinfo/gluster-users
--
Milind