English ·   Russian

Authentication in GlusterFS Using SSL/TLS

As I was getting acquainted with GlusterFS, the first thing I decided to do was to look for information on security. I couldn’t find any login and password verification in GlusterFS, but there is an option to authenticate clients using TLS, and that’s what we’ll discuss next.

I’ll be doing everything under Debian, but everything should be relevant for other distributions as well. I won’t go into installing GlusterFS, let’s get to the point.

First of all, we create keys and certificates, this is done with the following commands:

openssl genrsa -out /etc/ssl/glusterfs.key 1024
openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj /CN=YourName -out /etc/ssl/glusterfs.pem

Pay attention to the CN (Common Name) parameter, specify your name in it.

Instead of YourName, specify your name, for example knik or any other.

After creating the certificate, we’ll make a copy of it:

cp /etc/ssl/glusterfs.pem /etc/ssl/glusterfs.ca

Set read rights for the root user only:

chown root:root /etc/ssl/glusterfs.*
chmod 600 /etc/ssl/glusterfs.*

Now we need to enable SSL for our volume:

gluster volume set gv0 client.ssl on
gluster volume set gv0 server.ssl on

Note that you should replace gv0 with the name of your volume, it can be any other name.

Set the list of ciphers:

gluster volume set gv0 ssl.cipher-list 'HIGH:!SSLv2'

Now allow client connections with the name YourName. Change this name to the one you specified in the first steps of generating keys and certificates.

gluster volume set gv0 auth.ssl-allow 'YourName'

If the volume is already running, you need to stop it and start it again, we do this with the following commands:

gluster volume stop gv0
gluster volume start gv0

Client setup

Setting up clients is not difficult. Copy the previously generated keys and certificates glusterfs.ca, glusterfs.pem, and glusterfs.key to the /etc/ssl directory on the client, then try to mount glusterfs:

mount -t glusterfs you-server:/gv0 /path/to/mount/point
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.