<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Apr 12, 2018 at 6:58 PM, David Spisla <span dir="ltr"><<a href="mailto:spisla80@gmail.com" target="_blank">spisla80@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div>Hello Gluster Community,<br><br></div>according to that set steps I have configured network encryption for management and I/O traffic:<br><a href="https://www.cyberciti.biz/faq/how-to-enable-tlsssl-encryption-with-glusterfs-storage-cluster-on-linux/" target="_blank">https://www.cyberciti.biz/faq/<wbr>how-to-enable-tlsssl-<wbr>encryption-with-glusterfs-<wbr>storage-cluster-on-linux/</a><br><br></div>I have chose the option for self-signed certificates, so each of the nodes has its own certificate and all of them are stored in the file <a href="http://glusterfs.ca" target="_blank">glusterfs.ca</a>. Each node in my cluster has a copy of that file.<br><br></div><div>Everything is working fine.<br></div><div><br></div>I set the volume option "auth.ssl-allow" with "*", but I am not sure what does this exactly means?<br><br></div>1. Does it mean, that only all clients which are listed in <a href="http://glusterfs.ca" target="_blank">glusterfs.ca</a> has access to the volume?<br></div>or<br></div>2. Does it mean, that any TLS authenticated client can access the volume (maybe a client which is not in the <a href="http://glusterfs.ca" target="_blank">glusterfs.ca</a> list)?<br><br></div></div></div></blockquote><div><br></div><div>Any client that needs to connect to the gluster nodes using SSL, needs to use a certificate that has been signed by a Certificate Authority whose certificate is amongst those listed in <a href="http://glusterfs.ca">glusterfs.ca</a><br></div><div>The '*' implies *anybody* ... but since this is going to be a SSL connection, the *anybody* is further qualified by requiring the certificate to be signed as I've mentioned above. Otherwise the SSL part is meaningless. How will the server verify the authenticity of the SSL connection ?<br><br></div><div>Your confusion maybe arising since you might be the sole person configuring the gluster server nodes as well as clients. To get a clear picture of how this works, you might want to avoid using self-signed certificates and have a separate certificate as a signing authority and place that in <a href="http://glusterfs.ca">glusterfs.ca</a> on the client and server nodes. You will then have to sign the client and server certificates by this unique signing authority certificate and place the individual signed certificates in glusterfs.pem<br><br></div><div>Also, if you have local mounts on the server nodes, you might not see the difference. You will see the difference when you use client nodes different from any of the cluster nodes.<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div></div>Regards<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888">David Spisla<br></font></span></div>
<br>______________________________<wbr>_________________<br>
Gluster-users mailing list<br>
<a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>
<a href="http://lists.gluster.org/mailman/listinfo/gluster-users" rel="noreferrer" target="_blank">http://lists.gluster.org/<wbr>mailman/listinfo/gluster-users</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Milind<br><br></div></div></div></div>
</div></div>