[Bugs] [Bug 1209432] New: Using TLS Identities for Authorization is mandatory, not optional

bugzilla at redhat.com bugzilla at redhat.com
Tue Apr 7 11:03:27 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1209432

            Bug ID: 1209432
           Summary: Using TLS Identities for Authorization is mandatory,
                    not optional
           Product: GlusterFS
           Version: 3.6.2
         Component: access-control
          Severity: low
          Assignee: bugs at gluster.org
          Reporter: ernetas at gmail.com
                CC: bugs at gluster.org, gluster-bugs at redhat.com



Description of problem:


Version-Release number of selected component (if applicable):
glusterfs 3.6.2, from Ubuntu PPA repositories for Trusty.

How reproducible:


Steps to Reproduce:
1. Set up a volume, add access controls for IP addresses, and set up SSL by setting
client.ssl and server.ssl to on.
2. Stop the volume, restart glusterfs-server and start the volume again.
3. The volume cannot be mounted.

Actual results:
/var/log/glusterfs/bricks/data-gluster.log:
[2015-04-07 10:50:42.308465] E [socket.c:384:ssl_setup_connection]
0-tcp.files-server: SSL connect error
[2015-04-07 10:50:42.308534] E [socket.c:2371:socket_poller]
0-tcp.files-server: server setup failed
[2015-04-07 10:50:43.940634] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:43.945638] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:43.949279] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:50:43.949332] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files1-20797-2015/04/07-10:50:43:649809-files-client-2-0-0 3.6.2
[2015-04-07 10:50:43.950724] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:50:43.950744] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files1-20790-2015/04/07-10:50:42:638058-files-client-2-0-0 3.6.2
[2015-04-07 10:50:43.987593] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:43.988160] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:50:43.988180] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files3-30565-2015/04/07-10:50:38:958036-files-client-2-0-1 3.6.2
[2015-04-07 10:50:44.010998] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:44.011378] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:50:44.011391] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files3-30572-2015/04/07-10:50:39:978376-files-client-2-0-1 3.6.2
[2015-04-07 10:50:45.882219] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:45.883911] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:50:45.883934] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files2-25060-2015/04/07-10:50:45:857887-files-client-2-0-0 3.6.2
[2015-04-07 10:50:45.910123] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:45.911582] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:50:45.911622] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files2-25053-2015/04/07-10:50:44:846049-files-client-2-0-0 3.6.2
[2015-04-07 10:51:41.157280] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:51:41.157703] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:51:41.157717] E [server-handshake.c:596:server_setvolume]
0-files-server: Cannot authenticate client from
files3-30825-2015/04/07-10:51:41:131733-files-client-2-0-0 3.6.2
[2015-04-07 10:51:41.176712] E [socket.c:2486:socket_poller]
0-tcp.files-server: error in polling loop

Note that CN for the certificate here is "gluster". It only works when setting
auth.ssl-allow to "gluster" and it doesn't work when this parameter is not set.
Working example:

[2015-04-07 10:52:43.229281] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:43.230415] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:52:43.230432] I [login.c:82:gf_auth] 0-auth/login: allowed user
names: gluster
[2015-04-07 10:52:43.230444] I [server-handshake.c:585:server_setvolume]
0-files-server: accepted client from
files2-25495-2015/04/07-10:52:37:177801-files-client-2-0-0 (version: 3.6.2)
[2015-04-07 10:52:44.224511] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:44.225950] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:52:44.225985] I [login.c:82:gf_auth] 0-auth/login: allowed user
names: gluster
[2015-04-07 10:52:44.226012] I [server-handshake.c:585:server_setvolume]
0-files-server: accepted client from
files2-25488-2015/04/07-10:52:36:172744-files-client-2-0-0 (version: 3.6.2)
[2015-04-07 10:52:44.943023] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:44.945207] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:52:44.945231] I [login.c:82:gf_auth] 0-auth/login: allowed user
names: gluster
[2015-04-07 10:52:44.945243] I [server-handshake.c:585:server_setvolume]
0-files-server: accepted client from
files1-21442-2015/04/07-10:52:39:915784-files-client-2-0-0 (version: 3.6.2)
[2015-04-07 10:52:44.946016] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:44.947076] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:52:44.947089] I [login.c:82:gf_auth] 0-auth/login: allowed user
names: gluster
[2015-04-07 10:52:44.947100] I [server-handshake.c:585:server_setvolume]
0-files-server: accepted client from
files1-21449-2015/04/07-10:52:40:927783-files-client-2-0-0 (version: 3.6.2)
[2015-04-07 10:52:44.988492] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:44.990729] I [socket.c:379:ssl_setup_connection]
0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:44.991312] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:52:44.991337] I [login.c:82:gf_auth] 0-auth/login: allowed user
names: gluster
[2015-04-07 10:52:44.991359] I [server-handshake.c:585:server_setvolume]
0-files-server: accepted client from
files3-31532-2015/04/07-10:52:30:944772-files-client-2-0-1 (version: 3.6.2)
[2015-04-07 10:52:44.992521] I [login.c:39:gf_auth] 0-auth/login: connecting
user name: gluster
[2015-04-07 10:52:44.992544] I [login.c:82:gf_auth] 0-auth/login: allowed user
names: gluster
[2015-04-07 10:52:44.992566] I [server-handshake.c:585:server_setvolume]
0-files-server: accepted client from
files3-31539-2015/04/07-10:52:31:957776-files-client-2-0-1 (version: 3.6.2)

Expected results:
Judging from
http://www.gluster.org/community/documentation/index.php/SSL#Using_TLS_Identities_for_Authorization,
I would expect that auth.ssl-allow is optional, not mandatory.

Additional info:
Sorry if I tagged the components (access-control instead of docs) wrong - I'm
not sure if this is a feature that lacks documentation or a bug.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
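The brick-log excerpts in the report show the pattern an operator has to spot by hand: a TLS peer CN is read, gf_auth logs the connecting user name, and server_setvolume then either rejects the client (no "allowed user names" line, auth.ssl-allow unset) or accepts it (allow list logged). The following Python script is an added example, not code from the report or from the GlusterFS project; it parses the log format shown above, correlates each server_setvolume outcome with the preceding peer CN and allow-list line, and emits an operator hint for rejections. The sample log is constructed from a handful of entries copied out of the report (unwrapped onto one line each), and the diagnosis heuristic is an assumption drawn from those logs, not a documented GlusterFS rule.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: brick-log entries copied from the report, one per line.
SAMPLE_LOG = """\
[2015-04-07 10:50:42.308465] E [socket.c:384:ssl_setup_connection] 0-tcp.files-server: SSL connect error
[2015-04-07 10:50:43.940634] I [socket.c:379:ssl_setup_connection] 0-tcp.files-server: peer CN = gluster
[2015-04-07 10:50:43.949279] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gluster
[2015-04-07 10:50:43.949332] E [server-handshake.c:596:server_setvolume] 0-files-server: Cannot authenticate client from files1-20797-2015/04/07-10:50:43:649809-files-client-2-0-0 3.6.2
[2015-04-07 10:52:43.229281] I [socket.c:379:ssl_setup_connection] 0-tcp.files-server: peer CN = gluster
[2015-04-07 10:52:43.230415] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gluster
[2015-04-07 10:52:43.230432] I [login.c:82:gf_auth] 0-auth/login: allowed user names: gluster
[2015-04-07 10:52:43.230444] I [server-handshake.c:585:server_setvolume] 0-files-server: accepted client from files2-25495-2015/04/07-10:52:37:177801-files-client-2-0-0 (version: 3.6.2)
"""

# "[timestamp] LEVEL [file:line:function] translator: message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]) \[(?P<src>[^\]]+)\] (?P<xl>\S+): (?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one glusterfs log entry into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_handshakes(log_text: str) -> Dict[str, list]:
    """Correlate each server_setvolume outcome with the TLS peer CN, the login user
    name and whether an allow list ('allowed user names') was consulted before it."""
    peer_cn = user = allowed = None
    rejected: List[dict] = []
    accepted: List[dict] = []
    tls_errors: List[str] = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        msg = e["msg"]
        if e["src"].endswith("ssl_setup_connection"):
            if msg.startswith("peer CN = "):
                peer_cn = msg[len("peer CN = "):]
                user = allowed = None  # new TLS session: reset per-connection state
            elif e["level"] == "E":
                tls_errors.append(e["ts"])  # handshake never reached authentication
        elif msg.startswith("connecting user name: "):
            user = msg[len("connecting user name: "):]
        elif msg.startswith("allowed user names: "):
            allowed = msg[len("allowed user names: "):]
        elif e["src"].endswith("server_setvolume"):
            rec = {"ts": e["ts"], "peer_cn": peer_cn, "user": user, "allowed": allowed}
            if msg.startswith("Cannot authenticate client from "):
                rec["client"] = msg[len("Cannot authenticate client from "):].split()[0]
                rejected.append(rec)
            elif msg.startswith("accepted client from "):
                rec["client"] = msg[len("accepted client from "):].split()[0]
                accepted.append(rec)
    return {"rejected": rejected, "accepted": accepted, "tls_errors": tls_errors}


def diagnose(result: Dict[str, list]) -> List[str]:
    """Turn rejections into operator hints. Heuristic (assumption taken from the
    report's logs): a CN was read but no allow list was consulted means the volume
    has no auth.ssl-allow entry for that CN."""
    hints = []
    for r in result["rejected"]:
        if r["peer_cn"] and r["allowed"] is None:
            hints.append(f"{r['ts']}: client {r['client']} presented CN '{r['peer_cn']}' but no "
                         f"allow list was consulted; check that auth.ssl-allow includes '{r['peer_cn']}'")
        elif r["peer_cn"]:
            hints.append(f"{r['ts']}: CN '{r['peer_cn']}' is not in auth.ssl-allow ({r['allowed']})")
        else:
            hints.append(f"{r['ts']}: client {r['client']} rejected without a TLS peer CN")
    return hints


if __name__ == "__main__":
    res = audit_handshakes(SAMPLE_LOG)
    print(f"accepted={len(res['accepted'])} rejected={len(res['rejected'])} "
          f"tls_errors={len(res['tls_errors'])}")
    for h in diagnose(res):
        print(h)
```

Run against a real brick log with `audit_handshakes(open(path).read())`; the per-connection state is reset on every "peer CN" line, so with concurrent handshakes interleaved in the log a hint should be read as a pointer to the surrounding entries rather than as a certain attribution.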

