[Bugs] [Bug 1213357] New: [FEAT] Improve SSL support
bugzilla at redhat.com
bugzilla at redhat.com
Mon Apr 20 11:21:16 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1213357
Bug ID: 1213357
Summary: [FEAT] Improve SSL support
Product: Red Hat Storage
Version: 3.1.0
Component: glusterfs
Sub Component: core
Keywords: FutureFeature
Severity: medium
Assignee: rhs-bugs at redhat.com
Reporter: rraja at redhat.com
QA Contact: sdharane at redhat.com
CC: bugs at gluster.org, gluster-bugs at redhat.com,
jdarcy at redhat.com
Depends On: 1114604
Group: redhat
+++ This bug was initially created as a clone of Bug #1114604 +++
Upstream 3.6 feature page:
http://www.gluster.org/community/documentation/index.php/Features/better-ssl
* Enable SSL for the management plane (glusterd).
* Allow SSL identities to be used for authorization as well as authentication
(and encryption).
* Provide more options, e.g. for cipher suites or certificate-signing
* Fix bugs related to increased concurrency levels from the multi-threaded
transport.
--- Additional comment from Anand Avati on 2014-06-30 09:23:28 EDT ---
REVIEW: http://review.gluster.org/8040 (socket: add certificate-depth and
cipher-list options for SSL) posted (#4) for review on master by Jeff Darcy
(jdarcy at redhat.com)
--- Additional comment from Anand Avati on 2014-06-30 09:24:49 EDT ---
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used
for authorization) posted (#10) for review on master by Jeff Darcy
(jdarcy at redhat.com)
--- Additional comment from Anand Avati on 2014-07-02 05:47:13 EDT ---
COMMIT: http://review.gluster.org/3695 committed in master by Vijay Bellur
(vbellur at redhat.com)
------
commit caa8a4ea50734378e7e19f70b39a837c58e9d229
Author: Jeff Darcy <jdarcy at redhat.com>
Date: Thu Apr 17 23:21:05 2014 +0000
rpc/auth: allow SSL identity to be used for authorization
Access to a volume is now controlled by the following options, based on
whether SSL is enabled or not.
* server.ssl-allow: get identity from certificate, no password needed
* auth.allow: get identity and matching password from command line
It is not possible to allow both simultaneously, since the connection
itself is either using SSL or it isn't.
Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
Reviewed-on: http://review.gluster.org/3695
Tested-by: Gluster Build System <jenkins at build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur at redhat.com>
--- Additional comment from Anand Avati on 2014-07-03 09:52:47 EDT ---
REVIEW: http://review.gluster.org/8040 (socket: add certificate-depth and
cipher-list options for SSL) posted (#5) for review on master by Jeff Darcy
(jdarcy at redhat.com)
--- Additional comment from Anand Avati on 2014-07-03 10:13:25 EDT ---
REVIEW: http://review.gluster.org/8094 (socket/glusterd/client: enable SSL for
management) posted (#4) for review on master by Jeff Darcy (jdarcy at redhat.com)
--- Additional comment from Anand Avati on 2014-07-04 07:18:08 EDT ---
COMMIT: http://review.gluster.org/8040 committed in master by Vijay Bellur
(vbellur at redhat.com)
------
commit 83c09b75a8fbc3a46fc0e76f805e061e949678f1
Author: Jeff Darcy <jdarcy at redhat.com>
Date: Thu Jul 3 13:27:13 2014 +0000
socket: add certificate-depth and cipher-list options for SSL
Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
Reviewed-on: http://review.gluster.org/8040
Tested-by: Gluster Build System <jenkins at build.gluster.com>
Reviewed-by: Rajesh Joseph <rjoseph at redhat.com>
Reviewed-by: Vijay Bellur <vbellur at redhat.com>
--- Additional comment from Anand Avati on 2014-07-09 02:52:49 EDT ---
REVIEW: http://review.gluster.org/8094 (socket/glusterd/client: enable SSL for
management) posted (#5) for review on master by Vijay Bellur
(vbellur at redhat.com)
--- Additional comment from Anand Avati on 2014-07-10 10:37:23 EDT ---
COMMIT: http://review.gluster.org/8094 committed in master by Vijay Bellur
(vbellur at redhat.com)
------
commit b42688786f25420de671ea06030edf4371058433
Author: Jeff Darcy <jdarcy at redhat.com>
Date: Thu Jul 3 14:01:20 2014 +0000
socket/glusterd/client: enable SSL for management
The feature is controlled by presence of the following file:
/var/lib/glusterd/secure-access
See the comment near the definition of SECURE_ACCESS_FILE in glusterfs.h
for the rationale. With this enabled, the following rules apply to
connections:
UNIX-domain sockets never have SSL.
Management-port sockets (both connecting and accepting, in
daemons and CLI) have SSL based on presence of the file.
Other IP sockets have SSL based on the existing client.ssl and
server.ssl volume options.
Transport multi-threading is explicitly turned off in glusterd (it would
otherwise be turned on when SSL is) due to multi-threading issues.
Tests have been elided to avoid risk of leaving a file which will cause
all subsequent tests to run with management SSL still enabled.
IMPLEMENTATION NOTE
The implementation is a bit messy, and consists of two stages. First we
decide whether to set the relevant fields in our context structure, based
on presence of the sentinel file OR a command-line override. Later we
decide whether a particular connection should actually use SSL, based on
the
context flags plus what kind of connection we're making[1] and what kind of
daemon we're in[2].
[1] inbound, outbound to glusterd port, other outbound
[2] glusterd, glusterfsd, other
TESTING NOTE
Instead of just running one special test for this feature, the ideal
would be to run all tests with management SSL enabled. However, it
would be inappropriate or premature to set up an optional feature in the
patch itself. Therefore, the method of choice is to submit a separate
patch on top, which modifies "cleanup" in include.rc to recreate the
secure-access file and associated SSL certificate/key files before each
test.
Change-Id: I0e04d6d08163893e24ec8c031748c5c447d7f780
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
Reviewed-on: http://review.gluster.org/8094
Tested-by: Gluster Build System <jenkins at build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur at redhat.com>
--- Additional comment from Niels de Vos on 2014-09-22 08:44:10 EDT ---
A beta release for GlusterFS 3.6.0 has been released. Please verify if the
release solves this bug report for you. In case the glusterfs-3.6.0beta1
release does not have a resolution for this issue, leave a comment in this bug
and move the status to ASSIGNED. If this release fixes the problem for you,
leave a note and change the status to VERIFIED.
Packages for several distributions should become available in the near future.
Keep an eye on the Gluster Users mailinglist [2] and the update (possibly an
"updates-testing" repository) infrastructure for your distribution.
[1]
http://supercolony.gluster.org/pipermail/gluster-users/2014-September/018836.html
[2] http://supercolony.gluster.org/pipermail/gluster-users/
--- Additional comment from Niels de Vos on 2014-11-11 03:36:21 EST ---
This bug is getting closed because a release has been made available that
should address the reported issue. In case the problem is still not fixed with
glusterfs-3.6.1, please reopen this bug report.
glusterfs-3.6.1 has been announced [1], packages for several distributions
should become available in the near future. Keep an eye on the Gluster Users
mailinglist [2] and the update infrastructure for your distribution.
[1]
http://supercolony.gluster.org/pipermail/gluster-users/2014-November/019410.html
[2] http://supercolony.gluster.org/mailman/listinfo/gluster-users
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1114604
[Bug 1114604] [FEAT] Improve SSL support
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=qvYM1n2QLe&a=cc_unsubscribe
More information about the Bugs
mailing list