[Bugs] [Bug 1213357] New: [FEAT] Improve SSL support

bugzilla at redhat.com bugzilla at redhat.com
Mon Apr 20 11:21:16 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1213357

            Bug ID: 1213357
           Summary: [FEAT] Improve SSL support
           Product: Red Hat Storage
           Version: 3.1.0
         Component: glusterfs
     Sub Component: core
          Keywords: FutureFeature
          Severity: medium
          Assignee: rhs-bugs at redhat.com
          Reporter: rraja at redhat.com
        QA Contact: sdharane at redhat.com
                CC: bugs at gluster.org, gluster-bugs at redhat.com,
                    jdarcy at redhat.com
        Depends On: 1114604
             Group: redhat



+++ This bug was initially created as a clone of Bug #1114604 +++

Upstream 3.6 feature page:

http://www.gluster.org/community/documentation/index.php/Features/better-ssl

* Enable SSL for the management plane (glusterd).

* Allow SSL identities to be used for authorization as well as authentication
(and encryption).

* Provide more options, e.g. for cipher suites or certificate-signing

* Fix bugs related to increased concurrency levels from the multi-threaded
transport.

--- Additional comment from Anand Avati on 2014-06-30 09:23:28 EDT ---

REVIEW: http://review.gluster.org/8040 (socket: add certificate-depth and
cipher-list options for SSL) posted (#4) for review on master by Jeff Darcy
(jdarcy at redhat.com)

--- Additional comment from Anand Avati on 2014-06-30 09:24:49 EDT ---

REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used
for authorization) posted (#10) for review on master by Jeff Darcy
(jdarcy at redhat.com)

--- Additional comment from Anand Avati on 2014-07-02 05:47:13 EDT ---

COMMIT: http://review.gluster.org/3695 committed in master by Vijay Bellur
(vbellur at redhat.com) 
------
commit caa8a4ea50734378e7e19f70b39a837c58e9d229
Author: Jeff Darcy <jdarcy at redhat.com>
Date:   Thu Apr 17 23:21:05 2014 +0000

    rpc/auth: allow SSL identity to be used for authorization

    Access to a volume is now controlled by the following options, based on
    whether SSL is enabled or not.

     * server.ssl-allow: get identity from certificate, no password needed

     * auth.allow: get identity and matching password from command line

    It is not possible to allow both simultaneously, since the connection
    itself is either using SSL or it isn't.

    Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0
    BUG: 1114604
    Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
    Reviewed-on: http://review.gluster.org/3695
    Tested-by: Gluster Build System <jenkins at build.gluster.com>
    Reviewed-by: Vijay Bellur <vbellur at redhat.com>

--- Additional comment from Anand Avati on 2014-07-03 09:52:47 EDT ---

REVIEW: http://review.gluster.org/8040 (socket: add certificate-depth and
cipher-list options for SSL) posted (#5) for review on master by Jeff Darcy
(jdarcy at redhat.com)

--- Additional comment from Anand Avati on 2014-07-03 10:13:25 EDT ---

REVIEW: http://review.gluster.org/8094 (socket/glusterd/client: enable SSL for
management) posted (#4) for review on master by Jeff Darcy (jdarcy at redhat.com)

--- Additional comment from Anand Avati on 2014-07-04 07:18:08 EDT ---

COMMIT: http://review.gluster.org/8040 committed in master by Vijay Bellur
(vbellur at redhat.com) 
------
commit 83c09b75a8fbc3a46fc0e76f805e061e949678f1
Author: Jeff Darcy <jdarcy at redhat.com>
Date:   Thu Jul 3 13:27:13 2014 +0000

    socket: add certificate-depth and cipher-list options for SSL

    Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113
    BUG: 1114604
    Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
    Reviewed-on: http://review.gluster.org/8040
    Tested-by: Gluster Build System <jenkins at build.gluster.com>
    Reviewed-by: Rajesh Joseph <rjoseph at redhat.com>
    Reviewed-by: Vijay Bellur <vbellur at redhat.com>

--- Additional comment from Anand Avati on 2014-07-09 02:52:49 EDT ---

REVIEW: http://review.gluster.org/8094 (socket/glusterd/client: enable SSL for
management) posted (#5) for review on master by Vijay Bellur
(vbellur at redhat.com)

--- Additional comment from Anand Avati on 2014-07-10 10:37:23 EDT ---

COMMIT: http://review.gluster.org/8094 committed in master by Vijay Bellur
(vbellur at redhat.com) 
------
commit b42688786f25420de671ea06030edf4371058433
Author: Jeff Darcy <jdarcy at redhat.com>
Date:   Thu Jul 3 14:01:20 2014 +0000

    socket/glusterd/client: enable SSL for management

    The feature is controlled by presence of the following file:

        /var/lib/glusterd/secure-access

    See the comment near the definition of SECURE_ACCESS_FILE in glusterfs.h
    for the rationale.  With this enabled, the following rules apply to
    connections:

        UNIX-domain sockets never have SSL.

        Management-port sockets (both connecting and accepting, in
        daemons and CLI) have SSL based on presence of the file.

        Other IP sockets have SSL based on the existing client.ssl and
        server.ssl volume options.

    Transport multi-threading is explicitly turned off in glusterd (it would
    otherwise be turned on when SSL is) due to multi-threading issues.
    Tests have been elided to avoid risk of leaving a file which will cause
    all subsequent tests to run with management SSL still enabled.

    IMPLEMENTATION NOTE
    The implementation is a bit messy, and consists of two stages.  First we
    decide whether to set the relevant fields in our context structure, based
    on presence of the sentinel file OR a command-line override.  Later we
    decide whether a particular connection should actually use SSL, based on the
    context flags plus what kind of connection we're making[1] and what kind of
    daemon we're in[2].

    [1] inbound, outbound to glusterd port, other outbound
    [2] glusterd, glusterfsd, other

    TESTING NOTE
    Instead of just running one special test for this feature, the ideal
    would be to run all tests with management SSL enabled.  However, it
    would be inappropriate or premature to set up an optional feature in the
    patch itself.  Therefore, the method of choice is to submit a separate
    patch on top, which modifies "cleanup" in include.rc to recreate the
    secure-access file and associated SSL certificate/key files before each
    test.

    Change-Id: I0e04d6d08163893e24ec8c031748c5c447d7f780
    BUG: 1114604
    Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
    Reviewed-on: http://review.gluster.org/8094
    Tested-by: Gluster Build System <jenkins at build.gluster.com>
    Reviewed-by: Vijay Bellur <vbellur at redhat.com>

--- Additional comment from Niels de Vos on 2014-09-22 08:44:10 EDT ---

A beta release for GlusterFS 3.6.0 has been released. Please verify if the
release solves this bug report for you. In case the glusterfs-3.6.0beta1
release does not have a resolution for this issue, leave a comment in this bug
and move the status to ASSIGNED. If this release fixes the problem for you,
leave a note and change the status to VERIFIED.

Packages for several distributions should become available in the near future.
Keep an eye on the Gluster Users mailing list [2] and the update (possibly an
"updates-testing" repository) infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-September/018836.html
[2] http://supercolony.gluster.org/pipermail/gluster-users/

--- Additional comment from Niels de Vos on 2014-11-11 03:36:21 EST ---

This bug is getting closed because a release has been made available that
should address the reported issue. In case the problem is still not fixed with
glusterfs-3.6.1, please reopen this bug report.

glusterfs-3.6.1 has been announced [1], packages for several distributions
should become available in the near future. Keep an eye on the Gluster Users
mailing list [2] and the update infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-November/019410.html
[2] http://supercolony.gluster.org/mailman/listinfo/gluster-users


Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1114604
[Bug 1114604] [FEAT] Improve SSL support