[Gluster-devel] Glusterfs SSL capability
Jeffrey Darcy
jdarcy at redhat.com
Fri Jan 24 05:35:36 UTC 2014
> 1) How permanent are these interfaces? Is this expected to be unchanged
> (and will it be the recommended method) for future GlusterFS versions ?
> What about in 4.0 ?
I hope these configuration methods are *not* permanent, because they're
crufty as hell.
> 2) Can you give me the _exact and full_ openssl command line that you'd
> recommend someone run. This way I won't make mistakes or hurt my brain.
Here's an example (from bug-873367.t) of how to create the key and cert
files:
openssl genrsa -out $SSL_KEY 1024
openssl req -new -x509 -key $SSL_KEY -subj /CN=Anyone -out $SSL_CERT
> Can you also be more specific about which files to concatenate to
> produce the glusterfs.ca file, and if it's a literal cat * > or if you
> need to use a special program to merge them.
It really is a straight "cat" of the peers' cert files into the local CA
file.
> 3) Are the /etc/ssl/glusterfs.* paths configurable (without re-compile)
> somehow?
Not currently. The "better-ssl" feature proposal for 3.6 should address
this, along with other options such as cipher suites and certificate
verification depth.
> 4) Does this change any of the ports that are used anywhere?
No.
> 5) Anything else you think I should know?
Only the caveats in the message you already cited. The fact that SSL is
used only for authentication but not authorization is pretty significant.
Ditto for the lack of support for it on the management path.
More information about the Gluster-devel
mailing list