[Gluster-users] GlusterFS share authentication?
Dan Mons
dmons at cuttingedge.com.au
Wed Jan 22 21:47:38 UTC 2014
Gluster's native "auth.allow/auth.reject" configuration and/or
iptables configured to drop all packets to/from a particular IP range
will stop unwanted clients accessing the services.
Your comment on spoofing IPs is understood, but if a client claimed it
was the IP of another Gluster node, you'd have other problems
manifesting (like failures within Gluster itself, as traffic destined
for another brick would go to the wrong place).
Others have made comments about separate networks, and that would
probably be your best bet. Gluster does technically listen on all
interfaces, but with appropriate physical networking setup (completely
separate network ranges on physically separate interfaces or VLANs)
you could circumvent security issues there.
For example, our Gluster infrastructure lives in a shared environment
with specific clients who aren't granted access. We do this via
physical networking setup, VLANs, and iptables on our core Linux
firewall. Production VFX users are the only ones who can have network
level access, and everyone else can't see the network range that
Gluster lives on. I could trivially create another VLAN for the
Gluster nodes to talk amongst themselves, and force all users to only
access services on top of Gluster (Samba, etc.) on our production
network.
-Dan
----------------
Dan Mons
R&D SysAdmin
Unbreaker of broken things
Cutting Edge
http://cuttingedge.com.au
On 23 January 2014 01:43, Peter B. <pb at das-werkstatt.com> wrote:
> On 01/21/2014 10:31 PM, Dan Mons wrote:
>> On 22 January 2014 05:19, Peter B. <pb at das-werkstatt.com> wrote:
>>> The clients in fact *do* only access it over Samba. I just figured that
>>> *if* one user connected a GNU/Linux machine to the LAN, he could simply
>>> connect with write permissions using the GlusterFS Linux client. All
>>> he'd have to do for authenticating is to spoof one of the storage-IPs.
>> man iptables
>
> I've been working with iptables for many years, but in this particular
> case, I fail to see how they would help.
> Maybe I'm overlooking something very obvious?
>
> Could you please elaborate your suggestion a bit?
>
>
> Thanks,
> Pb
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://supercolony.gluster.org/mailman/listinfo/gluster-users
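The two layers Dan describes, Gluster's auth.allow option plus iptables rules that admit only the storage subnet, as an added example that is not from the thread or from the Gluster project. It assumes a volume named vol0, a storage subnet of 10.10.0.0/24 and the port layout of Gluster 3.4 and later; the commands are printed for review rather than executed, and the addr_allowed preview only approximates Gluster's own pattern matching.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gluster itself.
# Emits the commands that restrict a volume to one storage subnet at both
# layers: Gluster's auth.allow and iptables on each brick server.
# Assumed values: volume "vol0", storage subnet 10.10.0.0/24, Gluster 3.4+
# ports (24007 glusterd, 24008, 49152-49251 one per brick). NFS/Samba ports
# are not covered here.

# auth.allow is a comma-separated list of IPs or wildcards ("10.10.0.*");
# its default "*" admits every client. auth.reject is deliberately left
# alone: a client matched by auth.reject is refused even if auth.allow
# also matches it, so "auth.reject *" would lock everyone out.
gluster_auth_cmds() {
    printf 'gluster volume set %s auth.allow %s\n' "$1" "$2"
}

# Accept Gluster TCP ports from the storage subnet, then drop the rest.
# Order matters: the ACCEPT rules must sit before the DROP rules.
gluster_fw_cmds() {
    subnet=$1
    for port in 24007 24008 49152:49251; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$subnet" "$port"
    done
    for port in 24007 24008 49152:49251; do
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Preview how an auth.allow list treats one client address: returns 0 when
# ADDR matches any comma-separated wildcard entry. Uses shell globbing as an
# approximation of Gluster's matching; confirm in the brick log after applying.
addr_allowed() {
    addr=$1; list=$2
    set -f                     # entries contain '*'; keep them out of pathname expansion
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        IFS=$old_ifs
        case "$addr" in $entry) set +f; return 0 ;; esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Run with the assumed values.
gluster_auth_cmds vol0 '10.10.0.*'
gluster_fw_cmds 10.10.0.0/24
addr_allowed 10.10.0.7 '10.10.0.*,192.168.1.5' && echo "10.10.0.7: allowed"
addr_allowed 10.200.1.9 '10.10.0.*' || echo "10.200.1.9: rejected"
```

After applying the output on a node, `gluster volume info vol0` should list the auth.allow value, and `iptables -L INPUT -n` should show the ACCEPT rules ahead of the DROPs.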