[Gluster-users] GlusterFS share authentication?

Dan Mons dmons at cuttingedge.com.au
Mon Jan 20 21:57:34 UTC 2014


GlusterFS via the FUSE client works like NFS, where it's a system
level share.  This is by design.  For certain workflows you want a
network file system to be mounted into the tree of a POSIX system, and
to be accessed as if it was local disk.  From the end-user's point of
view, the GlusterFS mount should act and feel like local disk, and
just be "one big tree".  The user should have little awareness that
they are suddenly accessing network storage.

In this case, we rely on system permissions to do what we need.  We
set up centralised user definitions (via LDAP/Kerberos, or tools like
Puppet/Chef/etc) that have consistent UIDs and GIDs on all machines,
and we ensure that permissions on the file systems are appropriate.
This is a common design in large, multi-user Linux/UNIX setups, and we
generally avoid needing to authenticate on each access to network
storage courtesy of sensible permissions.

For other workflows, you may want to authenticate at the share level
for a particular reason.  Note that for the sorts of work I do, this
breaks production (I have a large network with hundreds of machines
doing automated tasks on behalf of users, so authenticating each time
for a new user process would totally break our system).

For your workflow you might have end users who simply need to log on
to the system and use it similar to a simple Windows/SMB share.  My
advice here would be to use another protocol over the top of GlusterFS
if you want this sort of behaviour.  I'd consider making your
GlusterFS nodes only able to communicate with each other via IP
restrictions, and then using Samba over the top to force user
authentication at the share level available to all other IPs.

Again, this is not GlusterFS's primary design, as it's intended to
work more like an NFSv3 server and less like an SMB server.   (And
before anyone tells me that NFSv4 can do KRB auth and idmapping, I
challenge those people to show me a real business that uses that setup
for real work - AFAIK adoption of this is minuscule).

-Dan


----------------
Dan Mons
R&D SysAdmin
Unbreaker of broken things
Cutting Edge
http://cuttingedge.com.au


On 21 January 2014 07:11, Peter B. <pb at das-werkstatt.com> wrote:
> Hi.
>
> On 01/16/2014 10:21 PM, Peter B. wrote:
>> Is there any user/password based form of authentication or certificates?
>
> I assume that the absence of responses means that there's no
> positive/good/easy answer on this?
> Therefore I also assume that "authentication by IP" is currently
> GlusterFS' only way of handling access rights.
>
> Is that correct?
>
> Thanks,
> Pb
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://supercolony.gluster.org/mailman/listinfo/gluster-users
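
An added example, not part of the original thread: a Python check for the layout suggested above (Gluster volumes reachable only from listed IPs, Samba shares that require a login). The volume names, addresses, paths and both sample inputs are constructed, and it assumes `gluster volume info` text output and an smb.conf with a lowercase `[global]` section.

```python
import configparser
import re

# Constructed sample of `gluster volume info` output (not from the thread).
VOLUME_INFO = """\
Volume Name: projects
Options Reconfigured:
auth.allow: 10.0.0.11,10.0.0.12

Volume Name: scratch
"""

# Constructed smb.conf for the Samba gateway; shares and paths are hypothetical.
SMB_CONF = """\
[global]
security = user

[projects]
path = /mnt/gluster/projects
valid users = @staff

[scratch]
path = /mnt/gluster/scratch
guest ok = yes
"""

def open_volumes(volume_info):
    """Volumes whose auth.allow is unset or '*' (the default: any IP may mount)."""
    found = []
    for block in re.split(r"(?m)^(?=Volume Name:)", volume_info):
        name = re.search(r"^Volume Name:\s*(\S+)", block, re.M)
        allow = re.search(r"^auth\.allow:\s*(\S+)", block, re.M)
        if name and (allow is None or allow.group(1) == "*"):
            found.append(name.group(1))
    return found

def guest_shares(smb_conf):
    """Samba shares that accept guest (unauthenticated) connections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf)
    def guest(section, default):
        for key in ("guest ok", "public"):  # 'public' is a synonym of 'guest ok'
            if cp.has_option(section, key):
                return cp.get(section, key).strip().lower() in ("yes", "true", "1")
        return default
    default = guest("global", False)  # a [global] value is the default for shares
    return [s for s in cp.sections() if s != "global" and guest(s, default)]

if __name__ == "__main__":
    print("open volumes:", open_volumes(VOLUME_INFO), "guest shares:", guest_shares(SMB_CONF))
```
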


