[Gluster-users] Question concerning TLS encryption of network traffic
mchangir at redhat.com
Fri Apr 13 16:41:04 UTC 2018
On Thu, Apr 12, 2018 at 6:58 PM, David Spisla <spisla80 at gmail.com> wrote:
> Hello Gluster Community,
> according to that set of steps I have configured network encryption for
> management and I/O traffic:
> I have chosen the option for self-signed certificates, so each of the nodes
> has its own certificate and all of them are stored in the file
> glusterfs.ca. Each node in my cluster has a copy of that file.
> Everything is working fine.
> I set the volume option "auth.ssl-allow" with "*", but I am not sure what
> this exactly means.
> 1. Does it mean that only all clients which are listed in glusterfs.ca
> have access to the volume?
> 2. Does it mean, that any TLS authenticated client can access the volume
> (maybe a client which is not in the glusterfs.ca list)?
Any client that needs to connect to the gluster nodes using SSL needs to
use a certificate that has been signed by a Certificate Authority whose
certificate is amongst those listed in glusterfs.ca.

The '*' implies *anybody* ... but since this is going to be an SSL
connection, the *anybody* is further qualified by requiring the certificate
to be signed as I've mentioned above. Otherwise the SSL part is
meaningless. How will the server verify the authenticity of the SSL

Your confusion may be arising since you might be the sole person configuring
the gluster server nodes as well as clients. To get a clear picture of how
this works, you might want to avoid using self-signed certificates and have
a separate certificate as a signing authority and place that in glusterfs.ca
on the client and server nodes. You will then have to sign the client and
server certificates by this unique signing authority certificate and place
the individual signed certificates in glusterfs.pem.

Also, if you have local mounts on the server nodes, you might not see the
difference. You will see the difference when you use client nodes different
from any of the cluster nodes.
> David Spisla
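The setup suggested in the reply above, as an added example that is not part of the original messages: one signing CA whose certificate goes in glusterfs.ca, server and client certificates signed by it for glusterfs.pem, and a check showing that a certificate signed by nobody listed in glusterfs.ca is rejected. The CA name, node names and temporary directory are constructed for illustration, and `openssl verify` stands in here for the chain check done during the TLS handshake.

```shell
#!/bin/sh
# Added example (not from the thread): one signing CA whose certificate goes in
# glusterfs.ca, and per-node certificates signed by it for glusterfs.pem.
# Node names, the CA name and the work directory are constructed for illustration.

make_ca() {        # $1 = work dir; writes ca.cnf, ca.key and glusterfs.ca
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-gluster-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/glusterfs.ca" 2>/dev/null
}

issue_cert() {     # $1 = work dir, $2 = node name; writes $2.key and $2.pem
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/glusterfs.ca" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.pem" 2>/dev/null
}

self_signed() {    # $1 = work dir, $2 = name; signed by no CA in glusterfs.ca
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

trusted() {        # $1 = work dir, $2 = name; succeeds only if the chain ends in glusterfs.ca
    openssl verify -CAfile "$1/glusterfs.ca" "$1/$2.pem" >/dev/null 2>&1
}

demo() {           # prints one verdict per certificate
    d=$(mktemp -d) && make_ca "$d" && issue_cert "$d" server1 &&
        issue_cert "$d" client1 && self_signed "$d" stranger || return 1
    for n in server1 client1 stranger; do
        if trusted "$d" "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

On a real node, each `<name>.pem` would be installed as that node's glusterfs.pem and the CA certificate as glusterfs.ca; `ca.key` stays off the cluster nodes.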