Bug 1209432
| Summary: | Using TLS Identities for Authorization is mandatory, not optional | | |
|---|---|---|---|
| Product: | [Community] GlusterFS | Reporter: | Ernestas Lukoševičius <ernetas> |
| Component: | transport | Assignee: | bugs <bugs> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.6.2 | CC: | bugs, ernetas, jdarcy, kaushal, ndevos, rabhat, ueberall |
| Target Milestone: | --- | Keywords: | Patch, Triaged |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | glusterfs-3.7.0 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-30 12:50:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ernestas Lukoševičius
2015-04-07 11:03:27 UTC
Not working:

```
root@files1:/home/supervisor# gluster volume info
Volume Name: files
Type: Replicate
Volume ID: 9730c8ff-0992-4b41-a4a7-76aa3c9ae79b
Status: Started
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: files1:/data/gluster
Brick2: files2:/data/gluster
Brick3: files3:/data/gluster
Options Reconfigured:
auth.allow: 10.80.0.32,10.80.0.33,10.80.0.34
cluster.server-quorum-type: server
storage.owner-uid: 33
storage.owner-gid: 33
client.ssl: on
server.ssl: on
ssl.cipher-list: HIGH:!SSLv2
cluster.server-quorum-ratio: 51%
```

Working:

```
root@files1:/home/supervisor# gluster volume info
Volume Name: files
Type: Replicate
Volume ID: 9730c8ff-0992-4b41-a4a7-76aa3c9ae79b
Status: Started
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: files1:/data/gluster
Brick2: files2:/data/gluster
Brick3: files3:/data/gluster
Options Reconfigured:
auth.allow: 10.80.0.32,10.80.0.33,10.80.0.34
cluster.server-quorum-type: server
storage.owner-uid: 33
storage.owner-gid: 33
client.ssl: on
server.ssl: on
ssl.cipher-list: HIGH:!SSLv2
auth.ssl-allow: gluster
cluster.server-quorum-ratio: 51%
```

There is also this doc: https://github.com/gluster/glusterfs/blob/master/doc/admin-guide/en-US/markdown/admin_ssl.md

I am just not sure if that is correct for 3.6.1 too. Maybe Jeff can give some pointers here.

This does affect 3.6 AFAICT. The patch that introduced SSL/TLS authorization is:

    rpc/auth: allow SSL identity to be used for authorization
    Thu Apr 17 23:21:05 2014 +0000
    caa8a4ea50734378e7e19f70b39a837c58e9d229 (master/release-3.6)

The patch that adds a default "auth.ssl-allow=*" is:

    transport: fix default behavior for SSL authorization
    Tue Jan 6 10:03:49 2015 -0500
    548547b2e41c8e2cf79b929405cf18aecbdedebc (master only)

It should be sufficient to backport 548547b2e41c8e2cf79b929405cf18aecbdedebc.

Thanks Jeff! Adding this one to the planning for the next 3.6 release. [Well, failing to find the latest 3.6 tracker bug, I'll let Raghavendra add it.]
This bug is being closed as GlusterFS-3.6 is nearing its End-Of-Life and only important security bugs will be fixed. This bug has been fixed in more recent GlusterFS releases. If you still face this bug with the newer GlusterFS versions, please open a new bug.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.
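
A configuration check for the condition reported in this bug, as an added example that is not part of the bug report or of GlusterFS: it reads `gluster volume info` output on stdin and classifies each volume by whether `server.ssl` is on and whether `auth.ssl-allow` is set. The function name, the status labels and the abridged sample input are this example's own.

```shell
#!/bin/sh
# Usage on a real node: gluster volume info | check_ssl_allow
# Prints one line per volume: "<volume> <status>".

check_ssl_allow() {
    awk '
        function report() {
            if (name == "") return
            if (ssl != "on")       status = "no-tls"
            else if (allow == "")  status = "tls-no-allow-list"   # the "Not working" listing
            else if (allow == "*") status = "tls-any-identity"    # default added by 548547b2
            else                   status = "tls-allow-list"      # the "Working" listing
            print name, status
        }
        /^Volume Name:/     { report(); name = $3; ssl = ""; allow = "" }
        /^server\.ssl:/     { ssl = $2 }
        /^auth\.ssl-allow:/ {
            sub(/^auth\.ssl-allow:[ \t]*/, "")   # keep the whole value, commas included
            sub(/[ \t\r]+$/, "")
            allow = $0
        }
        END                 { report() }
    '
}

# Constructed sample input: option lines abridged from the listings in this report.
sample_not_working() {
    cat <<'EOF'
Volume Name: files
Type: Replicate
Options Reconfigured:
auth.allow: 10.80.0.32,10.80.0.33,10.80.0.34
client.ssl: on
server.ssl: on
ssl.cipher-list: HIGH:!SSLv2
EOF
}

sample_working() {
    sample_not_working
    echo "auth.ssl-allow: gluster"
}

sample_not_working | check_ssl_allow
sample_working | check_ssl_allow
```

On a release without commit 548547b2e41c8e2cf79b929405cf18aecbdedebc, `tls-no-allow-list` corresponds to the "Not working" configuration above.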