| Summary: | allow option to accept messages from insecure ports | | |
|---|---|---|---|
| Product: | [Community] GlusterFS | Reporter: | Pranith Kumar K <pkarampu> |
| Component: | protocol | Assignee: | Amar Tumballi <amarts> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | mainline | CC: | csaba, fharshav, gluster-bugs, vbhat, vraman |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | glusterfs-3.4.0 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-07-24 17:21:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Pranith Kumar K
2011-03-23 12:55:27 UTC
PATCH: http://patches.gluster.com/patch/6591 in master (rpc: Provide an option to allow insecure ports)

PATCH: http://patches.gluster.com/patch/6592 in master (rpc: Don't warn on failure to bind to privileged port)

PATCH: http://patches.gluster.com/patch/6593 in master (mgmt/glusterd: Allow insecure ports by default)

PATCH: http://patches.gluster.com/patch/6594 in master (mgmt/glusterd: Provide volume option to allow insecure ports for server)

PATCH: http://patches.gluster.com/patch/6595 in master (protocol/server: change allow_insecure option in reconfigure)

PATCH: http://patches.gluster.com/patch/6614 in master (mgmt/glusterd: Add rpc-auth-allow-insecure option)

PATCH: http://patches.gluster.com/patch/6596 in release-3.1 (rpc: Provide an option to allow insecure ports)

PATCH: http://patches.gluster.com/patch/6597 in release-3.1 (rpc: Don't warn on failure to bind to privileged port)

PATCH: http://patches.gluster.com/patch/6598 in release-3.1 (mgmt/glusterd: Allow insecure ports by default)

PATCH: http://patches.gluster.com/patch/6599 in release-3.1 (mgmt/glusterd: Provide volume option to allow insecure ports for server)

PATCH: http://patches.gluster.com/patch/6600 in release-3.1 (protocol/server: change allow_insecure option in reconfigure)

PATCH: http://patches.gluster.com/patch/6612 in release-3.1 (mgmt/glusterd: Add rpc-auth-allow-insecure option)

Now we can use the non-privileged ports by default. I was able to create 1500 volumes in a loop without any errors or warnings.
If I set rpc-auth-allow-insecure to 'off' (it is 'on' by default), I can't use non-privileged ports. To set the option, I modified /usr/local/etc/glusterfs/glusterd.vol and added the following line:
option rpc-auth-allow-insecure off
After setting it to off, I can't use non-privileged ports. I can use them if I set it to on.
"We met a security feature that showed to be uncomfortable in some respect therefore we get rid of it" - since we all are discussing about security. Allowing insecure connections is wrong, do we need this feature? . This was requested by a customer for their erroneous architecture? do we need this? . While there has been a big discussion of security, isn't this an rightful failure in those terms ?. Thanks to Csaba for bringing this into attention. Suggested solution for the original issue: pipe the whole command sequence to "gluster --mode=script" (so that we do all the operations with a single connection). Please confirm if this is sufficient. For sake of correctness, let's add that at the time of submitting the fix it did not hurt security due to 8d64ca70: "cli: Only admin should run gluster CLI". However, since then we have reverted 8d64ca70 in 74bf2c1f -- therefore we are now with insecure defaults. We do need non-admin usage of cli, so as of my suggestion the insecure mode should be reverted and use the technique sketched above. Amar, I was not sure whom to assign this bug. Pranith Pranith, why was this in your name in first place? Meantime, Csaba, do you think the issue is fixed? |