Bug 974624
Summary: | remote-host switch allows an untrusted host to manage the trusted pool | ||
---|---|---|---|
Product: | [Community] GlusterFS | Reporter: | Joe Julian <joe> |
Component: | cli | Assignee: | bugs <bugs> |
Status: | CLOSED EOL | QA Contact: | |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 3.4.0-beta | CC: | bugs, gluster-bugs, jdarcy |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-10-07 14:05:55 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Joe Julian
2013-06-14 16:31:18 UTC
'gluster --remote-host' is just insecure in its current implementation. There really is no need to even do a 'peer probe' first for malicious actions, when you can just do something like this : gluster --remote-host=server1 volume info gluster --remote-host=server1 volume stop myvol gluster --remote-host=server1 volume delete myvol No 'peer probe' needed. *At the very least*, glusterd should restrict non-members to read-only operations (e.g. info, getspec). More generally, we should fix any remaining issues that prevent using SSL for glusterd, and protect all connections to glusterd using SSL certificates. If desired, we could implement a "bootstrap" process by which cluster members generate/acquire these certificates automatically, so the additional protection would be practically invisible to them. GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5. This bug has been filed against the 3,4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs". If there is no response by the end of the month, this bug will get automatically closed. GlusterFS 3.4.x has reached end-of-life. If this bug still exists in a later release please reopen this and change the version or open a new bug. |