Upstream 3.6 feature page: http://www.gluster.org/community/documentation/index.php/Features/better-ssl * Enable SSL for the management plane (glusterd). * Allow SSL identities to be used for authorization as well as authentication (and encryption). * Provide more options, e.g. for cipher suites or certificate-signing * Fix bugs related to increased concurrency levels from the multi-threaded transport.
REVIEW: http://review.gluster.org/8040 (socket: add certificate-depth and cipher-list options for SSL) posted (#4) for review on master by Jeff Darcy (jdarcy)
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#10) for review on master by Jeff Darcy (jdarcy)
COMMIT: http://review.gluster.org/3695 committed in master by Vijay Bellur (vbellur) ------ commit caa8a4ea50734378e7e19f70b39a837c58e9d229 Author: Jeff Darcy <jdarcy> Date: Thu Apr 17 23:21:05 2014 +0000 rpc/auth: allow SSL identity to be used for authorization Access to a volume is now controlled by the following options, based on whether SSL is enabled or not. * server.ssl-allow: get identity from certificate, no password needed * auth.allow: get identity and matching password from command line It is not possible to allow both simultaneously, since the connection itself is either using SSL or it isn't. Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy> Reviewed-on: http://review.gluster.org/3695 Tested-by: Gluster Build System <jenkins.com> Reviewed-by: Vijay Bellur <vbellur>
REVIEW: http://review.gluster.org/8040 (socket: add certificate-depth and cipher-list options for SSL) posted (#5) for review on master by Jeff Darcy (jdarcy)
REVIEW: http://review.gluster.org/8094 (socket/glusterd/client: enable SSL for management) posted (#4) for review on master by Jeff Darcy (jdarcy)
COMMIT: http://review.gluster.org/8040 committed in master by Vijay Bellur (vbellur) ------ commit 83c09b75a8fbc3a46fc0e76f805e061e949678f1 Author: Jeff Darcy <jdarcy> Date: Thu Jul 3 13:27:13 2014 +0000 socket: add certificate-depth and cipher-list options for SSL Change-Id: I82757f8461807301a4a4f28c4f5bf7f0ee315113 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy> Reviewed-on: http://review.gluster.org/8040 Tested-by: Gluster Build System <jenkins.com> Reviewed-by: Rajesh Joseph <rjoseph> Reviewed-by: Vijay Bellur <vbellur>
REVIEW: http://review.gluster.org/8094 (socket/glusterd/client: enable SSL for management) posted (#5) for review on master by Vijay Bellur (vbellur)
COMMIT: http://review.gluster.org/8094 committed in master by Vijay Bellur (vbellur) ------ commit b42688786f25420de671ea06030edf4371058433 Author: Jeff Darcy <jdarcy> Date: Thu Jul 3 14:01:20 2014 +0000 socket/glusterd/client: enable SSL for management The feature is controlled by presence of the following file: /var/lib/glusterd/secure-access See the comment near the definition of SECURE_ACCESS_FILE in glusterfs.h for the rationale. With this enabled, the following rules apply to connections: UNIX-domain sockets never have SSL. Management-port sockets (both connecting and accepting, in daemons and CLI) have SSL based on presence of the file. Other IP sockets have SSL based on the existing client.ssl and server.ssl volume options. Transport multi-threading is explicitly turned off in glusterd (it would otherwise be turned on when SSL is) due to multi-threading issues. Tests have been elided to avoid risk of leaving a file which will cause all subsequent tests to run with management SSL still enabled. IMPLEMENTATION NOTE The implementation is a bit messy, and consists of two stages. First we decide whether to set the relevant fields in our context structure, based on presence of the sentinel file OR a command-line override. Later we decide whether a particular connection should actually use SSL, based on the context flags plus what kind of connection we're making[1] and what kind of daemon we're in[2]. [1] inbound, outbound to glusterd port, other outbound [2] glusterd, glusterfsd, other TESTING NOTE Instead of just running one special test for this feature, the ideal would be to run all tests with management SSL enabled. However, it would be inappropriate or premature to set up an optional feature in the patch itself. Therefore, the method of choice is to submit a separate patch on top, which modifies "cleanup" in include.rc to recreate the secure-access file and associated SSL certificate/key files before each test. Change-Id: I0e04d6d08163893e24ec8c031748c5c447d7f780 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy> Reviewed-on: http://review.gluster.org/8094 Tested-by: Gluster Build System <jenkins.com> Reviewed-by: Vijay Bellur <vbellur>
A beta release for GlusterFS 3.6.0 has been released. Please verify if the release solves this bug report for you. In case the glusterfs-3.6.0beta1 release does not have a resolution for this issue, leave a comment in this bug and move the status to ASSIGNED. If this release fixes the problem for you, leave a note and change the status to VERIFIED. Packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update (possibly an "updates-testing" repository) infrastructure for your distribution. [1] http://supercolony.gluster.org/pipermail/gluster-users/2014-September/018836.html [2] http://supercolony.gluster.org/pipermail/gluster-users/
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.6.1, please reopen this bug report. glusterfs-3.6.1 has been announced [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution. [1] http://supercolony.gluster.org/pipermail/gluster-users/2014-November/019410.html [2] http://supercolony.gluster.org/mailman/listinfo/gluster-users