SSL connection isn't working #20
same for
It is implemented, but not documented or very well tested. It isn't as simple as adding satellites with the SSL communication type; you would need to create a keystore file and a trustdb and also configure all satellites with an SSL connection.
Encrypted controller-satellite communication is only half-implemented, because there is no mutual authentication yet. So it's only half useful as of now, because anyone could connect to a satellite and pretend to be a controller. Client-controller connections do work (one of our debug console clients has used SSL connections since mid 2017), but SSL is not yet implemented in the current LINSTOR CLI client. For SSL connections to work, the server's private key and certificate must be stored in a keystore file, and the certificate of the certificate authority that signed the server certificates must be in a truststore file. An SSL connector must be configured in the controller configuration, and the keystore, truststore and passphrases for the entries stored in those files must be set for that connector.
@rp-, @raltnoeder thanks, I see. It's not critical now. About the certificate authority and the host certificates themselves, do I understand correctly that simply using FreeIPA can automate this process in the future? For now I just want to avoid any command execution on the controller from satellite nodes. Are there any plans for adding a simple authentication algorithm, like a passphrase/access token? I don't like the idea that everyone can do everything on the controller if I allow access from the satellites to it.
I have not used FreeIPA, but at first glance, the description of it does not say anything about FreeIPA's ability to manage SSL certificates. Satellite connections are only privileged to update certain information using certain APIs (e.g., update the free space information on storage pools). Apart from that, a satellite connection is subject to the same security limitations as any other connection to the controller. If mandatory authentication is enabled, controller commands can only be issued after signing in with a valid identity/password combination. At the RBAC and MAC security levels, access to controller objects (such as nodes, resources, etc.) is subject to access control checks, regardless of whether mandatory authentication is enabled or disabled (connections that have not signed in are assigned the PUBLIC role and PUBLIC security domain).
FreeIPA can manage certificates.
Could you please describe a little how I can configure linstor-client and the controller to use password-enabled authentication for executing remote commands on the controller. Is it supported by the proxmox/kubernetes/opennebula plugins?
As of now, authentication is not implemented on the client side. While it is partly implemented on the server side (by the
Hi, I found the simplest solution for me. My linstor is configured to accept only local connections:
Then I've configured stunnel with PSK authentication. On the server:
On the client:
Afterwards I can use a secure connection to the linstor-controller very easily.
Any updates on implementing mutual SSL authentication for controller-satellite and client-controller connections? I have configured a keystore and truststore by updating settings on the controller and enabled SSL. Is there a way to turn on client certificate verification on the satellite and/or controller? I can write a PR if you can point me in the direction of where I can make this change in Java.
PRs are always very welcome :) We have not tested that feature recently, so it might "just work". The classes you are looking for are here, where many of the
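To make the keystore/truststore setup described earlier and the client-certificate verification asked about here concrete, the following is an added example (not LINSTOR's own code): it builds a Java SSLContext from a keystore and a truststore and opens a listener that rejects peers without a certificate chained to the truststore. File paths, passphrases and the port are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example, not part of the LINSTOR code base. Paths, passphrases and port are placeholders.
public class MutualTlsListener {
    // Builds an SSLContext from the keystore (this side's private key + certificate) and the
    // truststore (the CA certificate that signed the peer certificates we are willing to accept).
    static SSLContext buildContext(String keystorePath, char[] keystorePass, char[] keyPass,
                                   String truststorePath, char[] truststorePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, keystorePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, truststorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens a listening socket that REQUIRES a client certificate chaining to the truststore.
    // Without setNeedClientAuth(true) only the server is authenticated and any peer is accepted,
    // which is the "anyone could pretend to be a controller" situation described in this thread.
    static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        server.setNeedClientAuth(true); // mutual authentication: handshake fails for unauthenticated peers
        return server;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("/path/to/keystore.jks", "CHANGEME".toCharArray(),
                "CHANGEME".toCharArray(), "/path/to/truststore.jks", "CHANGEME".toCharArray());
        try (SSLServerSocket server = listen(ctx, 12345)) { // placeholder port
            // The TLS handshake runs on the first I/O of the accepted socket; a peer without a
            // valid client certificate never reaches application logic.
            server.accept();
        }
    }
}
```

The same SSLContext, built with the client's own keystore, can be used on the connecting side with ctx.getSocketFactory(), so both peers present a certificate signed by the CA in the truststore.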
As I understand it, it is not implemented yet?
ErrorReport-5BB35A2A-00000-000000.log