-
Notifications
You must be signed in to change notification settings - Fork 85
Conversation
Can one of the admins verify this patch? |
This is a work in progress PR. Need to verify the changes with certificates in place. |
561fd25
to
01bac99
Compare
add to whitelist |
775a5e9
to
24969e9
Compare
Verified the changes with below steps
|
@kshlm @aravindavk @atinmu @prashanthpai please review the changes. |
Also tested by disabling TLS as below
and works as expected. Tried now the command
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should definitely move the defaults that have been set in elasticetcd out, and into GD2.
Also, I'd like to understand what all the different certs are for. And if possible, reduce the number.
glusterd2/store/config.go
Outdated
|
||
Dir string | ||
ConfFile string | ||
SrvrCertFile string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the difference between Server, Client and Peer here?
Why do we need so many certs and CA files? Couldn't we just use the same cert and ca for all?
Ideally, GD2 should be using the same identity ie., the same certs for all servers it exposes (rest, grpc, sunrpc, elasticetcd), and client connections it establishes (grpc, elasticetcd, external etcd). The only place I see we may possibly be required to use a different cert, would be the external etcd case, where the etcd provider may provide the cert for us.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Server has its own certificate and key and server should be started that set.
Clients get a public key and certificate which they use for getting authenticated at server.
Similarly peer-to-peer communication is also authenticated using a pair of certificate and key.
Same server certificates and keys it possible as we need below json input for cfssl
{
"CN": "My own CA",
"hosts": [
"{host1}",
"{host2}",
..........
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}
I think similar thing is possible for clients as well with below json input
{
"CN": "My own CA",
"hosts": ["{clnt1}", "clnt2", ......],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}
Using same certificates for rest, grpc, sunrpc, elasticetcd is something we might need to check I feel.
glusterd2/store/remote.go
Outdated
var e error | ||
if conf.UseTLS { | ||
tlsConfig = &tls.Config{ | ||
MinVersion: tls.VersionTLS10, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are the defaults for these. There is no need to set them unless you change to something different. I'd prefer if we just stick to tls1.2, but that's just my opinion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kshlm do you want min version to be set as 1.2?
pkg/elasticetcd/config.go
Outdated
DefaultName = "elasticetcd" | ||
DefaultIdealSize = 3 | ||
DefaultDir = "." | ||
DefaultCertFile = "/var/lib/gd2/certificates/server.crt" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The elasticetcd package should not contain defaults referencing GD2. It is expected to remain a standalone package, without any ties to the rest of GD2. Please move these defaults to GD2, preferrably to the store package for now.
Also, we shouldn't hardcode paths, as GD2 can use different working/config/state directories. Instead, I'd suggest setting a default directory name for a certs directory, and default filenames for the certs. Then you could build the paths based on the configured directories when you need to pass the paths. For eg.
const (
DefaultCertDir = "certificates"
DefaultCertFile = "server.crt"
)
serverCert := path.Join(config.GetString("localstatedir", DefaultCertDir, DefaultCertFile)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with dirname and filename thing. Will change accordingly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now its removed from EE config and whatever value is set in config file would be considered as full path if the certificates. User can choose to keep the certs in any path.
pkg/elasticetcd/config.go
Outdated
CURLs: defaultCURLs, | ||
PURLs: defaultPURLs, | ||
IdealSize: DefaultIdealSize, | ||
CertFile: DefaultCertFile, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not necessary for the cert files to be set in the default config, as they are not necessary for the operation of elasticetcd.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack. Will remove these.
Ack.
The no. of certificates is as per the guidelines from etcd documents. For sure server and client certificates are to be different. Its like, using CA we create server certificates which is private to server. The client certificates are to be given to clients which connect to the server. Yes the client certificates could be same for all. Still I strongly feel the peer certificates should be different from client-server combo. We should not mix client-to-server communication with peer-to-peer communication. So in total we need at least below files I feel
comments?? |
The recommendations in the etcd document are for general etcd deployments, where you have an etcd cluster, and external consumers. In that case it makes sense to split TLS for internal etcd cluster interface (peer cert), and external client API (server cert and client cert). In GD2 with elasticetcd, we are a single entity. We are the etcd cluster doing the internal operations, and serving etcd kv store with ourselves as clients. So, it is okay (IMO) for us to be using a single certificate which identifies us, for all cases. If we really need to, we could split up TLS configuration for internal and external traffic. A cert and CA for internal traffic (etcd peer traffic and GD2 gRPC traffic). And a seperate cert and CA for external facing interfaces (GD2 ReST, SunRPC, etcd client API). External clients (GD2 or etcd) get their own certs, signed using the extrenal interface CA. |
I agree to the suggestion of two sets one for internal traffic and one for external traffic. I feel its better we rename the certs and key configuration names accordingly in this PR. And we have separate PRs for enabling TLS for gRPC, SunRPC and GD2 REST using the same cert configurations. In that case I suggest below configurations to be maintained CAFile: The pem file for certifying authority Suggestions? @prashanthpai @aravindavk @amarts @atinmu |
Let it be 'Client*' and 'Peer*' for external and internal respectively. We already call the addresses we listen on as ClientAddress and PeerAddress. And have these configs in the main GD2 config. |
Now we have client and server certs only. Instead of calling peer certs its just |
Can others also please review the PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shtripat Sorry for the really late review.
The PR looks good. A few of the files haven't been gofmt
ed, and is causing CI failure. You'll need to fix that.
As you do that, I also request that you move the config option keys out of store and into the main config. They're more suitable there.
glusterd2/store/config.go
Outdated
certFile = "cert-file" | ||
keyFile = "key-file" | ||
caFile = "caFile" | ||
clntCertFile = "client-cert-file" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be preferrable to add this to glusterd2/config.go
. I'd want to use the same options for tls certs for other servers.
Also, for uniformity change 'caFile' to 'ca-file'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done. will update the PR accordingly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moving the constants to glusterd2/config.go
causes cyclic dependencies as below
package github.com/gluster/glusterd2/glusterd2
imports github.com/gluster/glusterd2/glusterd2/daemon
imports github.com/gluster/glusterd2/glusterd2/events
imports github.com/gluster/glusterd2/glusterd2/store
imports github.com/gluster/glusterd2/glusterd2
How to go about this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel rather we can have a commons
package with all the common stuff defined which could be used across modules like glusterd2
, glustercli
etc.
@kshlm thoughts??
@shtripat Still failing lint checks on centos-ci.
Also, when fixing this. We keep common packages under |
Ah I ran only ran |
pkg/commons/constants.go
Outdated
@@ -0,0 +1,11 @@ | |||
package commons |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have tried to avoid doing something like this if the reason was just to circumvent cyclic dependency. I'm okay duplicating this if multiple packages require just these constants.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kshlm @aravindavk what is your thought on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm actually okay with doing this, as I don't want to duplicate code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@prashanthpai also its not just about avoiding the cyclic dependency. Rather its more to do with reuse of common constants. I personally agree with @kshlm here. @aravindavk ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
commons package looks good to me, otherwise we will end up editing in multiple places if we have to change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay. Fair enough.
I'm afraid that we might end up putting lot more stuff (like struct definitions) under common
because of its name. I want to discourage that practice. IIUC, the pkg
directory is meant to be home for reusable code like libraries which can be used by other projects too.
What are you thoughts about naming this package as constants
because that's what it provides ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean a separate package constants
parallel to pkg
? I am fine with that.
Signed-off-by: Shubhendu <shtripat@redhat.com>
Signed-off-by: Shubhendu <shtripat@redhat.com>
Signed-off-by: Shubhendu <shtripat@redhat.com>
Signed-off-by: Shubhendu shtripat@redhat.com