-
Notifications
You must be signed in to change notification settings - Fork 82
Add TLS support for client-bricks communication #967
Conversation
Tested as follows: Setting up certs # openssl genrsa -out /etc/ssl/glusterfs.key 2048
# openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj /CN=Anyone -out /etc/ssl/glusterfs.pem
# cp /etc/ssl/glusterfs.pem /etc/ssl/glusterfs.ca Enabling TLS for a volume glustercli volume set test --advanced tls on $ glustercli volume info test
Volume Name: test
Type: Distribute
Volume ID: 12eb8aa0-8c2a-4aeb-b957-aba2d74f58b3
State: Created
Transport-type: tcp
Options:
client.transport.socket.ssl-enabled: on
server.transport.socket.ssl-enabled: on
Number of Bricks: 1
Brick1: 127.0.0.1:/export/brick1/data This shall be added to |
@@ -43,7 +43,7 @@ func optionSetValidate(c transaction.TxnCtx) error { | |||
return err | |||
} | |||
|
|||
if err := validateXlatorOptions(req.Options, &volinfo); err != nil { | |||
if err := validateXlatorOptions(options, &volinfo); err != nil { | |||
return fmt.Errorf("Validation failed for volume option:: %s", err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TRIVIAL : @prashanthpai @Madhu-1 Should this statement start with lower case as well? Not part of changes made in this PR though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure
2dd63bf
to
fb0cf02
Compare
This comment has been minimized.
This comment has been minimized.
586016b
to
24f75e8
Compare
96048b8
to
db33521
Compare
This change explicitly adds 'ssl-allow' options to the server xlator's options table so that glusterd2 can see it as a settable option. This change also marks 'auth.allow' and 'auth.reject' options as a settable. Glusterd2 doesn't maintain a separate volume options table. Glusterd2 dynamically loads shared objects of xlators to read their option table and other information. Glusterd2 reads 'xlator_api_t' if available. If that's not available, it falls back to reading just the options table directly. In glusterd2, volume set operations are performed by users on keys of the format <xlator>.<option-name>. Glusterd2 uses xlator name set in 'xlator_api_t.identifier'. If that's not present it will use the shared object's file name as xlator name. Hence, it is important for 'xlator_api_t.identifier' to be set properly, and in this case, the proper value is "server". This name shall be used by users as prefix while setting volume options implemented in server xlator. The name will also be used in volfile. A user in glusterd2 can authorize a client over TLS as follows: $ glustercli volume set <volname> server.ssl-allow <client1-CN>[,<clientN-CN>] gd2 References: gluster/glusterd2#971 gluster/glusterd2#214 gluster/glusterd2#967 Updates: bz#1193929 Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17 Signed-off-by: Prashanth Pai <ppai@redhat.com>
db33521
to
984e82b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. A small change suggested for easier understand ability.
glusterd2/xlator/options/utils.go
Outdated
} | ||
graph = tmp[0] | ||
xlator = tmp[1] | ||
optName = k[len(graph)+1+len(xlator)+1:] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strings.Join(tmp[2:], ".")
would be more readable here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
The options passed to validation function was the original group option present in the client request. This is incorrect and validation used to fail as group options aren't present in xlators. With this change, the expanded group options are passed to validation function. Signed-off-by: Prashanth Pai <ppai@redhat.com>
An empty default value for boolean type is to be treated as false. This will be used during resetting options to its default value. Signed-off-by: Prashanth Pai <ppai@redhat.com>
...that is used in setting volume options such as this one: server.auth.addr.*.allow 127.0.0.1 Signed-off-by: Prashanth Pai <ppai@redhat.com>
Volume set/reset options can be of one of these forms: <graph>.<xlator>.<option-name> <xlator>.<option-name> As xlator option name such as `transport.socket.ssl-enabled` can themselves contain dots, for the options.SplitKey() function it was hard to figure out which is graph and which is xlator. This change ensures that graph and xlator component are properly split for xlator options that contain dots. Signed-off-by: Prashanth Pai <ppai@redhat.com>
This change enables setting up TLS for client to bricks communication. Unlike glusterd1 which requires two separate options - `client.ssl` and `server.ssl` to be turned on, turning TLS on for a volume in glusterd2 is a single volume set operation. TLS can be enabled for a volume as follows: $ glustercli volume set <volname> --advanced tls on To achieve this, when xlator shared ojects are loaded during startup, options present in transport layer (socket.so and rdma.so) are injected into list of options loaded from protocol layer (server.so and client.so). The client and brick volfile expects the transport options to be in client and server xlator sections. Signed-off-by: Prashanth Pai <ppai@redhat.com>
984e82b
to
4a241a8
Compare
"tls": {"tls", | ||
[]api.VolumeOption{ | ||
{Name: "server.transport.socket.ssl-enabled", OnValue: "on"}, | ||
{Name: "client.transport.socket.ssl-enabled", OnValue: "on"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should possibly try to get the socket.ssl-*
options renamed to socket.tls-*
. Makes this more the option more consistent.
This change explicitly adds 'ssl-allow' options to the server xlator's options table so that glusterd2 can see it as a settable option. This change also marks 'auth.allow' and 'auth.reject' options as a settable. Glusterd2 doesn't maintain a separate volume options table. Glusterd2 dynamically loads shared objects of xlators to read their option table and other information. Glusterd2 reads 'xlator_api_t' if available. If that's not available, it falls back to reading just the options table directly. In glusterd2, volume set operations are performed by users on keys of the format <xlator>.<option-name>. Glusterd2 uses xlator name set in 'xlator_api_t.identifier'. If that's not present it will use the shared object's file name as xlator name. Hence, it is important for 'xlator_api_t.identifier' to be set properly, and in this case, the proper value is "server". This name shall be used by users as prefix while setting volume options implemented in server xlator. The name will also be used in volfile. A user in glusterd2 can authorize a client over TLS as follows: $ glustercli volume set <volname> server.ssl-allow <client1-CN>[,<clientN-CN>] gd2 References: gluster/glusterd2#971 gluster/glusterd2#214 gluster/glusterd2#967 Updates: bz#1193929 Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17 Signed-off-by: Prashanth Pai <ppai@redhat.com>
This change enables setting up TLS for client to bricks communication.
Unlike glusterd1 which requires two separate options -
client.ssl
andserver.ssl
to be turned on, turning TLS on for a volume in glusterd2is a single volume set operation. TLS can be enabled for a volume as
follows:
To achieve this, when xlator shared ojects are loaded during startup,
options present in transport layer (socket.so and rdma.so) are injected
into list of options loaded from protocol layer (server.so and
client.so). The client and brick volfile expects the transport options
to be in client and server xlator sections.
This PR also tests that client authorization works as expected which can be used as follows:
This is dependent on: https://review.gluster.org/#/c/20472
Other fixes:
Closes #214
Closes #971