This repository has been archived by the owner on Mar 26, 2020. It is now read-only.
Add TLS support for client-bricks communication #967
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
prashanthpai
requested review from
kshlm and
aravindavk
and removed request for
kshlm
|
Tested as follows: Setting up certs # openssl genrsa -out /etc/ssl/glusterfs.key 2048
# openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj /CN=Anyone -out /etc/ssl/glusterfs.pem
# cp /etc/ssl/glusterfs.pem /etc/ssl/glusterfs.caEnabling TLS for a volume glustercli volume set test --advanced tls on$ glustercli volume info test
Volume Name: test
Type: Distribute
Volume ID: 12eb8aa0-8c2a-4aeb-b957-aba2d74f58b3
State: Created
Transport-type: tcp
Options:
client.transport.socket.ssl-enabled: on
server.transport.socket.ssl-enabled: on
Number of Bricks: 1
Brick1: 127.0.0.1:/export/brick1/dataThis shall be added to |
rishubhjain
reviewed
Jul 6, 2018
| @@ -43,7 +43,7 @@ func optionSetValidate(c transaction.TxnCtx) error { | |||
| return err | |||
| } | |||
|
|
|||
| if err := validateXlatorOptions(req.Options, &volinfo); err != nil { | |||
| if err := validateXlatorOptions(options, &volinfo); err != nil { | |||
| return fmt.Errorf("Validation failed for volume option:: %s", err.Error()) | |||
There was a problem hiding this comment.
TRIVIAL : @prashanthpai @Madhu-1 Should this statement start with lower case as well? Not part of changes made in this PR though.
prashanthpai
force-pushed
the
issue-214-part1
branch
from
2dd63bf
to
fb0cf02
Compare
This comment has been minimized.
This comment has been minimized.
prashanthpai
force-pushed
the
issue-214-part1
branch
5 times, most recently
from
586016b
to
24f75e8
Compare
prashanthpai
force-pushed
the
issue-214-part1
branch
from
96048b8
to
db33521
Compare
gluster-ant
pushed a commit
to gluster/glusterfs
that referenced
this pull request
Jul 11, 2018
This change explicitly adds 'ssl-allow' options to the server xlator's options table so that glusterd2 can see it as a settable option. This change also marks 'auth.allow' and 'auth.reject' options as a settable. Glusterd2 doesn't maintain a separate volume options table. Glusterd2 dynamically loads shared objects of xlators to read their option table and other information. Glusterd2 reads 'xlator_api_t' if available. If that's not available, it falls back to reading just the options table directly. In glusterd2, volume set operations are performed by users on keys of the format <xlator>.<option-name>. Glusterd2 uses xlator name set in 'xlator_api_t.identifier'. If that's not present it will use the shared object's file name as xlator name. Hence, it is important for 'xlator_api_t.identifier' to be set properly, and in this case, the proper value is "server". This name shall be used by users as prefix while setting volume options implemented in server xlator. The name will also be used in volfile. A user in glusterd2 can authorize a client over TLS as follows: $ glustercli volume set <volname> server.ssl-allow <client1-CN>[,<clientN-CN>] gd2 References: gluster/glusterd2#971 gluster/glusterd2#214 gluster/glusterd2#967 Updates: bz#1193929 Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17 Signed-off-by: Prashanth Pai <ppai@redhat.com>
prashanthpai
force-pushed
the
issue-214-part1
branch
from
db33521
to
984e82b
Compare
kshlm
reviewed
Jul 12, 2018
glusterd2/xlator/options/utils.go
Outdated
| } | ||
| graph = tmp[0] | ||
| xlator = tmp[1] | ||
| optName = k[len(graph)+1+len(xlator)+1:] |
There was a problem hiding this comment.
strings.Join(tmp[2:], ".") would be more readable here.
The options passed to validation function was the original group option present in the client request. This is incorrect and validation used to fail as group options aren't present in xlators. With this change, the expanded group options are passed to validation function. Signed-off-by: Prashanth Pai <ppai@redhat.com>
An empty default value for boolean type is to be treated as false. This will be used during resetting options to its default value. Signed-off-by: Prashanth Pai <ppai@redhat.com>
...that is used in setting volume options such as this one:
server.auth.addr.*.allow 127.0.0.1
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Volume set/reset options can be of one of these forms: <graph>.<xlator>.<option-name> <xlator>.<option-name> As xlator option name such as `transport.socket.ssl-enabled` can themselves contain dots, for the options.SplitKey() function it was hard to figure out which is graph and which is xlator. This change ensures that graph and xlator component are properly split for xlator options that contain dots. Signed-off-by: Prashanth Pai <ppai@redhat.com>
This change enables setting up TLS for client to bricks communication.
Unlike glusterd1 which requires two separate options - `client.ssl` and
`server.ssl` to be turned on, turning TLS on for a volume in glusterd2
is a single volume set operation. TLS can be enabled for a volume as
follows:
$ glustercli volume set <volname> --advanced tls on
To achieve this, when xlator shared ojects are loaded during startup,
options present in transport layer (socket.so and rdma.so) are injected
into list of options loaded from protocol layer (server.so and
client.so). The client and brick volfile expects the transport options
to be in client and server xlator sections.
Signed-off-by: Prashanth Pai <ppai@redhat.com>
prashanthpai
force-pushed
the
issue-214-part1
branch
from
984e82b
to
4a241a8
Compare
kshlm
approved these changes
Jul 12, 2018
| "tls": {"tls", | ||
| []api.VolumeOption{ | ||
| {Name: "server.transport.socket.ssl-enabled", OnValue: "on"}, | ||
| {Name: "client.transport.socket.ssl-enabled", OnValue: "on"}, |
There was a problem hiding this comment.
We should possibly try to get the socket.ssl-* options renamed to socket.tls-*. Makes this more the option more consistent.
amarts
pushed a commit
to amarts/glusterfs_fork
that referenced
this pull request
Sep 11, 2018
This change explicitly adds 'ssl-allow' options to the server xlator's options table so that glusterd2 can see it as a settable option. This change also marks 'auth.allow' and 'auth.reject' options as a settable. Glusterd2 doesn't maintain a separate volume options table. Glusterd2 dynamically loads shared objects of xlators to read their option table and other information. Glusterd2 reads 'xlator_api_t' if available. If that's not available, it falls back to reading just the options table directly. In glusterd2, volume set operations are performed by users on keys of the format <xlator>.<option-name>. Glusterd2 uses xlator name set in 'xlator_api_t.identifier'. If that's not present it will use the shared object's file name as xlator name. Hence, it is important for 'xlator_api_t.identifier' to be set properly, and in this case, the proper value is "server". This name shall be used by users as prefix while setting volume options implemented in server xlator. The name will also be used in volfile. A user in glusterd2 can authorize a client over TLS as follows: $ glustercli volume set <volname> server.ssl-allow <client1-CN>[,<clientN-CN>] gd2 References: gluster/glusterd2#971 gluster/glusterd2#214 gluster/glusterd2#967 Updates: bz#1193929 Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17 Signed-off-by: Prashanth Pai <ppai@redhat.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change enables setting up TLS for client to bricks communication.
Unlike glusterd1 which requires two separate options -
client.sslandserver.sslto be turned on, turning TLS on for a volume in glusterd2is a single volume set operation. TLS can be enabled for a volume as
follows:
To achieve this, when xlator shared ojects are loaded during startup,
options present in transport layer (socket.so and rdma.so) are injected
into list of options loaded from protocol layer (server.so and
client.so). The client and brick volfile expects the transport options
to be in client and server xlator sections.
This PR also tests that client authorization works as expected which can be used as follows:
This is dependent on: https://review.gluster.org/#/c/20472
Other fixes:
Closes #214
Closes #971