Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
9.5. Authorizing a New Client
If your Red Hat Gluster Storage trusted storage pool is configured for network encryption, and you add a new client, you must ensure to authorize a new client to access the trusted storage pool.
9.5.1. Certificate Signed with a Common Certificate Authority
Copia collegamentoCollegamento copiato negli appunti!
Authorizing access to a volume for a new client is simple if the client has a certificate signed by a Certificate Authority already present in the
/etc/ssl/glusterfs.ca file.
- Generate the
glusterfs.keyprivate key andglusterfs.csrcertificate signing request. Send theglusterfs.csrto get it verified by CA and get theglusterfs.pemfrom the CA. Generate the private key and signed certificate for the new server and place the files in the appropriate locations using the steps listed at Section 9.1, “Prerequisites” . - Copy
/etc/ssl/glusterfs.cafile from another client and place it in the/etc/ssl/directory on the new client.. - Create
/var/lib/glusterd/secure-accessfile if management encryption is enabled in the trusted storage pool.touch /var/lib/glusterd/secure-access
# touch /var/lib/glusterd/secure-accessCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Set the list of common names of all the servers to access the volume. Be sure to include the common names of clients which will be allowed to access the volume.
gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'
# gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note
Thegluster volume setcommand does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume infocommand, append the new name to the list and set the option again usinggluster volume setcommand. - Mount the volume from the new client. For example, to manually mount a volume and access data using Native client, use the following command:
mount -t glusterfs server1:/test-volume /mnt/glusterfs
# mount -t glusterfs server1:/test-volume /mnt/glusterfsCopy to Clipboard Copied! Toggle word wrap Toggle overflow
9.5.2. Self-signed Certificates
Copia collegamentoCollegamento copiato negli appunti!
Note
This procedure involves downtime as the volume has to be rendered offline.
To authorize a new client to access the Red Hat Gluster Storage trusted storage pool using self-signed certificate, perform the following.
- Generate the
glusterfs.keyprivate key andglusterfs.pemcertificate for the client, and place them at the appropriate locations on the client using the steps listed at Section 9.1, “Prerequisites” . - Copy
/etc/ssl/glusterfs.cafile from one of the clients, and add it to the new client. - Create the
/var/lib/glusterd/secure-accessfile on all the client, if the management encryption is enabled.touch /var/lib/glusterd/secure-access
# touch /var/lib/glusterd/secure-accessCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Copy
/etc/ssl/glusterfs.cafile from one of the existing servers, append the content of new client's certificate to it, and distribute the new CA file on all servers. - Set the list of common names for clients allowed to access the volume. Be sure to include the common names of all the servers.
gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'
# gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note
Thegluster volume setcommand does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume infocommand, append the new name to the list and set the option again usinggluster volume setcommand. - Restart the volume
gluster volume stop VOLNAME # gluster volume start VOLNAME
# gluster volume stop VOLNAME # gluster volume stop VOLNAME # gluster volume start VOLNAME# gluster volume start VOLNAMECopy to Clipboard Copied! Toggle word wrap Toggle overflow - If the management encryption is enabled, restart glusterd on all the servers.
- Mount the volume from the new client. For example, to manually mount a volume and access data using Native client, use the following command:
mount -t glusterfs server1:/test-volume /mnt/glusterfs
# mount -t glusterfs server1:/test-volume /mnt/glusterfsCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}