22.5. Authorizing a New Client
If your Red Hat Gluster Storage trusted storage pool is configured for network encryption, every new client you add must be explicitly authorized before it can access the trusted storage pool.
Authorizing a new client is simple if the client's certificate is signed by a Certificate Authority whose certificate is already present in the /etc/ssl/glusterfs.ca file on the servers.
- Generate the glusterfs.key private key and the glusterfs.csr certificate signing request, send glusterfs.csr to the CA for verification, and obtain the signed glusterfs.pem from the CA. Place the private key and signed certificate for the new client in the appropriate locations using the steps listed at Section 22.1, “Prerequisites”.
- Copy the /etc/ssl/glusterfs.ca file from another client and place it in the /etc/ssl/ directory on the new client.
- Create the /var/lib/glusterd/secure-access file on the new client if management encryption is enabled in the trusted storage pool:
  # touch /var/lib/glusterd/secure-access
- Set the list of common names allowed to access the volume. Include the common names of all the servers as well as those of every client that is allowed to access the volume:
  # gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'
  Note
  The gluster volume set command replaces the existing value of an option; it does not append to it. To add a name to the list, get the current list with the gluster volume info command, append the new name, and set the complete list again with gluster volume set. Leaving an existing server or client out of the new list revokes its access.
- Mount the volume from the new client. For example, to manually mount a volume and access data using the Native client, use the following command:
  # mount -t glusterfs server1:/test-volume /mnt/glusterfs
22.5.2. Self-signed Certificates
Note
This procedure involves downtime as the volume has to be rendered offline.
To authorize a new client to access the Red Hat Gluster Storage trusted storage pool using a self-signed certificate, perform the following steps.
- Generate the glusterfs.key private key and the glusterfs.pem certificate for the client, and place them in the appropriate locations on the client using the steps listed at Section 22.1, “Prerequisites”.
- Copy the /etc/ssl/glusterfs.ca file from one of the existing clients and place it in /etc/ssl/ on the new client.
- Create the /var/lib/glusterd/secure-access file on the new client if management encryption is enabled (every client must have this file when management encryption is in use):
  # touch /var/lib/glusterd/secure-access
- Copy the /etc/ssl/glusterfs.ca file from one of the existing servers, append the contents of the new client's certificate (glusterfs.pem) to it, and distribute the updated file to /etc/ssl/glusterfs.ca on all servers. Until a server trusts the new client's certificate, the TLS handshake from that client fails regardless of the auth.ssl-allow setting.
- Set the list of common names of the clients allowed to access the volume. Be sure to include the common names of all the servers:
  # gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'
  Note
  The gluster volume set command replaces the existing value of an option; it does not append to it. To add a name to the list, get the current list with the gluster volume info command, append the new name, and set the complete list again with gluster volume set.
  If auth.ssl-allow is set to *, any client that completes TLS authentication (that is, presents a certificate trusted through /etc/ssl/glusterfs.ca) can mount and access the volume from the application side. Either set the option to * if that is acceptable for your deployment, or list the common names of the permitted clients together with those of all nodes in the trusted storage pool.
- Restart the volume:
  # gluster volume stop VOLNAME
  # gluster volume start VOLNAME
- If management encryption is enabled, restart glusterd on all the servers.
- Mount the volume from the new client. For example, to manually mount a volume and access data using the Native client, use the following command:
  # mount -t glusterfs server1:/test-volume /mnt/glusterfs
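Both procedures above carry the same caveat: gluster volume set overwrites auth.ssl-allow, so a hurried "set" that names only the new client locks out every existing server and client. The helper below is an added example, not part of the Red Hat documentation or of the Gluster project. It reads the current value out of gluster volume info, merges the new common name in without duplicates, and only then calls gluster volume set. The parsing and merge functions are pure shell and are exercised here against a constructed sample of gluster volume info output; the authorize_client function assumes the gluster CLI is on PATH and is run on a node of the trusted storage pool. An existing value of * is kept as-is, since that wildcard already admits every certificate trusted through /etc/ssl/glusterfs.ca and silently narrowing it would change who can mount.

```shell
#!/bin/sh
# Append a common name to auth.ssl-allow without clobbering existing entries.
# Added example, not from the Red Hat documentation or the Gluster project.
# Assumes the `gluster` CLI is available only where authorize_client is run;
# the two helpers above it never touch the system.

# current_ssl_allow: read `gluster volume info` output on stdin and print the
# current auth.ssl-allow value (empty output if the option is not set).
# Option lines in that output look like "auth.ssl-allow: a,b,c".
current_ssl_allow() {
    sed -n 's/^auth\.ssl-allow:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# merge_ssl_allow EXISTING NEW: print EXISTING with NEW appended.
#   - empty EXISTING  -> NEW alone
#   - EXISTING is '*' -> '*' unchanged (wildcard already covers NEW)
#   - NEW already listed -> EXISTING unchanged (no duplicates)
merge_ssl_allow() {
    existing=$1
    new=$2
    case "$existing" in
        '')  printf '%s\n' "$new"; return ;;
        '*') printf '%s\n' '*'; return ;;
    esac
    # Wrap in commas so "client1" does not match inside "client10".
    case ",$existing," in
        *",$new,"*) printf '%s\n' "$existing"; return ;;
    esac
    printf '%s,%s\n' "$existing" "$new"
}

# authorize_client VOLNAME CN: the live operation. Fetches the current list,
# merges CN into it, and writes the complete list back with one `volume set`.
authorize_client() {
    vol=$1
    cn=$2
    existing=$(gluster volume info "$vol" | current_ssl_allow)
    merged=$(merge_ssl_allow "$existing" "$cn")
    if [ "$merged" = "$existing" ]; then
        echo "auth.ssl-allow on $vol already covers $cn: $existing" >&2
        return 0
    fi
    gluster volume set "$vol" auth.ssl-allow "$merged"
}
```

Run authorize_client VOLNAME client4 on a node of the pool after the client's certificate has been installed (and, for self-signed certificates, after its certificate has been appended to glusterfs.ca on every server). Confirm the result with gluster volume info VOLNAME before mounting from the new client; with self-signed certificates the volume restart from the procedure above is still required.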