23.5. Authorizing a New Client

If your Red Hat Gluster Storage trusted storage pool is configured for network encryption, and you add a new client, you must ensure to authorize a new client to access the trusted storage pool.

23.5.1. Certificate Signed with a Common Certificate Authority

Authorizing access to a volume for a new client is simple if the client has a certificate signed by a Certificate Authority already present in the /etc/ssl/glusterfs.ca file.
  1. Generate the glusterfs.key private key and glusterfs.csr certificate signing request. Send the glusterfs.csr to get it verified by CA and get the glusterfs.pem from the CA. Generate the private key and signed certificate for the new server and place the files in the appropriate locations using the steps listed at Section 23.1, “Prerequisites” .
  2. Copy /etc/ssl/glusterfs.ca file from another client and place it in the /etc/ssl/ directory on the new client..
  3. Create /var/lib/glusterd/secure-access file if management encryption is enabled in the trusted storage pool.
    # touch /var/lib/glusterd/secure-access
  4. Set the list of common names of all the servers to access the volume. Be sure to include the common names of clients which will be allowed to access the volume.
    # gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'

    Note

    The gluster volume set command does not append to existing values of the options. To append the new name to the list, get the existing list using gluster volume info command, append the new name to the list and set the option again using gluster volume set command.
  5. Mount the volume from the new client. For example, to manually mount a volume and access data using Native client, use the following command:
    # mount -t glusterfs server1:/test-volume /mnt/glusterfs

23.5.2. Self-signed Certificates

Note

This procedure involves downtime as the volume has to be rendered offline.
To authorize a new client to access the Red Hat Gluster Storage trusted storage pool using self-signed certificate, perform the following.
  1. Generate the glusterfs.key private key and glusterfs.pem certificate for the client, and place them at the appropriate locations on the client using the steps listed at Section 23.1, “Prerequisites” .
  2. Copy /etc/ssl/glusterfs.ca file from one of the clients, and add it to the new client.
  3. Create the /var/lib/glusterd/secure-access file on all the client, if the management encryption is enabled.
    # touch /var/lib/glusterd/secure-access
  4. Copy /etc/ssl/glusterfs.ca file from one of the existing servers, append the content of new client's certificate to it, and distribute the new CA file on all servers.
  5. Set the list of common names for clients allowed to access the volume. Be sure to include the common names of all the servers.
    # gluster volume set VOLNAME auth.ssl-allow 'server1,server2,server3,client1,client2,client3'

    Note

    The gluster volume set command does not append to existing values of the options. To append the new name to the list, get the existing list using gluster volume info command, append the new name to the list and set the option again using gluster volume set command.
    If you set auth.ssl-allow option with * as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to * or provide common names of clients as well as the nodes in the trusted storage pool.
  6. Restart the volume
    # gluster volume stop VOLNAME # gluster volume start VOLNAME
  7. If the management encryption is enabled, restart glusterd on all the servers.
  8. Mount the volume from the new client. For example, to manually mount a volume and access data using Native client, use the following command:
    # mount -t glusterfs server1:/test-volume /mnt/glusterfs