Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
Hi, HU

Thanks for your help.
I tried your example (1 server, 1 client) to test the authentication function, and it works.
But when I tested it in replication mode (multi-node), FUSE mounting works, but NFS didn't. Any node can mount the volume via NFS.

The following is my config:

    volume gluster-new-volume-server
        type protocol/server
        option transport-type tcp
        option auth.addr./mnt/gluster1.allow 10.18.14.240,10.18.14.248,10.18.14.241,10.18.14.242,10.18.14.243
        subvolumes /mnt/gluster1
    end-volume

After starting the volume, the log showed the following:

    +--+
    [2011-01-11 01:07:54.188695] E [authenticate.c:235:gf_authenticate] auth: no authentication module is interested in accepting remote-client (null)
    [2011-01-11 01:07:54.188716] E [server-handshake.c:545:server_setvolume] gluster-new-volume-server: Cannot authenticate client from 127.0.0.1:1017
    [2011-01-11 01:07:55.264728] I [server-handshake.c:535:server_setvolume] gluster-new-volume-server: accepted client from 10.18.14.241:995
    [2011-01-11 01:07:55.267990] I [server-handshake.c:535:server_setvolume] gluster-new-volume-server: accepted client from 10.18.14.242:1012
    [2011-01-11 01:07:55.272025] I [server-handshake.c:535:server_setvolume] gluster-new-volume-server: accepted client from 10.18.14.243:996

Do you know whether it is necessary to add 127.0.0.1 to the allow list? And can't it use the host's real IP (10.18.14.240)?
But even if I used 127.0.0.1 to replace 10.18.14.240, NFS authentication control still does not work.

-Original message-
From: HU Zhong hz02...@gmail.com
To: wei.ch...@m2k.com.tw
Cc: gluster-users gluster-users@gluster.org
Date: Mon, 10 Jan 2011 11:36:00 +0800
Subject: Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do

Hi, Cheng

I think you did the configuration in the wrong place. Instead of /etc/glusterd/nfs/nfs-server.vol, you need to modify files under /etc/glusterd/vols/.
Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
Hi

It seems that the node 10.18.14.240 runs both server and client. If not, write the server list and the client list here. As you can see in the log, the nodes other than the above are all accepted by the server, so you can add both 10.18.14.240 and 127.0.0.1 to the ip-allowed list to see whether it works or not.

On Tue, 2011-01-11 at 01:25 +0800, W.C Lee wrote:
> Hi, HU
>
> Thanks for your help.
> I tried your example (1 server, 1 client) to test the authentication function, and it works.
> But when I tested it in replication mode (multi-node), FUSE mounting works, but NFS didn't. Any node can mount the volume via NFS.
>
> The following is my config:
>
>     volume gluster-new-volume-server
>         type protocol/server
>         option transport-type tcp
>         option auth.addr./mnt/gluster1.allow 10.18.14.240,10.18.14.248,10.18.14.241,10.18.14.242,10.18.14.243
>         subvolumes /mnt/gluster1
>     end-volume
>
> After starting the volume, the log showed the following:
>
>     +--+
>     [2011-01-11 01:07:54.188695] E [authenticate.c:235:gf_authenticate] auth: no authentication module is interested in accepting remote-client (null)
>     [2011-01-11 01:07:54.188716] E [server-handshake.c:545:server_setvolume] gluster-new-volume-server: Cannot authenticate client from 127.0.0.1:1017
>     [2011-01-11 01:07:55.264728] I [server-handshake.c:535:server_setvolume] gluster-new-volume-server: accepted client from 10.18.14.241:995
>     [2011-01-11 01:07:55.267990] I [server-handshake.c:535:server_setvolume] gluster-new-volume-server: accepted client from 10.18.14.242:1012
>     [2011-01-11 01:07:55.272025] I [server-handshake.c:535:server_setvolume] gluster-new-volume-server: accepted client from 10.18.14.243:996
>
> Do you know whether it is necessary to add 127.0.0.1 to the allow list? And can't it use the host's real IP (10.18.14.240)?
> But even if I used 127.0.0.1 to replace 10.18.14.240, NFS authentication control still does not work.
Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
___ Gluster-users mailing list Gluster-users@gluster.org http://gluster.org/cgi-bin/mailman/listinfo/gluster-users
Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
Hi, Cheng

I think you did the configuration in the wrong place. Instead of /etc/glusterd/nfs/nfs-server.vol, you need to modify files under /etc/glusterd/vols/.

As a simple example, consider a one-server-one-client system: both server and client are one machine (localhost, ip: 192.168.4.112), which exports the directory /home/huz/share for sharing, and the client wants to mount it on /home/huz/mnt.

If I modify the default configuration /etc/glusterd/vols/testvol/testvol.192.168.4.112.home-huz-share.vol from

    ..
    volume testvol-server
        type protocol/server
        option transport-type tcp
        option auth.addr./home/huz/share.allow *
        subvolumes /home/huz/share
    end-volume

to

    ..
    volume testvol-server
        type protocol/server
        option transport-type tcp
        option auth.addr./home/huz/share.reject *
        subvolumes /home/huz/share
    end-volume

the mount command will fail:

    $ sudo mount -o mountproto=tcp -t nfs localhost:/testvol /home/huz/mnt
    mount.nfs: mounting localhost:/testvol failed, reason given by server: No such file or directory

and the log shows the authentication error:

    11-01-10 11:09:58.203600] E [client-handshake.c:786:client_setvolume_cbk] testvol-client-0: SETVOLUME on remote-host failed: Authentication failed

Change reject to allow, and the mount operation will be OK. You can configure your own IP rule. As for how to use IP auth and username/password auth, you can check the attachment. It's a documentation file under the directory doc of the glusterfs src project.

On Sun, 2011-01-09 at 22:31 +0800, 第二信箱 wrote:
> Hi, HU:
> Thanks for your help.
> I have the following environment:
>
> Gluster 3.1.1
> Volume Name: gluster-volume
> Type: Distributed-Replicate
> Status: Started
> Number of Bricks: 2 x 2 = 4
> Transport-type: tcp
> Bricks:
> Brick1: gluster1:/mnt/gluster1
> Brick2: gluster2:/mnt/gluster2
> Brick3: gluster3:/mnt/gluster3
> Brick4: gluster4:/mnt/gluster4
>
> I want to use the authenticate module as you suggested. The way I used is below:
> 1. Stop Volume
> 2. Edit /etc/glusterd/nfs/nfs-server.vol on Brick1 (Gluster1)
> 3. Modify and Add
>
> From
>
>     volume nfs-server
>         type nfs/server
>         option nfs.dynamic-volumes on
>         option rpc-auth.addr.gluster-volume.allow *
>         option nfs3.gluster-volume.volume-id 907941d9-6950-425b-b3d5-4e43dd420d9e
>         subvolumes gluster-volume
>     end-volume
>
> to
>
>     volume nfs-server
>         type nfs/server
>         option nfs.dynamic-volumes on
>         option rpc-auth.addr.gluster-volume.allow 10.18.14.1
>         option auth.addr.gluster-volume.allow 10.18.14.1
>         option nfs3.gluster-volume.volume-id 907941d9-6950-425b-b3d5-4e43dd420d9e
>         subvolumes gluster-volume
>     end-volume
>
> 4. Start Volume
>
> --
> But I am still able to mount the volume from 10.18.14.2 by NFS.
> Is there anything I missed or got wrong?
>
> And I find:
> A. After I started the volume, nfs-server.vol was initialized to option rpc-auth.addr.gluster-volume.allow * .
> B. All 4 nodes have /etc/glusterd/nfs/nfs-server.vol. Should I edit every .vol file on the 4 nodes?
>
> -Original message-
> From: HU Zhong hz02...@gmail.com
> To: wei.ch...@m2k.com.tw
> Cc: gluster-users gluster-users@gluster.org
> Date: Fri, 07 Jan 2011 21:17:14 +0800
> Subject: Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
>
> Hi, Cheng
>
> There are 2 types of authenticate module that you can config:
> 1. IP address
> 2. login user/password
>
> Please check this site:
> http://www.gluster.com/community/documentation/index.php/Translators/protocol/server
>
> On Fri, 2011-01-07 at 17:07 +0800, 第二信箱 wrote:

* Authentication is provided by two modules, addr and login. Login based authentication uses username/password from client for authentication. Each module returns either ACCEPT, REJECT or DONT_CARE. DONT_CARE is returned if the input authentication information to the module is not concerned to its working. The theory behind authentication is that none of the auth modules should return REJECT and at least one of them should return ACCEPT.

* Currently all the authentication related information is passed un-encrypted over the network from client to server.

* options provided in protocol/client:
  * for username/password based authentication:
      option username username
      option password password
  * client can have only one set of username/password
  * for addr based authentication:
    * no options required in protocol/client. Client has to bind to privileged port (port < 1024), which means the process in which protocol/client is loaded has to be run as root
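The decision rule from the attached documentation, modelled as an added example (not GlusterFS source code and not part of the thread): each module returns ACCEPT, REJECT or DONT_CARE, and a client is admitted only if no module rejects and at least one accepts. Assumptions: addresses are matched as glob patterns, reject rules are checked before allow rules, the `users` map and the `check_peer` helper are hypothetical, and the privileged-port requirement is not modelled.

```python
import hmac
from enum import Enum
from fnmatch import fnmatch

class Verdict(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    DONT_CARE = "DONT_CARE"

def addr_module(peer_ip, allow=(), reject=()):
    """addr module model: patterns are globs, as in `allow *` on this page."""
    # Assumption: reject patterns are evaluated before allow patterns.
    if any(fnmatch(peer_ip, pat) for pat in reject):
        return Verdict.REJECT
    if any(fnmatch(peer_ip, pat) for pat in allow):
        return Verdict.ACCEPT
    return Verdict.DONT_CARE  # peer matches no rule: no opinion

def login_module(creds, users):
    """login module model; `users` is a hypothetical name -> password map."""
    if creds is None:
        return Verdict.DONT_CARE  # client sent no username/password
    user, password = creds
    expected = users.get(user)
    # Assumption: an unknown user or a wrong password is a REJECT.
    if expected is not None and hmac.compare_digest(expected, password):
        return Verdict.ACCEPT
    return Verdict.REJECT

def authenticate(verdicts):
    """No module may REJECT, and at least one must ACCEPT."""
    return Verdict.REJECT not in verdicts and Verdict.ACCEPT in verdicts

# Allow list copied from the brick volfile quoted in the thread.
ALLOW = ["10.18.14.240", "10.18.14.248", "10.18.14.241",
         "10.18.14.242", "10.18.14.243"]

def check_peer(peer_ip, allow=ALLOW, reject=(), creds=None, users=None):
    """Return (admitted, per-module verdicts) for one connecting peer."""
    verdicts = [addr_module(peer_ip, allow, reject),
                login_module(creds, users or {})]
    return authenticate(verdicts), verdicts

if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.18.14.241", "10.18.14.2"):
        ok, verdicts = check_peer(ip)
        print(ip, "accepted" if ok else "denied", [v.value for v in verdicts])
```

With the allow list from the thread, 127.0.0.1 gets DONT_CARE from both modules and is denied, which corresponds to the "no authentication module is interested in accepting remote-client" line in the quoted log.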
[Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
Re: [Gluster-users] Dose Gluster 3.1 support authorisation control and how to do
Hi, Cheng

There are 2 types of authenticate module that you can config:
1. IP address
2. login user/password

Please check this site:
http://www.gluster.com/community/documentation/index.php/Translators/protocol/server

On Fri, 2011-01-07 at 17:07 +0800, 第二信箱 wrote: