Security concerns with glusterfs?
Solution 1:
TL,DR: Adding servers to the cluster (called pool) is safe, because a 3rd party cannot join an existing cluster on it's own, it needs to be invited from within. But make sure to restrict which clients can mount the volumes and encrypt the connections.
There was no questions asked. I did nothing to tell server2 to allow server1 to add it to the cluster.
I had this question myself so I went to take a look at the documentation.
When you are creating a new cluster, you start on one server and add others using gluster peer probe OTHER_SERVER
. Additional security isn't strictly required, because you are adding new, uninitialized glusterfs servers. (Unless you leave a freshly installed, uninitialized gluster running with public access - then you are in trouble).
So what prevents an attacker from joining your existing cluster? The key is the following paragraph:
Once this pool has been established, only trusted members may probe new servers into the pool. A new server cannot probe the pool, it must be probed from the pool. (source)
As the documentation says, a 3rd party/adversary cannot join your cluster, it needs to be invited from within.
Note that clients do not need to be in the pool to mount the volumes.
Gluster also provides other security mechanisms to restrict access to data and to mitigate against related attacks:
- IP allow/deny on volume level,
gluster volume set VOL_NAME auth.allow IP1,IP2
- TLS - transport encryption as well as using identities from certificates instead of IP addresses for authorization (not enabled by default and out of scope of this answer, see link)
So if the volumes are not meant to be public:
- use encrypted and authenticated links between servers and servers-clients (Gluster TLS/IPSec/VPN)
- with a firewall setup that does not allow any connections from the outside
- and use
auth.allow
(auth.ssl-allow
for TLS) for finer control on the volume level.
Solution 2:
Your Gluster servers should be on their own, firewalled off section of your infrastructure. They are not intended to be exposed to the public internet.
Solution 3:
I agree that this is insane: security is an add-on to glusterfs. As pointed out by @ceejayoz, glusterfs is designed to only be run on a physically secured and isolated network.
Fortunately, glusterfs has added on ssl support, which is sadly almost completely undocumented. Presumably using ssl will make things better, although since it's undocumented it's hard to say for certain. What documentation exists is in this blog. Sadly, it only gives a sequence of steps.