Hi, It looks like for NFS you have to change nfs.rpc-auth-allow, not auth.allow (which is for access by API). Docs for nfs.rpc-auth-allow states that "By default, all clients are disallowed", but in fact the option has "all" as default value. Regarding auth.allow and information disclosure using FUSE - glusterd is not secure by design (https://www.gluster.org/pipermail/gluster-users/2016-July/027299.html). So, iptables may be the option.
-- Dmitry Glushenok Jet Infosystems > 23 сент. 2016 г., в 13:06, Kevin Lemonnier <[email protected]> написал(а): > > Hi, > > Using GlusterFS 3.7.15 on Debian 8 I'm trying to limit access using > auth.allow on my volume. > I have 3 nodes in replication with both a public interface and a private > interface on each. > Gluster uses the private IPs to communicate, but I noticed it was possible to > mount the volume > from the internet (that's bad ..) so I googled a bit. auth.allow, if I > understand it correctly, > should allow me to limit access of the volume to a list of IPs, is that > correct ? > > I ran gluster volume set VMs auth.allow 10.10.0.* and it said success (it > does appear in the info), > but I can still mount the volume from the internet. It works only using NFS > because using fuse it's > trying to use the private adresses, which won't work on the internet, but it > still gets the volume > config and the nodes names anyway. > > Should I do something specific after setting auth.allow ? > > Here is the volume info : > > Volume Name: VMs > Type: Replicate > Volume ID: d0ee13f2-055c-4f37-9c75-527d5e86b78d > Status: Started > Number of Bricks: 1 x 3 = 3 > Transport-type: tcp > Bricks: > Brick1: ips1adm.clientname:/mnt/storage/VMs > Brick2: ips2adm.clientname:/mnt/storage/VMs > Brick3: ips3adm.clientname:/mnt/storage/VMs > Options Reconfigured: > auth.allow: 10.10.0.* > network.ping-timeout: 15 > cluster.data-self-heal-algorithm: full > features.shard-block-size: 64MB > features.shard: on > performance.stat-prefetch: off > performance.io-cache: off > performance.read-ahead: off > performance.quick-read: off > cluster.eager-lock: enable > network.remote-dio: enable > cluster.server-quorum-type: server > cluster.quorum-type: auto > performance.readdir-ahead: on > > > -- > Kevin Lemonnier > PGP Fingerprint : 89A5 2283 04A0 E6E9 0111 > _______________________________________________ > Gluster-users mailing list > [email protected] > http://www.gluster.org/mailman/listinfo/gluster-users _______________________________________________ Gluster-users mailing list [email protected] http://www.gluster.org/mailman/listinfo/gluster-users
