From a36ca890382edffa0c11f364b4f207cfcc92bde0 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Tue, 19 Feb 2019 12:32:02 -0800 Subject: [PATCH] Created Security Overview (markdown) --- Security-Overview.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 Security-Overview.md diff --git a/Security-Overview.md b/Security-Overview.md new file mode 100644 index 0000000..fe4dc7c --- /dev/null +++ b/Security-Overview.md @@ -0,0 +1,19 @@ +# Overview +There are a few things to secure the SeaweedFS system: +1. Secure GRPC operations server via mutual TLS +1. Secure file upload/delete to volume server + +Not covered, yet: +1. master server http access +1. filer server http access + +# Securing Volume Servers +Since SeaweedFS is a distributed system with many volume servers, the volume servers have the risk of being changed without proper access control. + +There are 2 ways to change volume servers: +1. Administrative operations via GRPC +1. File upload, update, and delete operations. + +To control administrative operations, mutual TLS can be enabled for all GRPC calls. + +To control file upload/update/delete operations, Json Web Token (JWT) is used to control access for each file id.
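Review bot: The last two added lines under "Securing Volume Servers" name the mechanisms (mutual TLS for GRPC calls, a JWT per file id) but not how they work in practice. A reader cannot tell from this page which component issues the token, which one verifies it, where the signing key and the TLS certificates are configured, or whether tokens expire. Suggest a short subsection per mechanism covering those points. Two consistency items: the Overview list says "file upload/delete" while the later list says "upload, update, and delete", so pick one wording and state whether reads are in scope, since neither list mentions them. The "Not covered, yet" entries for master and filer HTTP access would be more useful with a sentence on what an operator should do about those endpoints in the meantime. Spelling: "Json Web Token" should be "JSON Web Token", and "GRPC" is normally written "gRPC".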