gitlab-com-seaweedfs/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2024-01-19 02:48:24 +00:00
Code Issues Projects Releases Wiki Activity

Updated Security Overview (markdown)

Chris Lu 2019-02-19 21:04:36 -08:00
parent 7004dc290d
commit adb5ca367d
1 changed files with 2 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
Security-Overview.md

@ -8,46 +8,7 @@ We will address the volume servers first. The following items are not covered, y
# Generate `security.toml` file
The first step is generating `security.toml` file via
```
$ weed scaffold -config=security
# Put this file to one of the location, with descending priority
# ./security.toml
# $HOME/.seaweedfs/security.toml
# /etc/seaweedfs/security.toml
# this file is read by master, volume server, and filer
# the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds
[jwt.signing]
key = ""
# volume server also uses grpc that should be secured.
# all grpc tls authentications are mutual
[grpc]
ca = ""
[grpc.volume]
cert = ""
key = ""
[grpc.master]
cert = ""
key = ""
[grpc.filer]
cert = ""
key = ""
# use this for any place needs a grpc client
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
[grpc.client]
cert = ""
key = ""
```
See [[Security Configuration]]
Servers in SeaweedFS usually support 2 kinds of operations: gRPC and REST.
@ -59,21 +20,7 @@ The following operations are implemented via gRPC.
* delete operations from filer or other clients (mount, s3, filer.copy, filer.replicate, etc) to volume servers
* requests from clients to filer
All gRPC operations can optionally be secured via mutual TLS, by customizing the `security.toml` file.
The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just `go get github.com/square/certstrap`
```
certstrap init --common-name "SeaweedFS CA"
certstrap request-cert --common-name volume01
certstrap request-cert --common-name master01
certstrap request-cert --common-name filer01
certstrap request-cert --common-name client01
certstrap sign --CA "SeaweedFS CA" volume01
certstrap sign --CA "SeaweedFS CA" master01
certstrap sign --CA "SeaweedFS CA" filer01
certstrap sign --CA "SeaweedFS CA" client01
```
All gRPC operations can optionally be secured via mutual TLS, by customizing the `security.toml` file. See [[Security Configuration]].
# Securing Volume Servers