From adb5ca367d064793fe40922261c2e4e1940f42af Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Tue, 19 Feb 2019 21:04:36 -0800
Subject: [PATCH] Updated Security Overview (markdown)

---
 Security-Overview.md | 57 ++------------------------------------------
 1 file changed, 2 insertions(+), 55 deletions(-)

diff --git a/Security-Overview.md b/Security-Overview.md
index db31136..8f9859b 100644
--- a/Security-Overview.md
+++ b/Security-Overview.md
@@ -8,46 +8,7 @@ We will address the volume servers first. The following items are not covered, y
 # Generate `security.toml` file
-The first step is generating `security.toml` file via
-```
-$ weed scaffold -config=security
-
-# Put this file to one of the location, with descending priority
-# ./security.toml
-# $HOME/.seaweedfs/security.toml
-# /etc/seaweedfs/security.toml
-# this file is read by master, volume server, and filer
-
-# the jwt signing key is read by master and volume server
-# a jwt expires in 10 seconds
-[jwt.signing]
-key = ""
-
-# volume server also uses grpc that should be secured.
-
-# all grpc tls authentications are mutual
-[grpc]
-ca = ""
-
-[grpc.volume]
-cert = ""
-key = ""
-
-[grpc.master]
-cert = ""
-key = ""
-
-[grpc.filer]
-cert = ""
-key = ""
-
-# use this for any place needs a grpc client
-# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
-[grpc.client]
-cert = ""
-key = ""
-
-```
+See [[Security Configuration]]
 Servers in SeaweedFS usually support 2 kinds of operations: gRPC and REST.
@@ -59,21 +20,7 @@ The following operations are implemented via gRPC.
 * delete operations from filer or other clients (mount, s3, filer.copy, filer.replicate, etc) to volume servers
 * requests from clients to filer
-All gRPC operations can optionally be secured via mutual TLS, by customizing the `security.toml` file.
-
-The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just `go get github.com/square/certstrap`
-
-```
-certstrap init --common-name "SeaweedFS CA"
-certstrap request-cert --common-name volume01
-certstrap request-cert --common-name master01
-certstrap request-cert --common-name filer01
-certstrap request-cert --common-name client01
-certstrap sign --CA "SeaweedFS CA" volume01
-certstrap sign --CA "SeaweedFS CA" master01
-certstrap sign --CA "SeaweedFS CA" filer01
-certstrap sign --CA "SeaweedFS CA" client01
-```
+All gRPC operations can optionally be secured via mutual TLS, by customizing the `security.toml` file. See [[Security Configuration]].
 # Securing Volume Servers