diff --git a/Security-Overview.md b/Security-Overview.md index 9fc9787..0d4396a 100644 --- a/Security-Overview.md +++ b/Security-Overview.md @@ -6,6 +6,49 @@ We will address the volume servers first. The following items are not covered, y 1. master server http REST services 1. filer server http REST services +# Generate `security.toml` file + +The first step is generating `security.toml` file via +``` +$ weed scaffold -config=security + +# Put this file to one of the location, with descending priority +# ./security.toml +# $HOME/.seaweedfs/security.toml +# /etc/seaweedfs/security.toml +# this file is read by master, volume server, and filer + +# the jwt signing key is read by master and volume server +# a jwt expires in 10 seconds +[jwt.signing] +key = "" + +# volume server also uses grpc that should be secured. + +# all grpc tls authentications are mutual +[grpc] +ca = "" + +[grpc.volume] +cert = "" +key = "" + +[grpc.master] +cert = "" +key = "" + +[grpc.filer] +cert = "" +key = "" + +# use this for any place needs a grpc client +# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload" +[grpc.client] +cert = "" +key = "" + +``` + Servers in SeaweedFS usually support 2 kinds of operations: gRPC and REST. # Securing gRPC operations 
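Review bot: the new "Generate `security.toml` file" section tells the reader to run `weed scaffold -config=security` but never says what to put in the file afterwards, so as written it only produces an empty template. Two things are missing in this hunk: first, a sentence after the scaffold output saying that `[jwt.signing] key = ""` must be replaced with a long random secret and that the same value has to be configured on every master and volume server (the hunk's own comment says "the jwt signing key is read by master and volume server"); second, a note that with all `cert`, `key` and `ca` fields left as `""` nothing in the `[grpc]` sections is enforced, so the file has to be customized before any of the later sections apply. Since the file now carries a signing secret and private keys, it is also worth adding one line telling the reader to restrict its permissions on whichever of `./security.toml`, `$HOME/.seaweedfs/security.toml` or `/etc/seaweedfs/security.toml` they use, and to deploy the same search-path choice consistently, because the comment lists them "with descending priority" and a stray higher-priority copy would silently win.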
@@ -16,7 +59,21 @@ The following operations are implemented via gRPC. * delete operations from filer or other clients (mount, s3, filer.copy, filer.replicate, etc) to volume servers * requests from clients to filer -All gRPC operations can optionally be secured via mutual TLS, by customizing the `weed scaffold -config=security` generated `security.toml` file. +All gRPC operations can optionally be secured via mutual TLS, by customizing the `security.toml` file. + +The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just `go get github.com/square/certstrap` + +``` +certstrap init --common-name "SeaweedFS CA" +certstrap request-cert --common-name volume01 +certstrap request-cert --common-name master01 +certstrap request-cert --common-name filer01 +certstrap request-cert --common-name client01 +certstrap sign --CA "SeaweedFS CA" volume01 +certstrap sign --CA "SeaweedFS CA" master01 +certstrap sign --CA "SeaweedFS CA" filer01 +certstrap sign --CA "SeaweedFS CA" client01 +``` # Securing Volume Servers
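Review bot: the certstrap block generates a CA and four signed certificates but the hunk does not say which generated file goes into which `security.toml` field, which is the one thing the reader needs after running it. Add a short mapping after the fence: the CA certificate produced by `certstrap init --common-name "SeaweedFS CA"` goes into `[grpc] ca`, and each `<name>` certificate/key pair from `certstrap sign --CA "SeaweedFS CA" <name>` goes into the matching `cert`/`key` fields of `[grpc.volume]`, `[grpc.master]`, `[grpc.filer]` and `[grpc.client]`, with the same `ca` on every node. The text should also state whether the certificate name has to match the host the client dials: `certstrap request-cert --common-name volume01` adds no hostname or IP SAN, so if SeaweedFS verifies the server name these certificates will be rejected on real hosts and the reader should pass the appropriate `-domain`/`-ip` options when requesting them; if it does not, say so, because then any certificate signed by the CA is accepted for any role and readers should understand that the CA, not the common name, is the trust boundary.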