mirror of https://github.com/seaweedfs/seaweedfs.git, synced 2024-01-19 02:48:24 +00:00
Updated Security Overview (markdown)
parent dca3f3d86e
commit fd2ee712ef
@ -6,6 +6,49 @@ We will address the volume servers first. The following items are not covered, y
1. master server http REST services
1. filer server http REST services
# Generate `security.toml` file
The first step is generating `security.toml` file via
```
$ weed scaffold -config=security
# Put this file to one of the location, with descending priority
# ./security.toml
# $HOME/.seaweedfs/security.toml
# /etc/seaweedfs/security.toml
# this file is read by master, volume server, and filer
# the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds
[jwt.signing]
key = ""
# volume server also uses grpc that should be secured.
# all grpc tls authentications are mutual
[grpc]
ca = ""
[grpc.volume]
cert = ""
key = ""
[grpc.master]
cert = ""
key = ""
[grpc.filer]
cert = ""
key = ""
# use this for any place needs a grpc client
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
[grpc.client]
cert = ""
key = ""
```
Servers in SeaweedFS usually support 2 kinds of operations: gRPC and REST.
# Securing gRPC operations
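Review bot: the lookup order documented in this hunk (`# ./security.toml` first, then `$HOME/.seaweedfs/security.toml`, then `/etc/seaweedfs/security.toml`, "with descending priority") means a `security.toml` in the process's current working directory silently overrides the system-wide one, and this file carries the JWT signing key and the paths to the TLS private keys; the doc should warn that master, volume and filer processes must be started from a directory that untrusted local users cannot write to, or that the file should live in `/etc/seaweedfs/` with restrictive permissions. Two smaller documentation gaps: `key = ""` under `[jwt.signing]` says nothing about what an empty key means in practice or how to generate a strong one, and `# this file is read by master, volume server, and filer` is contradicted a few lines later by the `[grpc.client]` comment, which says the backup, benchmark, filer.copy, filer.replicate, mount, s3 and upload commands read it as well. Style: "Put this file to one of the location, with descending priority" should read "Put this file in one of these locations, in descending priority".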
@ -16,7 +59,21 @@ The following operations are implemented via gRPC.
* delete operations from filer or other clients (mount, s3, filer.copy, filer.replicate, etc) to volume servers
* requests from clients to filer
All gRPC operations can optionally be secured via mutual TLS, by customizing the `weed scaffold -config=security` generated `security.toml` file.
All gRPC operations can optionally be secured via mutual TLS, by customizing the `security.toml` file.
The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just `go get github.com/square/certstrap`
```
certstrap init --common-name "SeaweedFS CA"
certstrap request-cert --common-name volume01
certstrap request-cert --common-name master01
certstrap request-cert --common-name filer01
certstrap request-cert --common-name client01
certstrap sign --CA "SeaweedFS CA" volume01
certstrap sign --CA "SeaweedFS CA" master01
certstrap sign --CA "SeaweedFS CA" filer01
certstrap sign --CA "SeaweedFS CA" client01
```
# Securing Volume Servers
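Review bot: the certstrap sequence added in this hunk never says where the generated key and certificate files are written or which of them belong in the `ca`, `cert` and `key` fields of `security.toml`; add a short mapping so that readers do not copy the CA's private key onto the servers along with its certificate. A caveat worth stating next to these commands: because `volume01`, `master01`, `filer01` and `client01` are all signed by the same `SeaweedFS CA`, the mutual-TLS handshake accepts any holder of any of those certificates at every server, so the CA key must be kept offline and each client deployment should get its own certificate rather than sharing `client01`. Style: "The following command is what I used" introduces nine commands, so "commands" and "or just `go get github.com/square/certstrap`" should be "or install it with"; the old/new pair of the "All gRPC operations can optionally be secured via mutual TLS" sentence drops the `weed scaffold -config=security` reference, which is fine now that the earlier hunk documents the scaffold step.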