-
Hi there, I want to place some basic restrictions on CubeFS so that machines with access to my local network can't wipe my entire cluster by simply talking to my Master/Resource Manager node. I followed the directions in the old ChubaoFS documentation (which should likely be merged into the current CubeFS docs, or at least the portions about authnode) and successfully got authnode up and running including TLS certificates, but despite doing this when I use cfs-cli:
I have access to all CLI options and can delete volumes and do all kinds of stuff with zero authentication. How do I lock that down? It's the main thing stopping me from rolling out CubeFS properly!
Replies: 5 comments 8 replies
-
This pull request appears to contain the necessary code to make this work 😲 It was merged, but the changes don't appear in v3.3.1 yet.
-
I was able to take the branch "release-3.3.1" and cherry-pick #1857 onto it, then make a custom CubeFS build. I'm now at the stage where I have an HA master and HA authnode setup, with TLS and everything working. Clients can only do major operations (or any sort of change, really) when authenticated with a valid key now. However, when I attempt to add datanodes, it claims that the key for "DatanodeService" doesn't exist, even though I created it through the cfs-authtool the same way I created the keys for the master (following the old ChubaoFS docs).
-
Logs and details below. The main issue is a "key not exists" error.
Config of my datanode.json:
-
@leonrayang any thoughts?
-
@Zorlin The authnode documentation will be merged as soon as possible :)
@Zorlin hi, the key of the datanode may not be stored in authnode. Please check it by using the getKey API as follows:
cfs-authtool api -https -host=10.7.1.151:8443 -ticketfile=ticket_admin.json -data=data_datanode.json -output=key_datanode.json AuthService getkey
And if the key is actually not in authnode, just create the key with authtool again.