Revision 992fd37d
| b/doc/security.rst | ||
|---|---|---|
| 33 | 33 |
- Communication between nodes is encrypted using SSL/TLS. A common key |
| 34 | 34 |
and certificate combo is shared between all nodes of the cluster. At |
| 35 | 35 |
this time, no CA is used. |
| 36 |
- The Ganeti node daemon will accept RPC requests from any host within
|
|
| 37 |
the cluster with the correct certificate, and the operations it will
|
|
| 36 |
- The Ganeti node daemon will accept RPC requests from any host that is
|
|
| 37 |
master candidate within the cluster, and the operations it will
|
|
| 38 | 38 |
do as a result of these requests are: |
| 39 | 39 |
|
| 40 | 40 |
- running commands under the ``/etc/ganeti/hooks`` directory |
| ... | ... | |
| 42 | 42 |
- overwrite a defined list of files on the host |
| 43 | 43 |
|
| 44 | 44 |
As you can see, as soon as a node is joined, it becomes equal to all |
| 45 |
other nodes in the cluster, and the security of the cluster is |
|
| 45 |
other nodes in the cluster wrt to SSH and equal to all non-master |
|
| 46 |
candidate nodes wrt to RPC, and the security of the cluster is |
|
| 46 | 47 |
determined by the weakest node. |
| 47 | 48 |
|
| 48 | 49 |
Note that only the SSH key will allow other machines to run any command |
| ... | ... | |
| 100 | 101 |
the cluster-wide shared SSH key. |
| 101 | 102 |
|
| 102 | 103 |
RPC communication between the master and nodes is protected using |
| 103 |
SSL/TLS encryption. Both the client and the server must have the |
|
| 104 |
cluster-wide shared SSL/TLS certificate and verify it when establishing |
|
| 105 |
the connection by comparing fingerprints. We decided not to use a CA to |
|
| 106 |
simplify the key handling. |
|
| 104 |
SSL/TLS encryption. The server must have must have the cluster-wide |
|
| 105 |
shared SSL/TLS certificate. When acting as a client, the nodes use an |
|
| 106 |
individual SSL/TLS certificate. On incoming requests, the server checks |
|
| 107 |
whether the client's certificate is that of a master candidate by |
|
| 108 |
verifying its finterprint to a list of known master candidate |
|
| 109 |
certificates. We decided not to use a CA (yet) to simplify the key |
|
| 110 |
handling. |
|
| 107 | 111 |
|
| 108 | 112 |
The DRBD traffic is not protected by encryption, as DRBD does not |
| 109 | 113 |
support this. It's therefore recommended to implement host-level |
Also available in: Unified diff