Did you know?
This document is an attempt to describe less-documented behaviours and features
of GlusterFS that an admin always wanted to know but was too shy or busy to
ask.
Trusted Volfiles
Observant admins would have wondered why there are two similar volume files for
every volume, namely trusted--fuse.vol and -fuse.vol. To
appreciate this one needs to know about the IP address/hostname based access
restriction schemes available in GlusterFS. They are "auth-allow" and
"auth-reject". The "auth-allow" and "auth-reject" options take a comma
separated list of IP addresses/hostnames as value. "auth-allow" allows access
only to clients running on machines whose IP address/hostname are on this
list. It is highly likely for an admin to configure the "auth-allow" option
without including the list of nodes in the cluster. One would expect this to
work. Previously, in this configuration (internal) clients such as
gluster-nfs, glustershd etc., running in the trusted storage pool, would be
denied access to the volume. This is undesirable and counter-intuitive. The
work around was to add the IP address/hostnames of all the nodes in the trusted
storage pool to the "auth-allow" list. This is bad for a reasonably large
number of nodes. To fix this, an alternate authentication mechanism for nodes
in the storage pool was introduced. Following is a brief explanation of how
this works.
The volume file with trusted prefix in its name (i.e trusted-volfile) has a
username and password option in the client xlator. The trusted-volfile is used
only by mount processes running in the trusted storage pool (hence the name).
The username and password, when present, allow "mount" (and other glusterfs)
processes to access the brick processes even if the node they are running on is
not explicitly added in "auth-allow" addresses. 'Regular' mount processes,
running on nodes outside the trusted storage pool, use the non-trusted-volfile.
The important thing to note is that "trusted" in this context only implied
belonging to the trusted storage pool.