<div dir="ltr">Hi Andrew,<br>comments are inlined.<br><br><div class="gmail_quote">On Fri, Oct 17, 2008 at 12:35 PM, Andrew McGill <span dir="ltr">&lt;<a href="mailto:list2008@lunch.za.net" target="_blank">list2008@lunch.za.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">When I set up a server volume with this configuration with both IP and<br>
user/password authentication, access to the volume is permitted based on the<br>
source IP address only.<br>
<br>
Is there a way of requiring both IP address AND user/password authentication?<br>
(IP authentication is insecure, since it can be spoofed from the local<br>
network, but login authentication is worse, since it can be used.) (I<br>
suspect the answer is no at the moment, judging by the code...)</blockquote><div><br>Yes, it's possible to configure it so that both IP and password based authentication are required. For more details, look into glusterfs-src/doc/authentication.txt<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
As a more general question, can multiple authentication methods be required<br>
for a server?<br>
<br>
# config snippet ...<br>
<br>
volume server<br>
type protocol/server<br>
option transport-type tcp/server<br>
subvolumes brick<br>
<br>
option auth.ip.brick.allow <a href="http://192.168.0.19" target="_blank">192.168.0.19</a> # Allow access to "brick" volume<br>
option auth.login.brick.allow john<br>
option auth.login.joe.password bigsecret<br>
end-volume<br>
</blockquote><div><br>option auth.ip.brick.reject !<a href="http://192.168.0.19" target="_blank">192.168.0.19</a> #reject all clients other than <a href="http://192.168.0.19" target="_blank">192.168.0.19</a><br>option auth.login.brick.allow john<br>
option auth.login.joe.password bigsecret<br><br>Authentication works on the principle that "In order to allow access to a client, none of the authentication methods configured should reject the client and at least one of the methods should accept the client"<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<br>
</blockquote></div><br>regards,<br clear="all"><br>-- <br>Raghavendra G<br><br>
</div>
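The rule quoted in the reply above, modelled as an added example (not GlusterFS code and not part of the original message) to show why the `allow` form admits a client on IP alone while the `reject !` form requires both checks. Assumptions: patterns are glob-matched with a leading `!` as negation, a failed login counts as "no opinion", and the constructed credentials use a single user, john.

```python
from fnmatch import fnmatch

ACCEPT, REJECT, DONT_CARE = "accept", "reject", "dont-care"

def matches(patterns, value):
    """True if value matches any pattern; a leading '!' negates the pattern."""
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch(value, pat[1:] if negate else pat) != negate:
            return True
    return False

def ip_method(cfg, client):
    if matches(cfg.get("ip_reject", []), client["ip"]):
        return REJECT
    if matches(cfg.get("ip_allow", []), client["ip"]):
        return ACCEPT
    return DONT_CARE  # this method has no opinion about the client

def login_method(cfg, client):
    user, password = client.get("user"), client.get("password")
    if user in cfg.get("login_allow", []) and password is not None \
            and cfg.get("passwords", {}).get(user) == password:
        return ACCEPT
    return DONT_CARE  # assumption: a failed login neither accepts nor rejects

def authorize(cfg, client):
    """The quoted rule: no method rejects AND at least one method accepts."""
    results = [ip_method(cfg, client), login_method(cfg, client)]
    return REJECT not in results and ACCEPT in results

# Constructed models of the two option sets in the thread (one user, john).
CREDS = {"login_allow": ["john"], "passwords": {"john": "bigsecret"}}
ORIGINAL = {"ip_allow": ["192.168.0.19"], **CREDS}       # auth.ip.brick.allow
SUGGESTED = {"ip_reject": ["!192.168.0.19"], **CREDS}    # auth.ip.brick.reject

CLIENTS = {  # constructed sample clients
    "trusted IP, no login": {"ip": "192.168.0.19"},
    "trusted IP, good login": {"ip": "192.168.0.19", "user": "john", "password": "bigsecret"},
    "trusted IP, bad login": {"ip": "192.168.0.19", "user": "john", "password": "guess"},
    "other IP, good login": {"ip": "10.0.0.5", "user": "john", "password": "bigsecret"},
}

def decisions(cfg):
    return {name: authorize(cfg, c) for name, c in CLIENTS.items()}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for name, allowed in decisions(cfg).items():
            print(f"{label:9} {name:24} {'ALLOW' if allowed else 'DENY'}")
```

Under this model the original options let either method admit a client on its own, while the suggested options admit only the trusted address presenting a valid login.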