Hi, Cheng I think you did the configuration in the wrong place. Instead of /etc/glusterd/nfs/nfs-server.vol, you need to modify files under /etc/glusterd/vols/. As a simple example, consider a one-server-one-client system, both server and client are one machine(localhost, ip:192.168.4.112), and export directory /home/huz/share for sharing, the client wants to mount it on /home/huz/mnt. if i modify default configuration /etc/glusterd/vols/testvol/testvol.192.168.4.112.home-huz-share.vol from ...... 26 volume testvol-server 27 type protocol/server 28 option transport-type tcp 29 option auth.addr./home/huz/share.allow * 30 subvolumes /home/huz/share 31 end-volume to ...... 26 volume testvol-server 27 type protocol/server 28 option transport-type tcp 29 option auth.addr./home/huz/share.reject * 30 subvolumes /home/huz/share 31 end-volume the mount command will fail: $sudo mount -o mountproto=tcp -t nfs localhost:/testvol /home/huz/mnt mount.nfs: mounting localhost:/testvol failed, reason given by server: No such file or directory and the log shows that the authentication error. 11-01-10 11:09:58.203600] E [client-handshake.c:786:client_setvolume_cbk] testvol-client-0: SETVOLUME on remote-host failed: Authentication failed change "reject" to "allow", the mount operation will be ok. you can configure you own ip rule. As for how to use ip auth and usrname/password auth, you can check the attachment. It's a documentation file under the directory "doc" of glusterfs src project. On Sun, 2011-01-09 at 22:31 +0800, ???? wrote: > Hi, HU: > Thanks for your help. > > I have the following environment: > Gluster 3.1.1 > Volume Name: gluster-volume > Type: Distributed-Replicate > Status: Started > Number of Bricks: 2 x 2 = 4 > Transport-type: tcp > Bricks: > Brick1: gluster1:/mnt/gluster1 > Brick2: gluster2:/mnt/gluster2 > Brick3: gluster3:/mnt/gluster3 > Brick4: gluster4:/mnt/gluster4 > > > I want to use authenticate module by your suggestion. > The way I used below: > 1. Stop Volume > 2. Edit /etc/glusterd/nfs/nfs-server.vol on Brick1(Gluster1) > 3. Modify and Add From > volume nfs-server > type nfs/server > option nfs.dynamic-volumes on > option rpc-auth.addr.gluster-volume.allow * > option nfs3.gluster-volume.volume-id 907941d9-6950-425b- > b3d5-4e43dd420d9e > subvolumes gluster-volume > end-volume > > to > > volume nfs-server > type nfs/server > option nfs.dynamic-volumes on > option rpc-auth.addr.gluster-volume.allow 10.18.14.1 > option auth.addr.gluster-volume.allow 10.18.14.1 > option nfs3.gluster-volume.volume-id > 907941d9-6950-425b-b3d5-4e43dd420d9e > subvolumes gluster-volume > end-volume > > 4.Start Volume > > --> But I still be able to mount volume from 10.18.14.2 by NFS. > > Anything I missed or be wrong? > > And I find > > A. After I started volume , nfs-server.vol was initialed to option > rpc-auth.addr.gluster-volume.allow * . > B. 4 nodes all have /etc/glusterd/nfs/nfs-server.vol , Should I Edit > every .vol file on 4 nodes? > > > > > > > -----Original message----- > From:HU Zhong <hz02ruc at gmail.com> > To:wei.cheng at m2k.com.tw > Cc:gluster-users <gluster-users at gluster.org> > Date:Fri, 07 Jan 2011 21:17:14 +0800 > Subject:Re: Dose Gluster 3.1 support authorisation > control and how to do > > Hi, Cheng > > There are 2 types of authenticate module that you can config: > 1. IP address > 2. login user/password > > please check this site: > http://www.gluster.com/community/documentation/index.php/Translators/protocol/server > > > On Fri, 2011-01-07 at 17:07 +0800, ???? wrote: > > _______________________________________________ > > Gluster-users mailing list > > Gluster-users at gluster.org > > http://gluster.org/cgi-bin/mailman/listinfo/gluster-users > > -------------- next part -------------- * Authentication is provided by two modules addr and login. Login based authentication uses username/password from client for authentication. Each module returns either ACCEPT, REJCET or DONT_CARE. DONT_CARE is returned if the input authentication information to the module is not concerned to its working. The theory behind authentication is that "none of the auth modules should return REJECT and atleast one of them should return ACCEPT" * Currently all the authentication related information is passed un-encrypted over the network from client to server. ---------------------------------------------------------------------------------------------------- * options provided in protocol/client: * for username/password based authentication: option username <username> option password <password> * client can have only one set of username/password * for addr based authentication: * no options required in protocol/client. Client has to bind to privileged port (port < 1024 ) which means the process in which protocol/client is loaded has to be run as root. ---------------------------------------------------------------------------------------------------- * options provided in protocol/server: * for username/password based authentication: option auth.login.<brick>.allow [comma seperated list of usernames using which clients can connect to volume <brick>] option auth.login.<username>.password <password> #specify password <password> for username <username> * for addr based authentication: option auth.addr.<brick>.allow [comma seperated list of ip-addresses/unix-paths from which clients are allowed to connect to volume <brick>] option auth.addr.<brick>.reject [comma seperated list of ip-addresses/unix-paths from which clients are not allowed to connect to volume <brick>] * negation operator '!' is used to invert the sense of matching. Eg., option auth.addr.brick.allow !a.b.c.d #do not allow client from a.b.c.d to connect to volume brick option auth.addr.brick.reject !w.x.y.z #allow client from w.x.y.z to connect to volume brick * wildcard '*' can be used to match any ip-address/unix-path ---------------------------------------------------------------------------------------------------- * Usecases: * username/password based authentication only protocol/client: option username foo option password foo-password option remote-subvolume foo-brick protocol/server: option auth.login.foo-brick.allow foo,who #,other users allowed to connect to foo-brick option auth.login.foo.password foo-password option auth.login.who.password who-password * in protocol/server, dont specify ip from which client is connecting in auth.addr.foo-brick.reject list **************************************************************************************************** * ip based authentication only protocol/client: option remote-subvolume foo-brick * Client is connecting from a.b.c.d protocol/server: option auth.addr.foo-brick.allow a.b.c.d,e.f.g.h,i.j.k.l #, other ip addresses from which clients are allowed to connect to foo-brick **************************************************************************************************** * ip and username/password based authentication * allow only "user foo from a.b.c.d" protocol/client: option username foo option password foo-password option remote-subvolume foo-brick protocol/server: option auth.login.foo-brick.allow foo option auth.login.foo.password foo-password option auth.addr.foo-brick.reject !a.b.c.d * allow only "user foo" from a.b.c.d i.e., only user foo is allowed from a.b.c.d, but anyone is allowed from ip addresses other than a.b.c.d protocol/client: option username foo option password foo-password option remote-subvolume foo-brick protocol/server: option auth.login.foo-brick.allow foo option auth.login.foo.password foo-password option auth.addr.foo-brick.allow !a.b.c.d * reject only "user shoo from a.b.c.d" protcol/client: option remote-subvolume shoo-brick protocol/server: # observe that no "option auth.login.shoo-brick.allow shoo" given # Also other users from a.b.c.d have to be explicitly allowed using auth.login.shoo-brick.allow ... option auth.addr.shoo-brick.allow !a.b.c.d * reject only "user shoo" from a.b.c.d i.e., user shoo from a.b.c.d has to be rejected. * same as reject only "user shoo from a.b.c.d" above, but rules have to be added whether to allow ip addresses (and users from those ips) other than a.b.c.d **************************************************************************************************** * ip or username/password based authentication * allow user foo or clients from a.b.c.d protocol/client: option remote-subvolume foo-brick protocol/server: option auth.login.foo-brick.allow foo option auth.login.foo.password foo-password option auth.addr.foo-brick.allow a.b.c.d * reject user shoo or clients from a.b.c.d protocol/client: option remote-subvolume shoo-brick protocol/server: option auth.login.shoo-brick.allow <usernames other than shoo> #for each username mentioned in the above <usernames other than shoo> list, specify password as below option auth.login.<username other than shoo>.password password option auth.addr.shoo-brick.reject a.b.c.d