Authentication

It is highly recommended to secure the BeeGFS installation by enabling connection based authentication.

A pre-shared secret can be configured using the connAuthFile option in the configuration files of all BeeGFS daemons and clients. By doing so requests are only accepted from connections that can provide the pre-shared secret. In that option you can set the path to a file that can be of any type containing the secret.

Example:

  1. Create a file which contains a shared secret

    $ dd if=/dev/random of=/etc/beegfs/connauthfile bs=128
    
  2. Ensure the file is only readable by the root user:

    $ chown root:root /etc/beegfs/connauthfile
    $ chmod 400 /etc/beegfs/connauthfile
    
  3. Copy the file to all host in the cluster (mgmtd, meta, storage, client, mon).

  4. Edit all configuration files of all services you are currently using (incl. helperd/mon) on all host in the cluster and configure the connAuthFile=/etc/beegfs/connauthfile with the absolute path/filename to the file which contains a shared secret.

  5. Restart the services

    $ systemctl restart beegfs-mgmtd.service
    $ systemctl restart beegfs-meta.service
    $ systemctl restart beegfs-storage.service
    $ systemctl restart beegfs-client.service
    $ systemctl restart beegfs-mon.service
    

After all services have correctly restarted no client without the shared secret file can connect the cluster. Without the shared secret file, the management daemon will log (log level 4):

Accepted new connection from 192.168.133.7:36082 [SockFD: 32]
Rejecting message from unauthenticated peer: 192.168.133.7:36082
Problem encountered during processing of a message. Disconnecting: 192.168.133.7:36082

Changing the secret in an already secured cluster

In order to exchange the connauthsecret on an already configured/secured cluster, just replace the secret file on all nodes with a new one, as described in the steps above.