Authentication

It is highly recommended to secure your BeeGFS installation by enabling connection-based authentication using a shared secret. For the services and clients to start at all, every one of them must be configured in one of the following two ways:

  • Enable authentication by distributing a shared secret to all nodes and setting the connAuthFile parameter in each service/client configuration file. Starting with BeeGFS 8, services and clients expect the secret at /etc/beegfs/conn.auth by default, so it is usually sufficient to install the secret at this path on all nodes.

  • Disable authentication explicitly by setting connDisableAuthentication=true in all service and client configuration files, and setting auth-disable=true in the Management Service configuration.

A service that has neither a usable connAuthFile nor the disable flag set will refuse to start.

Setting up connection based authentication

  1. Create a file containing 128 bytes of random data as the shared secret:

    $ dd if=/dev/random of=/etc/beegfs/conn.auth bs=128 count=1
    
  2. Ensure the file is owned by and only readable by the root user (dd creates it with the permissions derived from your umask, so do not skip this step):

    $ chown root:root /etc/beegfs/conn.auth
    $ chmod 400 /etc/beegfs/conn.auth
    

    Note

    On nodes where the beegfs-tools package is installed and you want non-root users to be able to run a subset of beegfs commands, make the conn.auth file owned by user “root” and group “beegfs” (chown root:beegfs /etc/beegfs/conn.auth) and group-readable (chmod 440 /etc/beegfs/conn.auth); with mode 400 the group cannot read it. The “beegfs” system group is created automatically during package installation.

    This setup enables non-root users in the “beegfs” group to run commands that inspect the file system (e.g., listing nodes or storage pools), check their own quota/usage information, and view file system entries they have access to based on standard Linux permissions.

    Non-root access is generally read-only. One exception is when the metadata server has the sysAllowUserSetPattern option enabled, which allows non-root users to configure striping on entries they are allowed to access.

  3. Copy the file to all hosts in the cluster (mgmtd, meta, storage, client, mon).

  4. On a new BeeGFS 8 installation, the default configuration files for all services and clients already point to /etc/beegfs/conn.auth, so nothing needs to be changed.

    If you are enabling connection authentication on an existing installation for the first time, set auth-file = "/etc/beegfs/conn.auth" in the management configuration file, and connAuthFile=/etc/beegfs/conn.auth in the configuration files of all other servers and clients (including beegfs-mon).

  5. Restart the services so the change takes effect:

    $ systemctl restart beegfs-mgmtd.service
    $ systemctl restart beegfs-meta.service
    $ systemctl restart beegfs-storage.service
    $ systemctl restart beegfs-client.service
    $ systemctl restart beegfs-mon.service
    
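The steps above, combined into one script as an added example (this is not part of the BeeGFS documentation or the BeeGFS project). It generates the secret with a restrictive umask so the file is never readable by others even briefly, verifies size and mode before anything is copied, and optionally distributes it. Assumptions not found on the page: the variables BEEGFS_HOSTS (space-separated hostnames reachable over ssh as root) and BEEGFS_AUTH_GROUP (set to beegfs to use the group-readable variant from the note), and the use of /dev/urandom rather than /dev/random. The service restarts from step 5 are left to the operator.

```shell
#!/bin/sh
# Added example, not BeeGFS project code. Generates, locks down, verifies and
# distributes the shared secret used for BeeGFS connection authentication.
# Assumed inputs (not from the documentation):
#   BEEGFS_HOSTS       space-separated hosts to copy the secret to (ssh as root)
#   BEEGFS_AUTH_GROUP  set to "beegfs" to make the file root:beegfs mode 440
set -u

# Mode of a file as an octal string; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Create a 128-byte random secret at $1. umask 077 means the file is created
# without group/other permissions from the start; chmod 400 then drops the
# owner's write bit as well, matching the documented permissions.
create_secret() {
    path="$1"
    ( umask 077 && dd if=/dev/urandom of="$path" bs=128 count=1 2>/dev/null ) || return 1
    chmod 400 "$path"
}

# Sanity-check a secret file: it must exist, be non-trivially sized, and have
# one of the two documented modes (400 root-only, or 440 for group beegfs).
check_secret() {
    path="$1"
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    size=$(file_size "$path")
    [ "$size" -ge 32 ] || { echo "secret too short ($size bytes): $path" >&2; return 1; }
    mode=$(file_mode "$path")
    case "$mode" in
        400|440) ;;
        *) echo "permissions too open (mode $mode): $path" >&2; return 1 ;;
    esac
}

# Full procedure: create, set ownership (only possible as root), verify, copy.
setup_auth() {
    path="$1"
    group="${BEEGFS_AUTH_GROUP:-}"
    create_secret "$path" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        if [ -n "$group" ]; then
            chown "root:$group" "$path" && chmod 440 "$path"
        else
            chown root:root "$path" && chmod 400 "$path"
        fi
    fi
    check_secret "$path" || return 1
    # scp -p preserves the mode; ownership must be fixed on the remote side
    # because scp writes the file as the connecting user.
    for h in ${BEEGFS_HOSTS:-}; do
        scp -p "$path" "root@$h:$path" || return 1
        ssh "root@$h" "chown root:${group:-root} '$path'" || return 1
    done
}

# Only act when invoked as: sh setup-auth.sh setup [/path/to/conn.auth]
case "${1:-}" in
    setup) setup_auth "${2:-/etc/beegfs/conn.auth}" ;;
esac
```

After the copy, restart the services on every host as in step 5; check_secret can be re-run on each host to confirm that the mode survived the transfer.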

After all services have restarted correctly, no client without the shared secret file can connect to the cluster. When a node that lacks the secret attempts to connect, the management daemon logs the following at log-level = "debug":

Received message from unauthenticated stream from 192.168.133.7:36082
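A small check built on that log message, added here as an example rather than taken from the BeeGFS documentation: it extracts the peer addresses behind rejected, unauthenticated connection attempts from beegfs-mgmtd log output and counts them, which is the quickest way to find nodes that are still missing the secret after a rollout. The log lines are constructed for this example; only the message text itself is from the page, the timestamps and surrounding lines are assumed.

```shell
#!/bin/sh
# Added example, not BeeGFS project code. Lists peers that the management
# daemon rejected as unauthenticated, one address per line with a count.
set -u

# Reads log text on stdin. Matches the documented message and strips the
# port, so repeated attempts from one host collapse into a single line.
unauthenticated_peers() {
    sed -n 's/.*unauthenticated stream from \([0-9.]*\):[0-9]*.*/\1/p' \
        | sort | uniq -c | awk '{print $2 " " $1}'
}

# Constructed sample log; timestamps and the other lines are assumed.
SAMPLE_LOG='2024-01-01T10:00:00 [debug] Received message from unauthenticated stream from 192.168.133.7:36082
2024-01-01T10:00:01 [info] Node registered: meta01
2024-01-01T10:00:05 [debug] Received message from unauthenticated stream from 192.168.133.9:41120
2024-01-01T10:00:09 [debug] Received message from unauthenticated stream from 192.168.133.7:36090'

# Usage: journalctl -u beegfs-mgmtd | sh this-script.sh   (or the sample below)
if [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_LOG" | unauthenticated_peers
fi
```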

Changing the secret in an already secured cluster

To exchange the secret on an already configured and secured cluster, replace the conn.auth file on all nodes with a new one and restart the services, as described in the steps above. Because nodes with different secrets cannot authenticate to each other, complete the replacement and restart on all nodes rather than leaving the cluster in a mixed state.