Authentication

It is highly recommended to secure a BeeGFS installation by enabling connection based authentication. Services refuse to start unless a connAuthFile is configured or authentication is explicitly disabled: to run a system without connection authentication, connDisableAuthentication must be set to true in all service configuration files and auth-disable must be set to true in the Management Service configuration file.

A pre-shared secret can be configured using the connAuthFile option in the configuration files of all BeeGFS daemons and clients. By doing so requests are only accepted from connections that can provide the pre-shared secret. The option accepts a path to a file that contains the secret.

Example:

  1. Create a file which contains a shared secret

    $ dd if=/dev/random of=/etc/beegfs/conn.auth bs=128 count=1
    
  2. Ensure the file is only readable by the root user:

    $ chown root:root /etc/beegfs/conn.auth
    $ chmod 400 /etc/beegfs/conn.auth
    

    Note

    On nodes where the beegfs-tools package is installed and you want non-root users to be able to run beegfs commands, configure the conn.auth file to be owned by user “root” and group “beegfs” (chown root:beegfs /etc/beegfs/conn.auth). The “beegfs” system group is automatically created when installing beegfs-tools.

  3. Copy the file to all hosts in the cluster (mgmtd, meta, storage, client, mon).

  4. Edit the configuration files of all services you are currently using (incl. mon) on all hosts in the cluster and set connAuthFile=/etc/beegfs/conn.auth, i.e. the absolute path to the file that contains the shared secret. On the management service, if you use the default file path, you don't need to make any changes.

  5. Restart the services

    $ systemctl restart beegfs-mgmtd.service
    $ systemctl restart beegfs-meta.service
    $ systemctl restart beegfs-storage.service
    $ systemctl restart beegfs-client.service
    $ systemctl restart beegfs-mon.service
    
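The steps above, collected into one script. This is an added example, not part of the BeeGFS documentation or project: it assumes a Linux host with GNU coreutils and GNU sed, the standard /etc/beegfs layout and the `key = value` style of the meta, storage, client and mon config files (the management service keeps its default auth-file path and is only restarted). All paths are function parameters, so the functions can be tried against a scratch directory before touching a real host; the final block only runs when BEEGFS_AUTH_APPLY=1 is set. Host names passed to distribute_secret are an assumption of the caller.

```shell
#!/usr/bin/env bash
# Added example (not BeeGFS project code): create, lock down, configure and
# activate a connAuthFile. Assumes GNU coreutils/sed on Linux.
set -eu

# Steps 1 and 2: 128 random bytes, readable by root only. Passing "beegfs" as
# the group gives root:beegfs with mode 0440 so non-root beegfs-tools users can
# read it. /dev/urandom is the same CSPRNG as /dev/random on recent kernels.
create_secret() {   # $1 = output path, $2 = group (default root)
  local out="$1" group="${2:-root}" mode=400
  ( umask 077; dd if=/dev/urandom of="$out" bs=128 count=1 2>/dev/null )
  [ "$group" = beegfs ] && mode=440
  if [ "$(id -u)" -eq 0 ]; then chown "root:$group" "$out"; fi
  chmod "$mode" "$out"
}

# Sanity check before distribution: exactly 128 bytes, not world/group-writable
# or readable beyond the intended mode.
check_secret() {   # $1 = secret file; returns 1 and explains on failure
  local f="$1" size mode
  size=$(stat -c '%s' "$f")
  mode=$(stat -c '%a' "$f")
  [ "$size" -eq 128 ] || { echo "$f: expected 128 bytes, got $size" >&2; return 1; }
  case "$mode" in 400|440) ;; *) echo "$f: mode $mode too open" >&2; return 1 ;; esac
}

# Replace every active (uncommented) assignment of a key with a single new one;
# commented default lines from the package are left untouched.
set_key() {   # $1 = config file, $2 = key, $3 = value
  sed -E -i "/^[[:space:]]*$2[[:space:]]*=/d" "$1"
  printf '%-26s = %s\n' "$2" "$3" >> "$1"
}

# Read back the effective value of a key (last active assignment wins).
conf_get() {   # $1 = config file, $2 = key
  sed -En "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)|\1|p" "$1" | tail -n1
}

# Step 4: point a service config at the secret and make sure authentication
# is not disabled in the same file.
set_conn_auth() {   # $1 = config file, $2 = secret path
  set_key "$1" connAuthFile "$2"
  set_key "$1" connDisableAuthentication false
}

# Step 3 (one way to do it): copy the secret, permissions included, to every
# host; the host list is supplied by the caller.
distribute_secret() {   # $1 = secret path, remaining args = hosts
  local authfile="$1" h; shift
  for h in "$@"; do scp -p "$authfile" "root@$h:$authfile"; done
}

# Step 5: restart only the BeeGFS units that exist on this host.
restart_services() {
  local u
  for u in beegfs-mgmtd beegfs-meta beegfs-storage beegfs-client beegfs-mon; do
    if systemctl cat "$u.service" >/dev/null 2>&1; then
      systemctl restart "$u.service"
    fi
  done
}

# Apply to the local host only on explicit request; otherwise just define functions.
if [ "${BEEGFS_AUTH_APPLY:-0}" = 1 ]; then
  AUTH=/etc/beegfs/conn.auth
  create_secret "$AUTH" beegfs
  check_secret "$AUTH"
  for c in meta storage client mon; do
    [ -f "/etc/beegfs/beegfs-$c.conf" ] && set_conn_auth "/etc/beegfs/beegfs-$c.conf" "$AUTH"
  done
  restart_services
fi
```

Run check_secret on every host after copying: a secret that was truncated or re-created with a different length on one node will simply cause that node's connections to be rejected, which is much easier to diagnose here than from the management log.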

After all services have correctly restarted, no node or client without the shared secret file can connect to the cluster. Without the shared secret file, the management daemon will log the following when log-level = "debug":

Received message from unauthenticated stream from 192.168.133.7:36082
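The log line above is also the signal to watch for after enabling authentication: a node that was missed in step 3 or 4, or an unexpected host probing the management port, shows up as repeated rejections from one source address. The following is an added example, not BeeGFS code, that counts those rejections per source IP over a debug-level management log; the sample log lines are constructed (timestamps and the surrounding messages are invented), only the quoted message text comes from the documentation, and IPv4 `address:port` form is assumed.

```shell
#!/usr/bin/env bash
# Added example (not BeeGFS code): summarise rejected unauthenticated
# connections per source address from a beegfs-mgmtd debug log.
set -eu

# Print "count ip" pairs, most frequent first. $1 is a log file, or - for stdin.
unauth_sources() {
  grep -F 'Received message from unauthenticated stream from ' "$1" \
    | sed -E 's/.*unauthenticated stream from ([0-9.]+):[0-9]+.*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the addresses with at least $2 rejections, e.g. for an alert.
unauth_over_threshold() {   # $1 = log file, $2 = threshold
  unauth_sources "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Constructed sample of a debug-level management log (format invented for
# the example; only the "Received message ..." text is the real message).
demo_log() {
  cat <<'EOF'
2024-05-02T10:14:01Z DEBUG Received message from unauthenticated stream from 192.168.133.7:36082
2024-05-02T10:14:01Z INFO  Node registration: meta01
2024-05-02T10:14:03Z DEBUG Received message from unauthenticated stream from 192.168.133.7:36090
2024-05-02T10:14:09Z DEBUG Received message from unauthenticated stream from 10.0.0.23:41100
2024-05-02T10:14:12Z DEBUG Received message from unauthenticated stream from 192.168.133.7:36102
EOF
}

# With a log path as argument, report on that log; without one, show the sample.
if [ -n "${1:-}" ]; then
  unauth_sources "$1"
else
  demo_log | unauth_sources -
fi
```

A single rejection from a known node right after a restart is normal while its service comes up with the new file; a steady stream from one address is either a node that never received the secret or a host that should not be talking to the management service at all.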

Changing the secret in an already secured cluster

In order to exchange the secret on an already configured/secured cluster, replace the conn.auth file on all nodes with a new one and restart the services, as described in the steps above. Copy the new file to every host before restarting anything: a node that is restarted with the new secret while the others still hold the old one cannot connect until the rest of the cluster has been updated as well.