Cluster Users¶
A cluster can be accessed remotely via any daemon secure socket. The cluster access can be abstracted via:
- A floating IP address, usually handled by a system/svc/vip failover service
- A Round Robin DNS record grouping all or a subset of the cluster nodes
- A Round Robin DNS record grouping a set of cluster floating IP addresses
Accessing a cluster via the secure socket requires:
- the client to present a trusted x509 certificate.
- the user object to exist on the cluster.
- the certificate CN must match the usr object name (cn=usr1, obj path=system/usr/usr1).
The cluster can generate the certificates, or an external PKI can be trusted by the cluster.
Requirements¶
Set an appropriate cluster name in cluster.conf, then
export CLUSTERNAME=$(om cluster get --kw cluster.name)
Note
Changing the cluster name once the cluster is setup and used is hard.
Configure for external PKI¶
Store the Certificate Authority certificate chain in a secret.
om system/sec/ca-external create
om system/sec/ca-external add --key certificate_chain --from ~/ca_crt_chain.pem
Create the Certificate for the TLS listener as a secret.
om system/sec/cert-$CLUSTERNAME create
om system/sec/cert-$CLUSTERNAME gen cert
Make the external CA sign this certificate and load the resulting certificate key.
om system/sec/cert-$CLUSTERNAME create --kw cn=vip.$CLUSTERNAME.mycorp
om system/sec/cert-$CLUSTERNAME decode --key certificate_signing_request >~/$CLUSTERNAME.csr
#### signing procedure ####
om system/sec/cert-clu add --key certificate --from ~/$CLUSTERNAME_crt.pem
om system/sec/cert-clu add --key certificate_chain --from ~/$CLUSTERNAME_crt_chain.pem
Declare this Certificate Authority for the TLS listener.
om cluster set --kw cluster.ca=system/sec/ca-external
If available, declare the Certificate Revokation List location, so the listener can refuse revoked certificates before their expiration.
om cluster set --kw cluster.crl=http://crl.mycorp
Configure for internal PKI¶
Create the CA certificate.
om system/sec/ca-$CLUSTERNAME create
om system/sec/ca-$CLUSTERNAME set \
--kw o=mycorp \
--kw c=fr \
--kw email=admin@mycorp
om system/sec/ca-$CLUSTERNAME gen cert
Create the Certificate for the TLS listener as a secret.
om system/sec/cert-$CLUSTERNAME create \
--kw ca=system/sec/ca-$CLUSTERNAME \
--kw cn=vip.$CLUSTERNAME.mycorp
om system/sec/cert-$CLUSTERNAME gen cert
Create Users¶
om system/usr/root create
om system/usr/usr1 create
If the system/sec/ca-$CLUSTERNAME
exists, the created users will automatically get populated with certificate_chain
, certificate
and private_key
keys.
The client certificate data can be extracted with:
om system/usr/usr1 decode --key certificate_chain
om system/usr/usr1 decode --key certificate
om system/usr/usr1 decode --key private_key
Grant privileges¶
om system/usr/root set --kw grant+=root
om system/usr/usr1 set --kw grant+=squatter
om system/usr/usr1 set --kw grant+=admin:ns1
om system/usr/usr1 set --kw 'grant+=guest:*'
See also