Configuration and Security

Switching a cluster to HTTPS

View as Markdown

Here’s a quick sequence with detailed comments inline.

But first:

Operational note: As with any cluster-wide configuration change that rebuilds cluster metadata (e.g., cluster map a.k.a. Smap), it is good practice to periodically back up cluster-level metadata (BMD, Smap, configuration). This is not specific to HTTP <=> HTTPS.

From HTTP to HTTPS

This assumes that X.509 certificate already exists and the (HTTP-based) cluster is up and running. All we need to do at this point is switch it to HTTPS.

1# step 1: reconfigure cluster to use HTTPS
2$ ais config cluster net.http.use_https true
3
4# step 2: add information related to certs
5$ ais config cluster net.http.skip_verify true
6$ ais config cluster net.http.server_key <path-to-cert>/cert.key
7$ ais config cluster net.http.server_crt <path-to-cert>/cert.crt
8
9# step 3: shutdown
10$ ais cluster shutdown
11
12# step 4: remove cluster map - all copies at all possible locations, for example:
13$ find ~/.ais* -type f -name ".ais.smap" | xargs rm
14
15# step 5: restart
16$ make kill cli deploy <<< $'6\n6\n4\ny\ny\nn\n'
17
18# step 6: optionally, run aisloader
19$ AIS_ENDPOINT=https://localhost:8080 aisloader -bucket=ais://nnn -cleanup=false -numworkers=8 -pctput=0 -randomproxy
20
21# step 7: optionally, reconfigure CLI to skip X.509 verification:
22$ ais config cli set cluster.skip_verify_crt true
23
24# step 8: run CLI
25$ AIS_ENDPOINT=https://127.0.0.1:8080 ais show cluster
26
27$ AIS_ENDPOINT=https://127.0.0.1:8080 ais archive gen-shards "ais://abc/shard-{001..999}.tar.lz4"
28Shards created: 999/999 [==============================================================] 100 %
29
30$ export AIS_ENDPOINT=https://localhost:8080
31
32$ ais ls ais://abc --summary
33NAME           PRESENT         OBJECTS         SIZE (apparent, objects, remote)        USAGE(%)
34ais://abc      yes             999 0           5.86MiB 5.20MiB 0B                      0%
35...
36...

NOTE: localhost:8080 (above) can be replaced with any legitimate (http or https) address of any AIS gateway. The latter may - but not necessarily have to - be specified with the environment variable AIS ENDPOINT.

From HTTPS back to HTTP

1# step 1: disable HTTPS
2$ AIS_ENDPOINT=https://127.0.0.1:8080 ais config cluster net.http.use_https false
3
4# step 2: shutdown (notice that we are still using HTTPS endpoint)
5$ AIS_ENDPOINT=https://127.0.0.1:8080 ais cluster shutdown -y
6
7# step 3: remove cluster maps
8$ find ~/.ais* -type f -name ".ais.smap" | xargs rm
9
10# step 4: restart
11$ make kill cli deploy <<< $'6\n6\n4\ny\ny\nn\n'
12
13# step 5: and use
14$ ais show cluster