How do I give access to specific directories to specific client machines? #4210
arseni-mourzenko asked this question in Q&A
Hi. I would like to have some advice about the following situation.

I have a number of virtual machines that need to persist data. Let's call them client1, client2, ⋯ clientN. I also have a dedicated machine that stores this persistent data, and has a number of NFS endpoints, with `/etc/exports` that looks like this:

Notice the `/31`: for instance, `/example/vm/app3` may be accessed by both client3 (192.168.0.12) and client4 (192.168.0.13).

I want to stop using NFS, and rely on GlusterFS instead. What mechanism should I use, in GlusterFS, to restrict the access to some client machines for the given directories? In other words, what should I do, in order to allow client3 and client4 to access `/example/vm/app3`, but not, for instance, `/example/vm/app1`?

GlusterFS makes it possible with the `auth.ssl-allow` option to allow or deny access to given volumes for a given client, identified by its SSL certificate. The problem is that this access is global: either the client has access to the entire volume, or not.

It also has support for ACLs for individual directories, but the ACLs rely on user names, and not SSL certificates. In other words, if a given machine is compromised, nothing prevents an attacker from creating an account with a given name to access specific directories.

What should I do?
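The `/31` behaviour described in the post, as an added example that is not part of the original post: a small Python audit that parses exports-style lines and lists which clients each directory admits, giving a baseline access matrix to compare against after a migration. The exports lines are constructed (the poster's file is not shown on the page), and client1's address and the function names are assumptions.

```python
import ipaddress

# Constructed sample in /etc/exports syntax; NOT the poster's actual file.
SAMPLE_EXPORTS = """\
# path              client(options)
/example/vm/app1    192.168.0.10/31(rw,sync,no_subtree_check)
/example/vm/app3    192.168.0.12/31(rw,sync,no_subtree_check)
"""

# client3 and client4 addresses are from the post; client1's is assumed.
CLIENTS = {
    "client1": "192.168.0.10",
    "client3": "192.168.0.12",
    "client4": "192.168.0.13",
}


def parse_exports(text):
    """Return {path: [ip_network, ...]} for address/CIDR client specs."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        nets = exports.setdefault(path, [])
        for spec in specs:
            host = spec.split("(", 1)[0]
            try:
                # strict=False accepts entries written with host bits set.
                nets.append(ipaddress.ip_network(host, strict=False))
            except ValueError:
                # Hostnames, wildcards, netgroups and the empty (world) spec
                # are rejected so they get reviewed by hand, not skipped.
                raise ValueError(f"unsupported client spec: {spec!r}")
    return exports


def allowed_clients(exports, path, clients=CLIENTS):
    """Names of clients whose address is inside a network exported for path."""
    nets = exports.get(path, [])
    return sorted(
        name for name, ip in clients.items()
        if any(ipaddress.ip_address(ip) in net for net in nets)
    )


if __name__ == "__main__":
    table = parse_exports(SAMPLE_EXPORTS)
    for path in table:
        print(path, "->", ", ".join(allowed_clients(table, path)))
```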