Restricting client access in GlusterFS limits which hosts can mount a volume, reducing exposure to unauthorized reads and writes across reachable networks. A tight allowlist also helps contain the impact of leaked mount commands and misrouted traffic.
Native GlusterFS mounts download a volume file during the mount process, and the cluster evaluates access rules before serving that configuration. Volume options like auth.allow and auth.reject accept hostnames, IP addresses, and CIDR ranges, applying the same policy across the trusted pool.
Access rules are evaluated at mount time, so existing mounts can remain active until unmounted. NAT or proxies can change the source address seen by the cluster, and hostname-based entries rely on consistent name resolution across nodes. For certificate-based client control, enable TLS and use auth.ssl-allow instead of IP-based rules.
Steps to restrict GlusterFS client access:
- List volumes to confirm the target name.
$ sudo gluster volume list
volume1
volume2
- Set the auth.allow allowlist for the volume.
$ sudo gluster volume set volume1 auth.allow 10.0.0.0/24,10.0.0.21
volume set: success
A wrong auth.allow value blocks new mount attempts until corrected from a node in the trusted pool.
Separate multiple entries with commas. Avoid spaces. Prefer IP/CIDR entries when DNS consistency is uncertain.
- Verify the allowlist value for the volume.
$ sudo gluster volume get volume1 auth.allow
Option        Value
------        -----
auth.allow    10.0.0.0/24,10.0.0.21
Clear the allowlist with sudo gluster volume reset volume1 auth.allow.
- Mount the volume from an approved client to confirm access control.
$ sudo mount -t glusterfs node1:/volume1 /mnt/volume1
- Confirm the volume is mounted on the client.
$ df -h /mnt/volume1
Filesystem      Size  Used Avail Use% Mounted on
node1:/volume1  1.0T  120G  880G  13% /mnt/volume1
- Attempt the mount from an unapproved client to confirm it is denied.
$ sudo mount -t glusterfs node1:/volume1 /mnt/volume1
mount.glusterfs: Volume file download failed: Permission denied
Denied mount attempts can also be reviewed in server logs under /var/log/glusterfs.
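Because a wrong auth.allow value blocks new mounts, the value can be checked offline before it is set. The script below is an added example, not part of the original article or of GlusterFS; its function names are hypothetical, and it models only IPv4 address and CIDR entries, reporting hostname entries as unsupported rather than resolving them.

```shell
#!/bin/sh
# Added example: offline pre-check of an auth.allow value (IPv4/CIDR entries only).

ip_to_int() {  # dotted quad -> integer on stdout; non-zero status if malformed
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros (octal), max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

entry_covers() {  # $1 = list entry, $2 = client as integer; 0 match, 1 no match, 2 unsupported
    case "$1" in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1; bits=32 ;;
    esac
    case "$bits" in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    net_int=$(ip_to_int "$net") || return 2
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $net_int & $mask )) -eq $(( $2 & $mask )) ]
}

check_allowlist() {  # $1 = auth.allow value, $2 = client IPv4; prints the verdict
    case "$1" in ''|*' '*) echo "invalid: empty value or space in list"; return 0 ;; esac
    c=$(ip_to_int "$2") || { echo "invalid: client address"; return 0; }
    verdict=deny
    set -f; old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs; set +f
    for e in "$@"; do
        rc=0; entry_covers "$e" "$c" || rc=$?
        case $rc in
            0) verdict=allow ;;
            2) echo "unsupported: '$e' is not an IPv4 address or CIDR range"; return 0 ;;
        esac
    done
    echo "$verdict"
}

# Constructed checks using the allowlist value from the steps above.
check_allowlist '10.0.0.0/24,10.0.0.21' 10.0.0.57
check_allowlist '10.0.0.0/24,10.0.0.21' 10.0.1.5
check_allowlist '10.0.0.0/24, 10.0.0.21' 10.0.0.57
```

The verdict is computed against the address the cluster would see, so behind NAT or a proxy pass the translated source address, not the client's own.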
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
