TL,DR: Adding servers to the cluster (called pool) is safe, because a 3rd party cannot join an existing cluster on it’s own, it needs to be invited from within. But make sure to restrict which clients can mount the volumes and encrypt the connections.
There was no questions asked. I did nothing to tell server2 to allow server1 to add it to the cluster.
I had this question myself so I went to take a look at the documentation.
When you are creating a new cluster, you start on one server and add others using gluster peer probe OTHER_SERVER. Additional security isn’t strictly required, because you are adding new, uninitialized glusterfs servers. (Unless you leave a freshly installed, uninitialized gluster running with public access – then you are in trouble).
So what prevents an attacker from joining your existing cluster? The key is the following paragraph:
Once this pool has been established, only trusted members may probe new servers into the pool. A new server cannot probe the pool, it must be probed from the pool. (source)
As the documentation says, a 3rd party/adversary cannot join your cluster, it needs to be invited from within.
Note that clients do not need to be in the pool to mount the volumes.
Gluster also provides other security mechanisms to restrict access to data and to mitigate against related attacks:
- IP allow/deny on volume level,
gluster volume set VOL_NAME auth.allow IP1,IP2 - TLS – transport encryption as well as using identities from certificates instead of IP addresses for authorization (not enabled by default and out of scope of this answer, see link)
So if the volumes are not meant to be public:
- use encrypted and authenticated links between servers and servers-clients (Gluster TLS/IPSec/VPN)
- with a firewall setup that does not allow any connections from the outside
- and use
auth.allow(auth.ssl-allowfor TLS) for finer control on the volume level.