summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMohammed Rafi KC <rkavunga@redhat.com>2018-04-02 12:20:47 +0530
committerShyamsundar Ranganathan <srangana@redhat.com>2018-04-24 12:49:02 +0000
commit420577300f1f8f28e5c4784f291f2c14e7311fb1 (patch)
treedfdde3c07db152e302caacd13d1856961d37a3a0
parent961883e065f80125e5db648e7c214677b2390736 (diff)
server/auth: add option for strict authentication
When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1570428 Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> Signed-off-by: ShyamsundarR <srangana@redhat.com>
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volgen.c16
-rw-r--r--xlators/protocol/auth/login/src/login.c51
-rw-r--r--xlators/protocol/server/src/authenticate.h4
-rw-r--r--xlators/protocol/server/src/server-handshake.c2
-rw-r--r--xlators/protocol/server/src/server.c18
-rw-r--r--xlators/protocol/server/src/server.h2
6 files changed, 81 insertions, 12 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 81d99388f2a..f788b8f20c8 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -2239,6 +2239,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
char *password = NULL;
char key[1024] = {0};
char *ssl_user = NULL;
+ char *volname = NULL;
char *address_family_data = NULL;
if (!graph || !volinfo || !set_dict || !brickinfo)
@@ -2314,6 +2315,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
if (ret)
return -1;
+ volname = volinfo->is_snap_volume ?
+ volinfo->parent_volname : volinfo->volname;
+
+
+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
+ memset (key, 0, sizeof (key));
+ snprintf (key, sizeof (key), "strict-auth-accept");
+
+ ret = xlator_set_option (xl, key, "true");
+ if (ret)
+ return -1;
+ }
+
if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
memset (key, 0, sizeof (key));
snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
@@ -5675,7 +5689,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
- client_type != GF_CLIENT_TRUSTED) {
+ client_type != GF_CLIENT_TRUSTED) {
/*
* shared storage volume cannot be mounted from non trusted
* nodes. So we are not creating volfiles for non-trusted
diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
index e799dd22c1f..da10d0b5cdc 100644
--- a/xlators/protocol/auth/login/src/login.c
+++ b/xlators/protocol/auth/login/src/login.c
@@ -11,6 +11,16 @@
#include <fnmatch.h>
#include "authenticate.h"
+/* Note on strict_auth
+ * - Strict auth kicks in when authentication is using the username, password
+ * in the volfile to login
+ * - If enabled, auth is rejected if the username and password is not matched
+ * or is not present
+ * - When using SSL names, this is automatically strict, and allows only those
+ * names that are present in the allow list, IOW strict auth checking has no
+ * implication when using SSL names
+*/
+
auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
{
auth_result_t result = AUTH_DONT_CARE;
@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
char *tmp = NULL;
char *username_cpy = NULL;
gf_boolean_t using_ssl = _gf_false;
+ gf_boolean_t strict_auth = _gf_false;
username_data = dict_get (input_params, "ssl-name");
if (username_data) {
@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
using_ssl = _gf_true;
}
else {
+ ret = dict_get_str_boolean (config_params, "strict-auth-accept",
+ _gf_false);
+ if (ret == -1)
+ strict_auth = _gf_false;
+ else
+ strict_auth = ret;
+
username_data = dict_get (input_params, "username");
if (!username_data) {
- gf_log ("auth/login", GF_LOG_DEBUG,
- "username not found, returning DONT-CARE");
+ if (strict_auth) {
+ gf_log ("auth/login", GF_LOG_DEBUG,
+ "username not found, strict auth"
+ " configured returning REJECT");
+ result = AUTH_REJECT;
+ } else {
+ gf_log ("auth/login", GF_LOG_DEBUG,
+ "username not found, returning"
+ " DONT-CARE");
+ }
goto out;
}
password_data = dict_get (input_params, "password");
if (!password_data) {
- gf_log ("auth/login", GF_LOG_WARNING,
- "password not found, returning DONT-CARE");
+ if (strict_auth) {
+ gf_log ("auth/login", GF_LOG_DEBUG,
+ "password not found, strict auth"
+ " configured returning REJECT");
+ result = AUTH_REJECT;
+ } else {
+ gf_log ("auth/login", GF_LOG_WARNING,
+ "password not found, returning"
+ " DONT-CARE");
+ }
goto out;
}
password = data_to_str (password_data);
@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
using_ssl ? "ssl-allow" : "allow");
if (-1 == ret) {
- gf_log ("auth/login", GF_LOG_WARNING,
+ gf_log ("auth/login", GF_LOG_ERROR,
"asprintf failed while setting search string, "
- "returning DONT-CARE");
+ "returning REJECT");
+ result = AUTH_REJECT;
goto out;
}
@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
* ssl-allow=* case as well) authorization is effectively
* disabled, though authentication and encryption are still
* active.
+ *
+ * Read NOTE on strict_auth above.
*/
- if (using_ssl) {
+ if (using_ssl || strict_auth) {
result = AUTH_REJECT;
}
username_cpy = gf_strdup (allow_user->data);
diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
index 3f80231ee0a..5f92183fb12 100644
--- a/xlators/protocol/server/src/authenticate.h
+++ b/xlators/protocol/server/src/authenticate.h
@@ -37,10 +37,8 @@ typedef struct {
volume_opt_list_t *vol_opt;
} auth_handle_t;
-auth_result_t gf_authenticate (dict_t *input_params,
- dict_t *config_params,
- dict_t *auth_modules);
int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
void gf_auth_fini (dict_t *auth_modules);
+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
#endif /* _AUTHENTICATE_H */
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
index 64267f2aef9..30b4fc46844 100644
--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
@@ -626,7 +626,7 @@ server_setvolume (rpcsvc_request_t *req)
ret = dict_get_str (params, "volfile-key",
&volfile_key);
if (ret)
- gf_msg_debug (this->name, 0, "failed to set "
+ gf_msg_debug (this->name, 0, "failed to get "
"'volfile-key'");
ret = _validate_volfile_checksum (this, volfile_key,
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 4739c4560a6..a478ebd666d 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -888,6 +888,10 @@ do_rpc:
goto out;
}
+ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
+ options, bool, out);
+
+
GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
bool, out);
@@ -1118,6 +1122,14 @@ init (xlator_t *this)
"Failed to initialize group cache.");
goto out;
}
+
+ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
+ _gf_false);
+ if (ret == -1)
+ conf->strict_auth_enabled = _gf_false;
+ else
+ conf->strict_auth_enabled = ret;
+
ret = dict_get_str_boolean (this->options, "dynamic-auth",
_gf_true);
if (ret == -1)
@@ -1672,5 +1684,11 @@ struct volume_options options[] = {
"transport connection immediately in response to "
"*.allow | *.reject volume set options."
},
+ { .key = {"strict-auth-accept"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "off",
+ .description = "strict-auth-accept reject connection with out"
+ "a valid username and password."
+ },
{ .key = {NULL} },
};
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
index 0b37eb1414a..7eea2917ae3 100644
--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
@@ -24,6 +24,7 @@
#include "client_t.h"
#include "gidcache.h"
#include "defaults.h"
+#include "authenticate.h"
#define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
#define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
@@ -105,6 +106,7 @@ struct server_conf {
* false, when child is down */
gf_lock_t itable_lock;
+ gf_boolean_t strict_auth_enabled;
};
typedef struct server_conf server_conf_t;