authorPrashanth Pai <ppai@redhat.com>2018-07-06 16:10:40 +0530
committerAmar Tumballi <amarts@redhat.com>2018-07-11 04:08:29 +0000
commitaf6c6429f9743f287baaad68f8e3d56ed7390d1b (patch)
treeba1af0771255d901387b9057fa5dd7d40f5b57c9
parente57cbae0bcc3d8649b869eda5ec20f3c6a6d34f0 (diff)
server: Set ssl-allow option in options table and rename ID
This change explicitly adds the 'ssl-allow' option to the server xlator's options table so that glusterd2 can see it as a settable option. This change also marks the 'auth.allow' and 'auth.reject' options as settable. Glusterd2 doesn't maintain a separate volume options table. Glusterd2 dynamically loads shared objects of xlators to read their option table and other information. Glusterd2 reads 'xlator_api_t' if available. If that's not available, it falls back to reading just the options table directly. In glusterd2, volume set operations are performed by users on keys of the format <xlator>.<option-name>. Glusterd2 uses the xlator name set in 'xlator_api_t.identifier'. If that's not present it will use the shared object's file name as the xlator name. Hence, it is important for 'xlator_api_t.identifier' to be set properly, and in this case, the proper value is "server". This name shall be used by users as a prefix while setting volume options implemented in the server xlator. The name will also be used in the volfile. A user in glusterd2 can authorize a client over TLS as follows: $ glustercli volume set <volname> server.ssl-allow <client1-CN>[,<clientN-CN>] gd2 References: https://github.com/gluster/glusterd2/issues/971 https://github.com/gluster/glusterd2/issues/214 https://github.com/gluster/glusterd2/pull/967 Updates: bz#1193929 Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17 Signed-off-by: Prashanth Pai <ppai@redhat.com>
-rw-r--r--xlators/protocol/server/src/server.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 80ea3e68fbb..35c14a39c6c 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -1751,6 +1751,7 @@ struct volume_options server_options[] = {
.setkey = "auth.addr.{{ brick.path }}.allow",
.default_value = "*",
.type = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
+ .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC,
.description = "Allow a comma separated list of addresses and/or "
"hostnames to connect to the server. Option "
"auth.reject overrides this option. By default, all "
@@ -1759,11 +1760,22 @@ struct volume_options server_options[] = {
{ .key = {"auth.addr.*.reject", "auth.reject"},
.setkey = "auth.addr.{{ brick.path }}.reject",
.type = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
+ .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC,
.description = "Reject a comma separated list of addresses and/or "
"hostnames to connect to the server. This option "
"overrides the auth.allow option. By default, all"
" connections are allowed."
},
+ { .key = {"ssl-allow"},
+ .setkey = "auth.login.{{ brick.path }}.ssl-allow",
+ .default_value = "*",
+ .type = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
+ .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC,
+ .description = "Allow a comma separated list of common names (CN) of"
+ "the clients that are allowed to access the server."
+ "By default, all TLS authenticated clients are"
+ "allowed to access the server."
+ },
/* This is not a valid path w.r.t daemons, hence it's string */
{ .key = {"auth-path"},
.type = GF_OPTION_TYPE_STR,
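Review bot: The four string-literal fragments of the new ssl-allow `.description` are concatenated without separating spaces, so the help text glusterd2 surfaces from this table reads "…(CN) ofthe clients… server.By default… areallowed…"; add a trailing space to each fragment, i.e. `"Allow a comma separated list of common names (CN) of "`, `"the clients that are allowed to access the server. "`, `"By default, all TLS authenticated clients are "`. Separately, the entry is typed GF_OPTION_TYPE_INTERNET_ADDRESS_LIST although its values are certificate common names rather than addresses or hostnames; if that type's validator enforces address/hostname syntax (the validator is not visible here), a CN containing spaces or other non-hostname characters would be rejected by a `volume set`, so it is worth confirming that or using a plain string-list type. With the "*" default every client that completes the TLS handshake is admitted, so operators relying on this list for authorization rather than only for transport encryption must set it explicitly; the description says this, which is good, but a short comment above the entry noting that ssl-allow has no effect unless TLS is enabled on the transport would help the next reader. The server_options[] array starts and ends outside this hunk.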
@@ -1838,5 +1850,5 @@ xlator_api_t xlator_api = {
.fops = &server_fops,
.cbks = &server_cbks,
.options = server_options,
- .identifier = "server-protocol",
+ .identifier = "server",
};