summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMohit Agrawal <moagrawa@redhat.com>2017-03-30 14:45:59 +0530
committerRaghavendra G <rgowdapp@redhat.com>2017-04-10 01:10:28 -0400
commitc7ba4b2b1a1cca6f217083ff9c1f01f23c9ca171 (patch)
tree0402f58b5f1bbfc9692e74f4bcbae89384aceb8b
parent656bf04955936319de4b8711debcc9931a7c778e (diff)
cli/auth : auth.allow and auth.reject does not accept FQDN/host name
Problem : At the time of set FQDN name to "auth.allow/auth.reject" through gluster cli,it does not accept FQDN/host name. Solution: Condition needs to be update in verify_host_name and gf_auth to accept FQDN/host name. Fix : Change the condition to accept FQDN/host Name. To verify the patch followed below procedure 1) Try to set FQDN name for auth.allow or auth.reject parameter gluster v set myvol auth.reject <fqdn name> It gives error "fqdn-name" is not a valid internet-address-list 2) After apply the patch it does not give any error. 3) To verify auth.allow/reject try to mount volume on some client. Change-Id: Ieb76cbb93d43323fd29c7ca04efe3790edb4281b BUG: 1321578 Signed-off-by: Mohit Agrawal <moagrawa@redhat.com> Reviewed-on: https://review.gluster.org/15086 Smoke: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Niels de Vos <ndevos@redhat.com> Reviewed-by: Atin Mukherjee <amukherj@redhat.com> Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
-rw-r--r--tests/bugs/protocol/bug-1321578.t37
-rw-r--r--xlators/protocol/auth/addr/src/addr.c39
2 files changed, 68 insertions, 8 deletions
diff --git a/tests/bugs/protocol/bug-1321578.t b/tests/bugs/protocol/bug-1321578.t
new file mode 100644
index 00000000000..160fc408fba
--- /dev/null
+++ b/tests/bugs/protocol/bug-1321578.t
@@ -0,0 +1,37 @@
+#!/bin/bash
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+
+check_mounted () {
+ df | grep $1 | wc -l
+}
+
+
+TEST glusterd
+TEST $CLI volume create $V0 $H0:$B0/$V0
+
+# Set auth.allow to dummy hostname so it *doesn't* include ourselves.
+TEST $CLI volume set $V0 auth.allow example.org
+TEST $CLI volume start $V0
+
+# "System getspec" will include the username and password if the request comes
+# from a server (which we are). Unfortunately, this will cause authentication
+# to succeed in auth.login regardless of whether auth.addr is working properly
+# or not, which is useless to us. To get a proper test, strip out those lines.
+$CLI system getspec $V0 | sed -e /username/d -e /password/d > fubar.vol
+
+# This mount should fail because auth.allow doesn't include us.
+TEST $GFS -f fubar.vol $M0
+
+# If we had DONT_EXPECT_WITHIN we could use that, but we don't.
+sleep 10
+EXPECT 0 check_mounted $M0
+
+# Set auth.allow to include us. This mount should therefore succeed.
+TEST $CLI volume set $V0 auth.allow $H0
+
+TEST $GFS -f fubar.vol $M0
+sleep 10
+EXPECT 1 check_mounted $M0
+
+cleanup
diff --git a/xlators/protocol/auth/addr/src/addr.c b/xlators/protocol/auth/addr/src/addr.c
index 7ccbb577f48..cafcf28f1e9 100644
--- a/xlators/protocol/auth/addr/src/addr.c
+++ b/xlators/protocol/auth/addr/src/addr.c
@@ -44,6 +44,7 @@ gf_auth (dict_t *input_params, dict_t *config_params)
char peer_addr[UNIX_PATH_MAX] = {0,};
char *type = NULL;
gf_boolean_t allow_insecure = _gf_false;
+ int length = 0;
name = data_to_str (dict_get (input_params, "remote-subvolume"));
if (!name) {
@@ -158,11 +159,22 @@ gf_auth (dict_t *input_params, dict_t *config_params)
addr_str++;
}
- match = fnmatch (addr_str, peer_addr, 0);
- if (negate ? match : !match) {
- result = AUTH_REJECT;
- goto out;
+ length = strlen(addr_str);
+ if ((addr_str[0] != '*') &&
+ valid_host_name (addr_str, length)) {
+ match = gf_is_same_address(addr_str, peer_addr);
+ if (match) {
+ result = AUTH_REJECT;
+ goto out;
+ }
+ } else {
+ match = fnmatch (addr_str, peer_addr, 0);
+ if (negate ? match : !match) {
+ result = AUTH_REJECT;
+ goto out;
+ }
}
+
addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp);
}
GF_FREE (addr_cpy);
@@ -185,11 +197,22 @@ gf_auth (dict_t *input_params, dict_t *config_params)
addr_str++;
}
- match = fnmatch (addr_str, peer_addr, 0);
- if (negate ? match : !match) {
- result = AUTH_ACCEPT;
- goto out;
+ length = strlen(addr_str);
+ if ((addr_str[0] != '*') &&
+ valid_host_name (addr_str, length)) {
+ match = gf_is_same_address(addr_str, peer_addr);
+ if (match) {
+ result = AUTH_ACCEPT;
+ goto out;
+ }
+ } else {
+ match = fnmatch (addr_str, peer_addr, 0);
+ if (negate ? match : !match) {
+ result = AUTH_ACCEPT;
+ goto out;
+ }
}
+
addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp);
}
}