summaryrefslogtreecommitdiffstats
path: root/rpc
diff options
context:
space:
mode:
authorRajesh Amaravathi <rajesh@redhat.com>2013-06-04 17:58:34 +0530
committerVijay Bellur <vbellur@redhat.com>2013-06-26 23:00:00 -0700
commite00fb417781931454dfb51f3eac803f44d5b6eca (patch)
tree85f05332e2c028aa1c07a2440fcde8b07a49fd35 /rpc
parent8404ec28e4216de1783ea6fe19c79789378250a9 (diff)
nfs/auth: reject mounts if getaddrinfo fails
When nfs.addr-namelookup is turned on, if the getaddrinfo call fails while authenticating client's ip/hostname, the mount request is denied Change-Id: I744f1c6b9c7aae91b9363bba6c6987b42f7f0cc9 BUG: 947055 Signed-off-by: Rajesh Amaravathi <rajesh@redhat.com> Reviewed-on: http://review.gluster.org/5143 Reviewed-by: Jeff Darcy <jdarcy@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com>
Diffstat (limited to 'rpc')
-rw-r--r--rpc/rpc-lib/src/rpcsvc.c51
1 files changed, 48 insertions, 3 deletions
diff --git a/rpc/rpc-lib/src/rpcsvc.c b/rpc/rpc-lib/src/rpcsvc.c
index 7efb2e1fbb7..d6f5e754d88 100644
--- a/rpc/rpc-lib/src/rpcsvc.c
+++ b/rpc/rpc-lib/src/rpcsvc.c
@@ -2116,6 +2116,9 @@ rpcsvc_auth_check (dict_t *options, char *volname,
char *hostname = NULL;
char *ip = NULL;
char client_ip[RPCSVC_PEER_STRLEN] = {0};
+ char *allow_str = NULL;
+ char *reject_str = NULL;
+ char *srchstr = NULL;
if (!options || !volname || !trans)
return ret;
@@ -2127,12 +2130,52 @@ rpcsvc_auth_check (dict_t *options, char *volname,
return RPCSVC_AUTH_REJECT;
}
- get_host_name (client_ip, &ip);
+ /* Accept if its the default case: Allow all, Reject none
+ * The default volfile always contains a 'allow *' rule
+ * for each volume. If allow rule is missing (which implies
+ * there is some bad volfile generating code doing this), we
+ * assume no one is allowed mounts, and thus, we reject mounts.
+ */
+ ret = gf_asprintf (&srchstr, "rpc-auth.addr.%s.allow", volname);
+ if (ret == -1) {
+ gf_log (GF_RPCSVC, GF_LOG_ERROR, "asprintf failed");
+ return RPCSVC_AUTH_REJECT;
+ }
+
+ ret = dict_get_str (options, srchstr, &allow_str);
+ GF_FREE (srchstr);
+ if (ret < 0)
+ return RPCSVC_AUTH_REJECT;
+
+ ret = gf_asprintf (&srchstr, "rpc-auth.addr.%s.reject", volname);
+ if (ret == -1) {
+ gf_log (GF_RPCSVC, GF_LOG_ERROR, "asprintf failed");
+ return RPCSVC_AUTH_REJECT;
+ }
+
+ ret = dict_get_str (options, srchstr, &reject_str);
+ GF_FREE (srchstr);
+ if (reject_str == NULL && !strcmp ("*", allow_str))
+ return RPCSVC_AUTH_ACCEPT;
+
+ /* Non-default rule, authenticate */
+ if (!get_host_name (client_ip, &ip))
+ ip = client_ip;
/* addr-namelookup disabled by default */
ret = dict_get_str_boolean (options, "rpc-auth.addr.namelookup", 0);
- if (ret == _gf_true)
- gf_get_hostname_from_ip (ip, &hostname);
+ if (ret == _gf_true) {
+ ret = gf_get_hostname_from_ip (ip, &hostname);
+ if (ret) {
+ if (hostname)
+ GF_FREE (hostname);
+ /* failed to get hostname, but hostname auth
+ * is enabled, so authentication will not be
+ * 100% correct. reject mounts
+ */
+ return RPCSVC_AUTH_REJECT;
+ }
+ }
accept = rpcsvc_transport_peer_check_allow (options, volname,
ip, hostname);
@@ -2140,6 +2183,8 @@ rpcsvc_auth_check (dict_t *options, char *volname,
reject = rpcsvc_transport_peer_check_reject (options, volname,
ip, hostname);
+ if (hostname)
+ GF_FREE (hostname);
return rpcsvc_combine_allow_reject_volume_check (accept, reject);
}