diff options
author | Mohammed Rafi KC <rkavunga@redhat.com> | 2018-04-02 12:20:47 +0530 |
---|---|---|
committer | Shyamsundar Ranganathan <srangana@redhat.com> | 2018-04-24 12:52:25 +0000 |
commit | 92cc124298c068942ba049c2ccaa95b8c5b5294d (patch) | |
tree | 5b74049a686991f2bc42ee1e16c2c0125533065a /xlators/mgmt | |
parent | fa8e792ac3ee4b30768a3b4b1e303d8fb083eb7a (diff) |
server/auth: add option for strict authenticationv4.0.2
When this option is enabled, we will check for a matching
username and password, if not found then the connection will
be rejected. This also does a checksum validation of volfile
The option is invalid when SSL/TLS is in use, at which point
the SSL/TLS certificate user name is used to validate and
hence authorize the right user. This expects TLS allow rules
to be setup correctly rather than the default *.
This option is not settable, as a result this cannot be enabled
for volumes using the CLI. This is used with the shared storage
volume, to restrict access to the same in non-SSL/TLS environments
to the gluster peers only.
Tested:
./tests/bugs/protocol/bug-1321578.t
./tests/features/ssl-authz.t
- Ran tests on volumes with and without strict auth
checking (as brick vol file needed to be edited to test,
or rather to enable the option)
- Ran tests on volumes to ensure existing mounts are
disconnected when we enable strict checking
Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
fixes: bz#1570432
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Signed-off-by: ShyamsundarR <srangana@redhat.com>
Diffstat (limited to 'xlators/mgmt')
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c index 9fe3b4e16ce..c6d0255badd 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c @@ -2447,6 +2447,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, char *password = NULL; char key[1024] = {0}; char *ssl_user = NULL; + char *volname = NULL; char *address_family_data = NULL; if (!graph || !volinfo || !set_dict || !brickinfo) @@ -2522,6 +2523,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, if (ret) return -1; + volname = volinfo->is_snap_volume ? + volinfo->parent_volname : volinfo->volname; + + + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) { + memset (key, 0, sizeof (key)); + snprintf (key, sizeof (key), "strict-auth-accept"); + + ret = xlator_set_option (xl, key, "true"); + if (ret) + return -1; + } + if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) { memset (key, 0, sizeof (key)); snprintf (key, sizeof (key), "auth.login.%s.ssl-allow", @@ -6068,7 +6082,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && - client_type != GF_CLIENT_TRUSTED) { + client_type != GF_CLIENT_TRUSTED) { /* * shared storage volume cannot be mounted from non trusted * nodes. So we are not creating volfiles for non-trusted |