authorMohammed Rafi KC <rkavunga@redhat.com>2018-04-02 12:20:47 +0530
committerShyamsundarR <srangana@redhat.com>2018-04-20 16:44:06 -0400
commitbca55ab1bfcd2889f8387ba8bcab27766e1b94ac (patch)
tree8c105a7e716fd249292f2b5d0ce7f66d8518e7bb /xlators/protocol/auth
parent3dbb6b5d6093357ed430fba4cc17ac2d8eb99b32 (diff)
server/auth: add option for strict authentication
When this option is enabled, we will check for a matching username and password; if none is found, the connection will be rejected. This also does a checksum validation of the volfile. The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be set up correctly rather than the default *. This option is not settable; as a result it cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to it in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1568844 Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> Signed-off-by: ShyamsundarR <srangana@redhat.com>
Diffstat (limited to 'xlators/protocol/auth')
-rw-r--r--xlators/protocol/auth/login/src/login.c51
1 files changed, 44 insertions, 7 deletions
diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
index 9ee8a0c7a7b..0403858d98f 100644
--- a/xlators/protocol/auth/login/src/login.c
+++ b/xlators/protocol/auth/login/src/login.c
@@ -11,6 +11,16 @@
#include <fnmatch.h>
#include "authenticate.h"
+/* Note on strict_auth
+ * - Strict auth kicks in when authentication is using the username, password
+ * in the volfile to login
+ * - If enabled, auth is rejected if the username and password is not matched
+ * or is not present
+ * - When using SSL names, this is automatically strict, and allows only those
+ * names that are present in the allow list, IOW strict auth checking has no
+ * implication when using SSL names
+*/
+
auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
{
auth_result_t result = AUTH_DONT_CARE;
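Review bot: The new comment block documents the behaviour only under the local variable name `strict_auth` and never names the volfile key that enables it, so an operator searching the source for the option lands in the lookup code rather than here; the opening line could read `/* Note on strict_auth (volfile option "strict-auth-accept", default off)`. The commit message states that the option cannot be set through the CLI, and since this comment is the only place the feature is described in the file, a line such ` * - Not settable via the CLI; enabled by editing the brick volfile` belongs in it as well. The closing `*/` is also not aligned with the ` *` lines above it. The body of gf_auth continues outside this hunk.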
@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
char *tmp = NULL;
char *username_cpy = NULL;
gf_boolean_t using_ssl = _gf_false;
+ gf_boolean_t strict_auth = _gf_false;
username_data = dict_get (input_params, "ssl-name");
if (username_data) {
@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
using_ssl = _gf_true;
}
else {
+ ret = dict_get_str_boolean (config_params, "strict-auth-accept",
+ _gf_false);
+ if (ret == -1)
+ strict_auth = _gf_false;
+ else
+ strict_auth = ret;
+
username_data = dict_get (input_params, "username");
if (!username_data) {
- gf_log ("auth/login", GF_LOG_DEBUG,
- "username not found, returning DONT-CARE");
+ if (strict_auth) {
+ gf_log ("auth/login", GF_LOG_DEBUG,
+ "username not found, strict auth"
+ " configured returning REJECT");
+ result = AUTH_REJECT;
+ } else {
+ gf_log ("auth/login", GF_LOG_DEBUG,
+ "username not found, returning"
+ " DONT-CARE");
+ }
goto out;
}
password_data = dict_get (input_params, "password");
if (!password_data) {
- gf_log ("auth/login", GF_LOG_WARNING,
- "password not found, returning DONT-CARE");
+ if (strict_auth) {
+ gf_log ("auth/login", GF_LOG_DEBUG,
+ "password not found, strict auth"
+ " configured returning REJECT");
+ result = AUTH_REJECT;
+ } else {
+ gf_log ("auth/login", GF_LOG_WARNING,
+ "password not found, returning"
+ " DONT-CARE");
+ }
goto out;
}
password = data_to_str (password_data);
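Review bot: In the `!username_data` and `!password_data` branches the strict-auth REJECT is logged at GF_LOG_DEBUG, while the non-strict DONT-CARE path for a missing password keeps GF_LOG_WARNING, so at the default log level a connection refused by this check leaves no trace even though the denial is the more security-relevant event; the reject messages should be at least as visible as the warning they replace, e.g. `gf_log ("auth/login", GF_LOG_WARNING, "username not found, strict auth configured returning REJECT");` and likewise for the password branch. The `ret == -1` branch above them also silently falls back to `strict_auth = _gf_false` when `dict_get_str_boolean` cannot parse the configured value, which turns a malformed "strict-auth-accept" setting into a fail-open with nothing in the log; a warning there, `gf_log ("auth/login", GF_LOG_WARNING, "invalid strict-auth-accept value, strict auth disabled");`, would let the operator notice the misconfiguration. The body of gf_auth starts and ends outside this hunk.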
@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
using_ssl ? "ssl-allow" : "allow");
if (-1 == ret) {
- gf_log ("auth/login", GF_LOG_WARNING,
+ gf_log ("auth/login", GF_LOG_ERROR,
"asprintf failed while setting search string, "
- "returning DONT-CARE");
+ "returning REJECT");
+ result = AUTH_REJECT;
goto out;
}
@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
* ssl-allow=* case as well) authorization is effectively
* disabled, though authentication and encryption are still
* active.
+ *
+ * Read NOTE on strict_auth above.
*/
- if (using_ssl) {
+ if (using_ssl || strict_auth) {
result = AUTH_REJECT;
}
username_cpy = gf_strdup (allow_user->data);