diff options
author | Mohammed Rafi KC <rkavunga@redhat.com> | 2018-04-02 12:20:47 +0530 |
---|---|---|
committer | ShyamsundarR <srangana@redhat.com> | 2018-04-22 18:13:37 -0400 |
commit | b50d7aead1c2a7893dc0f4281bf7fc8027e2dacb (patch) | |
tree | 982e6db9b74ba3524ec13e88479b06a3f0f4b33c /xlators/protocol/server/src/server.c | |
parent | 401e1b7136c0d534cec356b0b0d7b029ec1f0a34 (diff) |
server/auth: add option for strict authentication
When this option is enabled, we will check for a matching
username and password, if not found then the connection will
be rejected. This also does a checksum validation of volfile
The option is invalid when SSL/TLS is in use, at which point
the SSL/TLS certificate user name is used to validate and
hence authorize the right user. This expects TLS allow rules
to be setup correctly rather than the default *.
This option is not settable, as a result this cannot be enabled
for volumes using the CLI. This is used with the shared storage
volume, to restrict access to the same in non-SSL/TLS environments
to the gluster peers only.
Tested:
./tests/bugs/protocol/bug-1321578.t
./tests/features/ssl-authz.t
- Ran tests on volumes with and without strict auth
checking (as brick vol file needed to be edited to test,
or rather to enable the option)
- Ran tests on volumes to ensure existing mounts are
disconnected when we enable strict checking
Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
fixes: bz#1570430
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Signed-off-by: ShyamsundarR <srangana@redhat.com>
Diffstat (limited to 'xlators/protocol/server/src/server.c')
-rw-r--r-- | xlators/protocol/server/src/server.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c index 6fcbbd6060d..4884413cc85 100644 --- a/xlators/protocol/server/src/server.c +++ b/xlators/protocol/server/src/server.c @@ -886,6 +886,10 @@ do_rpc: goto out; } + GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled, + options, bool, out); + + GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options, bool, out); @@ -1118,6 +1122,14 @@ init (xlator_t *this) "Failed to initialize group cache."); goto out; } + + ret = dict_get_str_boolean (this->options, "strict-auth-accept", + _gf_false); + if (ret == -1) + conf->strict_auth_enabled = _gf_false; + else + conf->strict_auth_enabled = ret; + ret = dict_get_str_boolean (this->options, "dynamic-auth", _gf_true); if (ret == -1) @@ -1748,5 +1760,11 @@ struct volume_options options[] = { "transport connection immediately in response to " "*.allow | *.reject volume set options." }, + { .key = {"strict-auth-accept"}, + .type = GF_OPTION_TYPE_BOOL, + .default_value = "off", + .description = "strict-auth-accept reject connection with out" + "a valid username and password." + }, { .key = {NULL} }, }; |