summaryrefslogtreecommitdiffstats
path: root/xlators/protocol/server
diff options
context:
space:
mode:
authorMohammed Rafi KC <rkavunga@redhat.com>2018-04-02 12:20:47 +0530
committerShyamsundar Ranganathan <srangana@redhat.com>2018-04-24 12:52:25 +0000
commit92cc124298c068942ba049c2ccaa95b8c5b5294d (patch)
tree5b74049a686991f2bc42ee1e16c2c0125533065a /xlators/protocol/server
parentfa8e792ac3ee4b30768a3b4b1e303d8fb083eb7a (diff)
server/auth: add option for strict authenticationv4.0.2
When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1570432 Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> Signed-off-by: ShyamsundarR <srangana@redhat.com>
Diffstat (limited to 'xlators/protocol/server')
-rw-r--r--xlators/protocol/server/src/authenticate.h4
-rw-r--r--xlators/protocol/server/src/server-handshake.c2
-rw-r--r--xlators/protocol/server/src/server.c18
-rw-r--r--xlators/protocol/server/src/server.h2
4 files changed, 22 insertions, 4 deletions
diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
index 3f80231ee0a..5f92183fb12 100644
--- a/xlators/protocol/server/src/authenticate.h
+++ b/xlators/protocol/server/src/authenticate.h
@@ -37,10 +37,8 @@ typedef struct {
volume_opt_list_t *vol_opt;
} auth_handle_t;
-auth_result_t gf_authenticate (dict_t *input_params,
- dict_t *config_params,
- dict_t *auth_modules);
int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
void gf_auth_fini (dict_t *auth_modules);
+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
#endif /* _AUTHENTICATE_H */
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
index de90a6b8eda..38d248374f0 100644
--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
@@ -693,7 +693,7 @@ server_setvolume (rpcsvc_request_t *req)
ret = dict_get_str (params, "volfile-key",
&volfile_key);
if (ret)
- gf_msg_debug (this->name, 0, "failed to set "
+ gf_msg_debug (this->name, 0, "failed to get "
"'volfile-key'");
ret = _validate_volfile_checksum (this, volfile_key,
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 1e491217c33..ab6ae70ce46 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -742,6 +742,10 @@ do_rpc:
goto out;
}
+ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
+ options, bool, out);
+
+
GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
bool, out);
@@ -1005,6 +1009,14 @@ server_init (xlator_t *this)
"Failed to initialize group cache.");
goto out;
}
+
+ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
+ _gf_false);
+ if (ret == -1)
+ conf->strict_auth_enabled = _gf_false;
+ else
+ conf->strict_auth_enabled = ret;
+
ret = dict_get_str_boolean (this->options, "dynamic-auth",
_gf_true);
if (ret == -1)
@@ -1710,6 +1722,12 @@ struct volume_options server_options[] = {
.op_version = {GD_OP_VERSION_3_7_5},
.flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC
},
+ { .key = {"strict-auth-accept"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "off",
+ .description = "strict-auth-accept reject connection with out"
+ "a valid username and password."
+ },
{ .key = {NULL} },
};
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
index 393219bf290..852cd65590e 100644
--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
@@ -24,6 +24,7 @@
#include "client_t.h"
#include "gidcache.h"
#include "defaults.h"
+#include "authenticate.h"
#define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
#define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
@@ -128,6 +129,7 @@ struct server_conf {
* tweeked */
struct _child_status *child_status;
gf_lock_t itable_lock;
+ gf_boolean_t strict_auth_enabled;
};
typedef struct server_conf server_conf_t;