server/auth: add option for strict authentication

When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1568844 Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> Signed-off-by: ShyamsundarR <srangana@redhat.com>
author: Mohammed Rafi KC <rkavunga@redhat.com> 2018-04-02 12:20:47 +0530
committer: ShyamsundarR <srangana@redhat.com> 2018-04-20 16:44:06 -0400
commit: bca55ab1bfcd2889f8387ba8bcab27766e1b94ac (patch)
tree: 8c105a7e716fd249292f2b5d0ce7f66d8518e7bb /xlators/protocol/server
parent: 3dbb6b5d6093357ed430fba4cc17ac2d8eb99b32 (diff)
4 files changed, 22 insertions, 4 deletions
diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
index 3f80231ee0a..5f92183fb12 100644
--- a/xlators/protocol/server/src/authenticate.h
+++ b/xlators/protocol/server/src/authenticate.h
@@ -37,10 +37,8 @@ typedef struct {
         volume_opt_list_t *vol_opt;
 } auth_handle_t;
 
-auth_result_t gf_authenticate (dict_t *input_params,
-                               dict_t *config_params,
-                               dict_t *auth_modules);
 int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
 void gf_auth_fini (dict_t *auth_modules);
+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
 
 #endif /* _AUTHENTICATE_H */
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
index 08f76de9748..af63a0f15d9 100644
--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
@@ -716,7 +716,7 @@ server_setvolume (rpcsvc_request_t *req)
                         ret = dict_get_str (params, "volfile-key",
                                             &volfile_key);
                         if (ret)
-                                gf_msg_debug (this->name, 0, "failed to set "
+                                gf_msg_debug (this->name, 0, "failed to get "
                                               "'volfile-key'");
 
                         ret = _validate_volfile_checksum (this, volfile_key,
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 87a03d23c3f..254a5ca6c62 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -798,6 +798,10 @@ do_rpc:
                 goto out;
         }
 
+        GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
+                          options, bool, out);
+
+
         GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
                         bool, out);
 
@@ -1062,6 +1066,14 @@ server_init (xlator_t *this)
                         "Failed to initialize group cache.");
                 goto out;
         }
+
+        ret = dict_get_str_boolean (this->options, "strict-auth-accept",
+                                    _gf_false);
+        if (ret == -1)
+                conf->strict_auth_enabled = _gf_false;
+        else
+                conf->strict_auth_enabled = ret;
+
         ret = dict_get_str_boolean (this->options, "dynamic-auth",
                         _gf_true);
         if (ret == -1)
@@ -1793,6 +1805,12 @@ struct volume_options server_options[] = {
           .op_version = {GD_OP_VERSION_3_7_5},
           .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC
         },
+        { .key   = {"strict-auth-accept"},
+          .type  = GF_OPTION_TYPE_BOOL,
+          .default_value = "off",
+          .description   = "strict-auth-accept reject connection with out"
+                           "a valid username and password."
+        },
         { .key   = {NULL} },
 };
 
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
index ea1fbf92919..88aaa263018 100644
--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
@@ -24,6 +24,7 @@
 #include "client_t.h"
 #include "gidcache.h"
 #include "defaults.h"
+#include "authenticate.h"
 
 #define DEFAULT_BLOCK_SIZE         4194304   /* 4MB */
 #define DEFAULT_VOLUME_FILE_PATH   CONFDIR "/glusterfs.vol"
@@ -128,6 +129,7 @@ struct server_conf {
                                             * tweeked */
         struct _child_status    *child_status;
         gf_lock_t               itable_lock;
+        gf_boolean_t            strict_auth_enabled;
 };
 typedef struct server_conf server_conf_t;
author	Mohammed Rafi KC <rkavunga@redhat.com>	2018-04-02 12:20:47 +0530
committer	ShyamsundarR <srangana@redhat.com>	2018-04-20 16:44:06 -0400
commit	bca55ab1bfcd2889f8387ba8bcab27766e1b94ac (patch)
tree	8c105a7e716fd249292f2b5d0ce7f66d8518e7bb /xlators/protocol/server
parent	3dbb6b5d6093357ed430fba4cc17ac2d8eb99b32 (diff)