summaryrefslogtreecommitdiffstats
path: root/xlators/protocol
diff options
context:
space:
mode:
authorPrasanna Kumar Kalever <prasanna.kalever@redhat.com>2015-08-21 00:08:23 +0530
committerRaghavendra G <rgowdapp@redhat.com>2015-10-13 09:05:37 -0700
commitb8ba012da0cf276329025e30b36f43624548f7f1 (patch)
treee84232d67a63f56e01fa638ee063bf48e9b788c5 /xlators/protocol
parent1a1b00fcd0ec199d19652d8fceb9465cc4edf189 (diff)
server/protocol: option for dynamic authorization of client permissions
problem: assuming gluster volume is already mounted (for gfapi: say client transport connection has already established), now if somebody change the volume permissions say *.allow | *.reject for a client, gluster should allow/terminate the client connection based on the fresh set of volume options immediately, but in existing scenario neither we have any option to set this behaviour nor we take any action until and unless we remount the volume manually solution: Introduce 'dynamic-auth' option (default: on). If 'dynamic-auth' is 'on' gluster will perform dynamic authentication to allow/terminate client transport connection immediately in response to *.allow | *.reject volume set options, thus if volume permissions have changed for a particular client (say client is added to auth.reject list), his transport connection to gluster volume will be terminated immediately. Backport of: > Change-Id: I6243a6db41bf1e0babbf050a8e4f8620732e00d8 > BUG: 1245380 > Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> > Reviewed-on: http://review.gluster.org/12229 > Tested-by: NetBSD Build System <jenkins@build.gluster.org> > Reviewed-by: Raghavendra G <rgowdapp@redhat.com> > (cherry picked from commit 84e90b756566bc211535a8627ed16d4231110ade) Change-Id: If7e5c9be912412ea388391ef406ee2c8bedb26b8 BUG: 1271065 Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> Reviewed-on: http://review.gluster.org/12343 Tested-by: NetBSD Build System <jenkins@build.gluster.org> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Diffstat (limited to 'xlators/protocol')
-rw-r--r--xlators/protocol/server/src/server-handshake.c2
-rw-r--r--xlators/protocol/server/src/server.c55
-rw-r--r--xlators/protocol/server/src/server.h4
3 files changed, 57 insertions, 4 deletions
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
index 89e0c1a0e13..af079798804 100644
--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
@@ -603,6 +603,8 @@ server_setvolume (rpcsvc_request_t *req)
conf->auth_modules);
if (ret == AUTH_ACCEPT) {
+ /* Store options received from client side */
+ req->trans->clnt_options = dict_ref(params);
gf_msg (this->name, GF_LOG_INFO, 0, PS_MSG_CLIENT_ACCEPTED,
"accepted client from %s (version: %s)",
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 619290643f3..41832322851 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -725,6 +725,7 @@ reconfigure (xlator_t *this, dict_t *options)
server_conf_t *conf =NULL;
rpcsvc_t *rpc_conf;
rpcsvc_listener_t *listeners;
+ rpc_transport_t *xprt = NULL;
int inode_lru_limit;
gf_boolean_t trace;
data_t *data;
@@ -793,6 +794,7 @@ reconfigure (xlator_t *this, dict_t *options)
/* logging already done in validate_auth_options function. */
goto out;
}
+
dict_foreach (this->options, _delete_auth_opt, this->options);
dict_foreach (options, _copy_auth_opt, this->options);
@@ -820,8 +822,41 @@ reconfigure (xlator_t *this, dict_t *options)
goto out;
}
- (void) rpcsvc_set_allow_insecure (rpc_conf, options);
- (void) rpcsvc_set_root_squash (rpc_conf, options);
+ ret = rpcsvc_auth_reconf (rpc_conf, options);
+ if (ret == -1) {
+ gf_log (GF_RPCSVC, GF_LOG_ERROR,
+ "Failed to reconfigure authentication");
+ goto out;
+ }
+
+ GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
+ bool, out);
+
+ if (conf->dync_auth) {
+ pthread_mutex_lock (&conf->mutex);
+ {
+ list_for_each_entry (xprt, &conf->xprt_list, list) {
+ /* check for client authorization */
+ ret = gf_authenticate (xprt->clnt_options,
+ options, conf->auth_modules);
+ if (ret == AUTH_ACCEPT) {
+ gf_msg (this->name, GF_LOG_TRACE, 0,
+ PS_MSG_CLIENT_ACCEPTED,
+ "authorized client, hence we "
+ "continue with this connection");
+ } else {
+ gf_msg (this->name, GF_LOG_INFO,
+ EACCES,
+ PS_MSG_AUTHENTICATE_ERROR,
+ "unauthorized client, hence "
+ "terminating the connection %s",
+ xprt->peerinfo.identifier);
+ rpc_transport_disconnect(xprt);
+ }
+ }
+ }
+ pthread_mutex_unlock (&conf->mutex);
+ }
ret = rpcsvc_set_outstanding_rpc_limit (rpc_conf, options,
RPCSVC_DEFAULT_OUTSTANDING_RPC_LIMIT);
@@ -972,6 +1007,12 @@ init (xlator_t *this)
"Failed to initialize group cache.");
goto out;
}
+ ret = dict_get_str_boolean (this->options, "dynamic-auth",
+ _gf_true);
+ if (ret == -1)
+ conf->dync_auth = _gf_true;
+ else
+ conf->dync_auth = ret;
/* RPC related */
conf->rpc = rpcsvc_init (this, this->ctx, this->options, 0);
@@ -1378,7 +1419,6 @@ struct volume_options options[] = {
"requests from a client. 0 means no limit (can "
"potentially run out of memory)"
},
-
{ .key = {"manage-gids"},
.type = GF_OPTION_TYPE_BOOL,
.default_value = "off",
@@ -1399,6 +1439,13 @@ struct volume_options options[] = {
" responses faster, depending on available processing"
" power. Range 1-32 threads."
},
-
+ { .key = {"dynamic-auth"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "on",
+ .description = "When 'on' perform dynamic authentication of volume "
+ "options in order to allow/terminate client "
+ "transport connection immediately in response to "
+ "*.allow | *.reject volume set options."
+ },
{ .key = {NULL} },
};
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
index 1055b72dad5..37a1367c14c 100644
--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
@@ -68,6 +68,10 @@ struct server_conf {
* configured */
gf_boolean_t parent_up;
+ gf_boolean_t dync_auth; /* if set authenticate dynamically,
+ * in case if volume set options
+ * (say *.allow | *.reject) are
+ * tweeked */
};
typedef struct server_conf server_conf_t;