glusterd: Authenticate management handshake requests

Backport of 371bb42 glusterd: Authenticate management handshake requests from master. Management handshake requests, which are used to validate op-version supported by the peers, are now only allowed if, - the glusterd doesn't have any other peer, or - the request was sent by another peer. This prevents the op-version of a peer being changed because of a connection attempt by an invalid peer. BUG: 1144978 Change-Id: I5a909dad37e9873efe8b75dad41b7af71ce91c3d Signed-off-by: Kaushal M <kaushal@redhat.com> Reviewed-on: http://review.gluster.org/8819 Reviewed-by: Atin Mukherjee <amukherj@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
author: Kaushal M <kaushal@redhat.com> 2014-06-19 15:31:46 +0530
committer: Vijay Bellur <vbellur@redhat.com> 2014-09-24 00:00:13 -0700
commit: b0f98446d5b465c3fc88569396fe3c6b5793aed5 (patch)
tree: e0c18c46c9d346092fb6eb83ce774fd8303f25be /xlators
parent: c4440ab8c7417a3bcaadf1cb150476d5ff6a1325 (diff)
3 files changed, 67 insertions, 0 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-handshake.c b/xlators/mgmt/glusterd/src/glusterd-handshake.c
index da3a01c99f8..7971f12bdac 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handshake.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handshake.c
@@ -881,6 +881,43 @@ out:
         return ret;
 }
 
+/* Validate if glusterd can serve the management handshake request
+ *
+ * Requests are allowed if,
+ *  - glusterd has no peers, or
+ *  - the request came from a known peer
+ */
+gf_boolean_t
+gd_validate_mgmt_hndsk_req (rpcsvc_request_t *req)
+{
+        int                  ret                         = -1;
+        char                 hostname[UNIX_PATH_MAX + 1] = {0,};
+        glusterd_peerinfo_t *peer                        = NULL;
+        xlator_t            *this                        = NULL;
+
+        this = THIS;
+        GF_ASSERT (this);
+
+        if (!glusterd_have_peers ())
+                return _gf_true;
+
+        /* If you cannot get the hostname, you cannot authenticate */
+        ret = glusterd_remote_hostname_get (req, hostname, sizeof (hostname));
+        if (ret)
+                return _gf_false;
+
+        peer = glusterd_peerinfo_find (NULL, hostname);
+        if (peer == NULL) {
+                ret = -1;
+                gf_log (this->name, GF_LOG_ERROR, "Rejecting management "
+                        "handshake request from unknown peer %s",
+                        req->trans->peerinfo.identifier);
+                return _gf_false;
+        }
+
+        return _gf_true;
+}
+
 int
 __glusterd_mgmt_hndsk_versions (rpcsvc_request_t *req)
 {
@@ -895,6 +932,12 @@ __glusterd_mgmt_hndsk_versions (rpcsvc_request_t *req)
         this = THIS;
         conf = this->private;
 
+        /* Check if we can service the request */
+        if (!gd_validate_mgmt_hndsk_req (req)) {
+                ret = -1;
+                goto out;
+        }
+
         ret = xdr_to_generic (req->msg[0], &args,
                               (xdrproc_t)xdr_gf_mgmt_hndsk_req);
         if (ret < 0) {
@@ -979,6 +1022,12 @@ __glusterd_mgmt_hndsk_versions_ack (rpcsvc_request_t *req)
         this = THIS;
         conf = this->private;
 
+        /* Check if we can service the request */
+        if (!gd_validate_mgmt_hndsk_req (req)) {
+                ret = -1;
+                goto out;
+        }
+
         ret = xdr_to_generic (req->msg[0], &args,
                               (xdrproc_t)xdr_gf_mgmt_hndsk_req);
         if (ret < 0) {
diff --git a/xlators/mgmt/glusterd/src/glusterd-utils.c b/xlators/mgmt/glusterd/src/glusterd-utils.c
index 50a99643616..bee17e50c51 100644
--- a/xlators/mgmt/glusterd/src/glusterd-utils.c
+++ b/xlators/mgmt/glusterd/src/glusterd-utils.c
@@ -13620,3 +13620,18 @@ out:
         GF_FREE (mnt_pt);
         return ret;
 }
+
+
+gf_boolean_t
+glusterd_have_peers ()
+{
+        xlator_t        *this = NULL;
+        glusterd_conf_t *conf = NULL;
+
+        this = THIS;
+        GF_ASSERT (this);
+        conf = this->private;
+        GF_ASSERT (conf);
+
+        return !list_empty (&conf->peers);
+}
+\ No newline at end of file
diff --git a/xlators/mgmt/glusterd/src/glusterd-utils.h b/xlators/mgmt/glusterd/src/glusterd-utils.h
index 2e06c2a6341..987f00cc91a 100644
--- a/xlators/mgmt/glusterd/src/glusterd-utils.h
+++ b/xlators/mgmt/glusterd/src/glusterd-utils.h
@@ -900,4 +900,7 @@ glusterd_update_fs_label (glusterd_brickinfo_t *brickinfo);
 void
 gd_get_snap_conf_values_if_present (dict_t *opts, uint64_t *sys_hard_limit,
                                     uint64_t *sys_soft_limit);
+
+gf_boolean_t
+glusterd_have_peers ();
 #endif
author	Kaushal M <kaushal@redhat.com>	2014-06-19 15:31:46 +0530
committer	Vijay Bellur <vbellur@redhat.com>	2014-09-24 00:00:13 -0700
commit	b0f98446d5b465c3fc88569396fe3c6b5793aed5 (patch)
tree	e0c18c46c9d346092fb6eb83ce774fd8303f25be /xlators
parent	c4440ab8c7417a3bcaadf1cb150476d5ff6a1325 (diff)