summaryrefslogtreecommitdiffstats
path: root/xlators
diff options
context:
space:
mode:
authorJeff Darcy <jdarcy@redhat.com>2015-01-06 10:03:49 -0500
committerVijay Bellur <vbellur@redhat.com>2015-01-09 10:04:11 -0800
commit548547b2e41c8e2cf79b929405cf18aecbdedebc (patch)
tree8dba5d41c08edf366244e6679157419c999b1762 /xlators
parent9408dc7b416ca80b3b8d8ecae2ef75c7e9cd21cd (diff)
transport: fix default behavior for SSL authorization
Previously, enabling SSL authentication/encryption but not authorization required explicitly setting ssl-allow=*. Now that same behavior is the default (i.e. when ssl-allow is not set). Also, there's no reason that a name used for *login* auth (typically a UUID for internal purposes or a human name when using SSL) should validate as an RFC-compliant host name or IP address. Therefore the validation only occurs when the auth type is "addr" (not "login" or anything else). Change-Id: I01485ff4f0ab37de4b182858235a5fb0cf4c3c7d BUG: 1179208 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/9397 Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'xlators')
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volume-set.c1
-rw-r--r--xlators/protocol/auth/login/src/login.c23
-rw-r--r--xlators/protocol/server/src/server.c6
3 files changed, 29 insertions, 1 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index f4c6cff1220..a92bfffdb4f 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -963,6 +963,7 @@ struct volopt_map_entry glusterd_volopt_map[] = {
{ .key = "auth.ssl-allow",
.voltype = "protocol/server",
.option = "!ssl-allow",
+ .value = "*",
.type = NO_DOC,
.op_version = GD_OP_VERSION_3_6_0,
},
diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
index 56b93a9f9e9..b53c5ccba21 100644
--- a/xlators/protocol/auth/login/src/login.c
+++ b/xlators/protocol/auth/login/src/login.c
@@ -38,7 +38,6 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
gf_log ("auth/login", GF_LOG_INFO,
"connecting user name: %s", username_data->data);
using_ssl = _gf_true;
- result = AUTH_REJECT;
}
else {
username_data = dict_get (input_params, "username");
@@ -80,6 +79,28 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
if (allow_user) {
gf_log ("auth/login", GF_LOG_INFO,
"allowed user names: %s", allow_user->data);
+ /*
+ * There's a subtle difference between SSL and non-SSL behavior
+ * if we can't match anything in the "while" loop below.
+ * Intuitively, we should AUTH_REJECT if there's no match.
+ * However, existing code depends on allowing untrusted users
+ * to connect with *no credentials at all* by falling through
+ * the loop. They're still distinguished from trusted users
+ * who do provide a valid username and password (in fact that's
+ * pretty much the only thing we use non-SSL login auth for),
+ * but they are allowed to connect. It's wrong, but it's not
+ * worth changing elsewhere. Therefore, we do the sane thing
+ * only for SSL here.
+ *
+ * For SSL, if there's a list *you must be on it*. Note that
+ * if there's no list we don't care. In that case (and the
+ * ssl-allow=* case as well) authorization is effectively
+ * disabled, though authentication and encryption are still
+ * active.
+ */
+ if (using_ssl) {
+ result = AUTH_REJECT;
+ }
username_cpy = gf_strdup (allow_user->data);
if (!username_cpy)
goto out;
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 6f6be52ab15..0dfe19a16b4 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -380,6 +380,12 @@ _check_for_auth_option (dict_t *d, char *k, data_t *v,
if (!tail)
goto out;
+ if (strncmp(tail, "addr.", 5) != 0) {
+ gf_log (xl->name, GF_LOG_INFO,
+ "skip format check for non-addr auth option %s", k);
+ goto out;
+ }
+
/* fast fwd thru module type */
tail = strchr (tail, '.');
if (!tail)