diff options
Diffstat (limited to 'xlators/protocol/auth/login')
| -rw-r--r-- | xlators/protocol/auth/login/Makefile.am | 1 | ||||
| -rw-r--r-- | xlators/protocol/auth/login/src/Makefile.am | 13 | ||||
| -rw-r--r-- | xlators/protocol/auth/login/src/login.c | 210 |
3 files changed, 224 insertions, 0 deletions
diff --git a/xlators/protocol/auth/login/Makefile.am b/xlators/protocol/auth/login/Makefile.am new file mode 100644 index 00000000000..af437a64d6d --- /dev/null +++ b/xlators/protocol/auth/login/Makefile.am @@ -0,0 +1 @@ +SUBDIRS = src diff --git a/xlators/protocol/auth/login/src/Makefile.am b/xlators/protocol/auth/login/src/Makefile.am new file mode 100644 index 00000000000..9837437b11e --- /dev/null +++ b/xlators/protocol/auth/login/src/Makefile.am @@ -0,0 +1,13 @@ +auth_LTLIBRARIES = login.la +authdir = $(libdir)/glusterfs/$(PACKAGE_VERSION)/auth + +login_la_LDFLAGS = -module $(GF_XLATOR_LDFLAGS) + +login_la_SOURCES = login.c +login_la_LIBADD = $(top_builddir)/libglusterfs/src/libglusterfs.la + +AM_CPPFLAGS = $(GF_CPPFLAGS) -I$(top_srcdir)/libglusterfs/src \ + -I$(top_srcdir)/xlators/protocol/server/src \ + -I$(top_srcdir)/rpc/xdr/src -I$(top_builddir)/rpc/xdr/src + +AM_CFLAGS = -Wall $(GF_CFLAGS) diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c new file mode 100644 index 00000000000..64521267bfe --- /dev/null +++ b/xlators/protocol/auth/login/src/login.c @@ -0,0 +1,210 @@ +/* + Copyright (c) 2008-2012 Red Hat, Inc. <http://www.redhat.com> + This file is part of GlusterFS. + + This file is licensed to you under your choice of the GNU Lesser + General Public License, version 3 or any later version (LGPLv3 or + later), or the GNU General Public License, version 2 (GPLv2), in all + cases as published by the Free Software Foundation. +*/ + +#include <fnmatch.h> +#include "authenticate.h" + +/* Note on strict_auth + * - Strict auth kicks in when authentication is using the username, password + * in the volfile to login + * - If enabled, auth is rejected if the username and password is not matched + * or is not present + * - When using SSL names, this is automatically strict, and allows only those + * names that are present in the allow list, IOW strict auth checking has no + * implication when using SSL names + */ + +auth_result_t +gf_auth(dict_t *input_params, dict_t *config_params) +{ + auth_result_t result = AUTH_DONT_CARE; + int ret = 0; + data_t *allow_user = NULL; + data_t *username_data = NULL; + data_t *passwd_data = NULL; + data_t *password_data = NULL; + char *username = NULL; + char *password = NULL; + char *brick_name = NULL; + char *searchstr = NULL; + char *username_str = NULL; + char *tmp = NULL; + char *username_cpy = NULL; + gf_boolean_t using_ssl = _gf_false; + gf_boolean_t strict_auth = _gf_false; + + username_data = dict_get(input_params, "ssl-name"); + if (username_data) { + gf_log("auth/login", GF_LOG_INFO, "connecting user name: %s", + username_data->data); + using_ssl = _gf_true; + } else { + ret = dict_get_str_boolean(config_params, "strict-auth-accept", + _gf_false); + if (ret == -1) + strict_auth = _gf_false; + else + strict_auth = ret; + + username_data = dict_get(input_params, "username"); + if (!username_data) { + if (strict_auth) { + gf_log("auth/login", GF_LOG_DEBUG, + "username not found, strict auth" + " configured returning REJECT"); + result = AUTH_REJECT; + } else { + gf_log("auth/login", GF_LOG_DEBUG, + "username not found, returning" + " DONT-CARE"); + } + goto out; + } + password_data = dict_get(input_params, "password"); + if (!password_data) { + if (strict_auth) { + gf_log("auth/login", GF_LOG_DEBUG, + "password not found, strict auth" + " configured returning REJECT"); + result = AUTH_REJECT; + } else { + gf_log("auth/login", GF_LOG_WARNING, + "password not found, returning" + " DONT-CARE"); + } + goto out; + } + password = data_to_str(password_data); + } + username = data_to_str(username_data); + + brick_name = data_to_str(dict_get(input_params, "remote-subvolume")); + if (!brick_name) { + gf_log("auth/login", GF_LOG_ERROR, "remote-subvolume not specified"); + result = AUTH_REJECT; + goto out; + } + + ret = gf_asprintf(&searchstr, "auth.login.%s.%s", brick_name, + using_ssl ? "ssl-allow" : "allow"); + if (-1 == ret) { + gf_log("auth/login", GF_LOG_ERROR, + "asprintf failed while setting search string, " + "returning REJECT"); + result = AUTH_REJECT; + goto out; + } + + allow_user = dict_get(config_params, searchstr); + GF_FREE(searchstr); + + if (allow_user) { + gf_log("auth/login", GF_LOG_INFO, "allowed user names: %s", + allow_user->data); + /* + * There's a subtle difference between SSL and non-SSL behavior + * if we can't match anything in the "while" loop below. + * Intuitively, we should AUTH_REJECT if there's no match. + * However, existing code depends on allowing untrusted users + * to connect with *no credentials at all* by falling through + * the loop. They're still distinguished from trusted users + * who do provide a valid username and password (in fact that's + * pretty much the only thing we use non-SSL login auth for), + * but they are allowed to connect. It's wrong, but it's not + * worth changing elsewhere. Therefore, we do the sane thing + * only for SSL here. + * + * For SSL, if there's a list *you must be on it*. Note that + * if there's no list we don't care. In that case (and the + * ssl-allow=* case as well) authorization is effectively + * disabled, though authentication and encryption are still + * active. + * + * Read NOTE on strict_auth above. + */ + if (using_ssl || strict_auth) { + result = AUTH_REJECT; + } + username_cpy = gf_strdup(allow_user->data); + if (!username_cpy) + goto out; + + username_str = strtok_r(username_cpy, " ,", &tmp); + + /* + * We have to match a user's *authenticated* name to one in the + * list. If we're using SSL, they're already authenticated. + * Otherwise, they need a matching password to complete the + * process. + */ + while (username_str) { + if (!fnmatch(username_str, username, 0)) { + if (using_ssl) { + result = AUTH_ACCEPT; + break; + } + ret = gf_asprintf(&searchstr, "auth.login.%s.password", + username); + if (-1 == ret) { + gf_log("auth/login", GF_LOG_WARNING, + "asprintf failed while setting search string"); + goto out; + } + passwd_data = dict_get(config_params, searchstr); + GF_FREE(searchstr); + + if (!passwd_data) { + gf_log("auth/login", GF_LOG_ERROR, + "wrong username/password combination"); + result = AUTH_REJECT; + goto out; + } + + result = !((strcmp(data_to_str(passwd_data), password)) + ? AUTH_ACCEPT + : AUTH_REJECT); + if (result == AUTH_REJECT) + gf_log("auth/login", GF_LOG_ERROR, + "wrong password for user %s", username); + + break; + } + username_str = strtok_r(NULL, " ,", &tmp); + } + } + +out: + GF_FREE(username_cpy); + + return result; +} + +struct volume_options options[] = { + { + .key = {"auth.login.*.allow"}, + .type = GF_OPTION_TYPE_ANY, + .default_value = "*", + .description = "Username to be allowed access to the volume", + .op_version = {1}, + .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC, + .tags = {}, + /* option_validation_fn validate_fn; */ + }, + { + .key = {"auth.login.*.password"}, + .type = GF_OPTION_TYPE_ANY, + .default_value = "*", + .description = "Password for the allowed username", + .op_version = {1}, + .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC, + .tags = {}, + /* option_validation_fn validate_fn; */ + }, + {.key = {NULL}}}; |