From bbf83e34d78e064befe816edf71a9ee5c2c5c209 Mon Sep 17 00:00:00 2001 From: Atin Mukherjee Date: Mon, 20 Mar 2017 05:15:25 +0530 Subject: protocol : fix auth-allow regression One of the brick multiplexing patches (commit 1a95fc3) had some changes in gf_auth () & server_setvolume () functions which caused auth-allow feature to be broken. mount doesn't succeed even if it's part of the auth-allow list. This fix does the following: 1. Reintroduce the peer-info data back in gf_auth () so that fnmatch has valid input and it can decide on the result. 2. config-params dict should capture key values pairs for all the bricks in case brick multiplexing is on. In case brick multiplexing isn't enabled, then config-params should carry attributes from protocol/server such that all rpc auth related attributes stay in tact in the dictionary. >Reviewed-on: https://review.gluster.org/16920 >Tested-by: Jeff Darcy >Smoke: Gluster Build System >NetBSD-regression: NetBSD Build System >CentOS-regression: Gluster Build System >Reviewed-by: Jeff Darcy >Reviewed-by: MOHIT AGRAWAL >(cherry picked from commit 0bd58241143e91b683a3e5c4335aabf9eed537fe) Change-Id: I007c4c6d78620a896b8858a29459a77de8b52412 BUG: 1429117 Signed-off-by: Atin Mukherjee Reviewed-on: https://review.gluster.org/16967 Smoke: Gluster Build System NetBSD-regression: NetBSD Build System CentOS-regression: Gluster Build System Reviewed-by: Shyamsundar Ranganathan --- tests/bugs/protocol/bug-1433815-auth-allow.t | 39 ++++++++++++++++ xlators/protocol/auth/addr/src/addr.c | 61 +++++++++++++++++++++++++- xlators/protocol/server/src/server-handshake.c | 6 ++- 3 files changed, 103 insertions(+), 3 deletions(-) create mode 100644 tests/bugs/protocol/bug-1433815-auth-allow.t diff --git a/tests/bugs/protocol/bug-1433815-auth-allow.t b/tests/bugs/protocol/bug-1433815-auth-allow.t new file mode 100644 index 00000000000..fa22ad8afd5 --- /dev/null +++ b/tests/bugs/protocol/bug-1433815-auth-allow.t @@ -0,0 +1,39 @@ +#!/bin/bash + +. $(dirname $0)/../../include.rc +. $(dirname $0)/../../volume.rc + +check_mounted () { + df | grep $1 | wc -l +} + +get_addresses () { + ip addr | sed -n '/.*inet \([0-9.]*\).*/s//\1/p' | tr '\n' ',' +} + +TEST glusterd +TEST $CLI volume create $V0 $H0:$B0/$V0 + +# Set auth.allow so it *doesn't* include ourselves. +TEST $CLI volume set $V0 auth.allow 1.2.3.4 +TEST $CLI volume start $V0 + +# "System getspec" will include the username and password if the request comes +# from a server (which we are). Unfortunately, this will cause authentication +# to succeed in auth.login regardless of whether auth.addr is working properly +# or not, which is useless to us. To get a proper test, strip out those lines. +$CLI system getspec $V0 | sed -e /username/d -e /password/d > fubar.vol + +# This mount should fail because auth.allow doesn't include us. +TEST $GFS -f fubar.vol $M0 +# If we had DONT_EXPECT_WITHIN we could use that, but we don't. +sleep 10 +EXPECT 0 check_mounted $M0 + +# Set auth.allow to include us. This mount should therefore succeed. +TEST $CLI volume set $V0 auth.allow "$(get_addresses)" +TEST $GFS -f fubar.vol $M0 +sleep 10 +EXPECT 1 check_mounted $M0 + +cleanup diff --git a/xlators/protocol/auth/addr/src/addr.c b/xlators/protocol/auth/addr/src/addr.c index 1b4557134f9..7ccbb577f48 100644 --- a/xlators/protocol/auth/addr/src/addr.c +++ b/xlators/protocol/auth/addr/src/addr.c @@ -30,14 +30,20 @@ gf_auth (dict_t *input_params, dict_t *config_params) int ret = 0; char *name = NULL; char *searchstr = NULL; + peer_info_t *peer_info = NULL; + data_t *peer_info_data = NULL; data_t *allow_addr = NULL; data_t *reject_addr = NULL; char *addr_str = NULL; char *tmp = NULL; char *addr_cpy = NULL; + char *service = NULL; + uint16_t peer_port = 0; char negate = 0; char match = 0; - char peer_addr[UNIX_PATH_MAX]; + char peer_addr[UNIX_PATH_MAX] = {0,}; + char *type = NULL; + gf_boolean_t allow_insecure = _gf_false; name = data_to_str (dict_get (input_params, "remote-subvolume")); if (!name) { @@ -85,6 +91,57 @@ gf_auth (dict_t *input_params, dict_t *config_params) goto out; } + peer_info_data = dict_get (input_params, "peer-info"); + if (!peer_info_data) { + gf_log ("auth/addr", GF_LOG_ERROR, + "peer-info not present"); + goto out; + } + + peer_info = data_to_ptr (peer_info_data); + + switch (((struct sockaddr *) &peer_info->sockaddr)->sa_family) { + case AF_INET_SDP: + case AF_INET: + case AF_INET6: + strcpy (peer_addr, peer_info->identifier); + service = strrchr (peer_addr, ':'); + *service = '\0'; + service++; + + ret = dict_get_str (config_params, "rpc-auth-allow-insecure", + &type); + if (ret == 0) { + ret = gf_string2boolean (type, &allow_insecure); + if (ret < 0) { + gf_log ("auth/addr", GF_LOG_WARNING, + "rpc-auth-allow-insecure option %s " + "is not a valid bool option", type); + goto out; + } + } + + peer_port = atoi (service); + if (peer_port >= PRIVILEGED_PORT_CEILING && !allow_insecure) { + gf_log ("auth/addr", GF_LOG_ERROR, + "client is bound to port %d which is not privileged", + peer_port); + result = AUTH_REJECT; + goto out; + } + break; + + case AF_UNIX: + strcpy (peer_addr, peer_info->identifier); + break; + + default: + gf_log ("authenticate/addr", GF_LOG_ERROR, + "unknown address family %d", + ((struct sockaddr *) &peer_info->sockaddr)->sa_family); + goto out; + } + if (reject_addr) { addr_cpy = gf_strdup (reject_addr->data); if (!addr_cpy) @@ -120,7 +177,7 @@ gf_auth (dict_t *input_params, dict_t *config_params) addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp); while (addr_str) { - gf_log (name, GF_LOG_DEBUG, + gf_log (name, GF_LOG_INFO, "allowed = \"%s\", received addr = \"%s\"", addr_str, peer_addr); if (addr_str[0] == '!') { diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c index 249dde7de76..64267f2aef9 100644 --- a/xlators/protocol/server/src/server-handshake.c +++ b/xlators/protocol/server/src/server-handshake.c @@ -425,6 +425,10 @@ server_setvolume (rpcsvc_request_t *req) } this = req->svc->xl; + /* this is to ensure config_params is populated with the first brick + * details at first place if brick multiplexing is enabled + */ + config_params = dict_copy_with_ref (this->options, NULL); buf = memdup (args.dict.dict_val, args.dict.dict_len); if (buf == NULL) { @@ -484,7 +488,7 @@ server_setvolume (rpcsvc_request_t *req) goto fail; } - config_params = dict_copy_with_ref (xl->options, NULL); + config_params = dict_copy_with_ref (xl->options, config_params); conf = this->private; if (conf->parent_up == _gf_false) { -- cgit