From 026d59f04b4226c646c6bd9ac1018863057b02c1 Mon Sep 17 00:00:00 2001
From: Humble Devassy Chirammal
Date: Mon, 6 Apr 2015 18:52:50 +0530
Subject: doc: cleanup parent doc directory

Change-Id: I65fee850c30e437abef695d2804af74617cc45fe
BUG: 1206539
Signed-off-by: Humble Devassy Chirammal
Reviewed-on: http://review.gluster.org/10106
Reviewed-by: Lalatendu Mohanty
Tested-by: Gluster Build System
Reviewed-by: Humble Devassy Chirammal
---
 doc/TODO/quota.txt | 14 ------
 doc/authentication.txt | 112 ------------------------------------------
 doc/legacy/authentication.txt | 112 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 112 insertions(+), 126 deletions(-)
 delete mode 100644 doc/TODO/quota.txt
 delete mode 100644 doc/authentication.txt
 create mode 100644 doc/legacy/authentication.txt
(limited to 'doc')

diff --git a/doc/TODO/quota.txt b/doc/TODO/quota.txt
deleted file mode 100644
index f8ee1b7512c..00000000000
--- a/doc/TODO/quota.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-* Add the quota config xattr to newly added brick
-* Get directory size before enforcing quota limits on rename
-* Xattr cleanup on disabling quota
-* Heal limit-key while self-healing directories in dht
-* Correct the statfs calculation when set limit is beyond actual disk
- space.
-* Use STACK_WIND_TAIL when quota is turned off to avoid using a frame.
-* Parent gfid xattr self-healing in storage/posix.
-* Failure of regression test related to Quota anonymous fd handling
- handling. mkdir -p in the test-script was failing with EIO error
-* Add GET_ANCESTRY test cases to posix pgfid regression test cases
-* regression tests related to quota accounting covering all possible
- cases of dht rename
-* Build Ancestry in quota_update_size if parent is found to be NULL
diff --git a/doc/authentication.txt b/doc/authentication.txt
deleted file mode 100644
index 036a9df9908..00000000000
--- a/doc/authentication.txt
+++ /dev/null
@@ -1,112 +0,0 @@
-
-* Authentication is provided by two modules addr and login. Login based authentication uses username/password from client for authentication. Each module returns either ACCEPT, REJCET or DONT_CARE. DONT_CARE is returned if the input authentication information to the module is not concerned to its working. The theory behind authentication is that "none of the auth modules should return REJECT and atleast one of them should return ACCEPT"
-
-* Currently all the authentication related information is passed un-encrypted over the network from client to server.
-
-----------------------------------------------------------------------------------------------------
-* options provided in protocol/client:
- * for username/password based authentication:
- option username
- option password
- * client can have only one set of username/password
- * for addr based authentication:
- * no options required in protocol/client. Client has to bind to privileged port (port < 1024 ) which means the process in which protocol/client is loaded has to be run as root.
-
-----------------------------------------------------------------------------------------------------
-* options provided in protocol/server:
- * for username/password based authentication:
- option auth.login..allow [comma separated list of usernames using which clients can connect to volume ]
- option auth.login..password #specify password for username
- * for addr based authentication:
- option auth.addr..allow [comma separated list of ip-addresses/unix-paths from which clients are allowed to connect to volume ]
- option auth.addr..reject [comma separated list of ip-addresses/unix-paths from which clients are not allowed to connect to volume ]
- * negation operator '!' is used to invert the sense of matching.
- Eg., option auth.addr.brick.allow !a.b.c.d #do not allow client from a.b.c.d to connect to volume brick
- option auth.addr.brick.reject !w.x.y.z #allow client from w.x.y.z to connect to volume brick
- * wildcard '*' can be used to match any ip-address/unix-path
-
-----------------------------------------------------------------------------------------------------
-
-* Usecases:
-
-* username/password based authentication only
- protocol/client:
- option username foo
- option password foo-password
- option remote-subvolume foo-brick
-
- protocol/server:
- option auth.login.foo-brick.allow foo,who #,other users allowed to connect to foo-brick
- option auth.login.foo.password foo-password
- option auth.login.who.password who-password
-
- * in protocol/server, dont specify ip from which client is connecting in auth.addr.foo-brick.reject list
-
-****************************************************************************************************
-
-* ip based authentication only
- protocol/client:
- option remote-subvolume foo-brick
- * Client is connecting from a.b.c.d
-
- protocol/server:
- option auth.addr.foo-brick.allow a.b.c.d,e.f.g.h,i.j.k.l #, other ip addresses from which clients are allowed to connect to foo-brick
-
-****************************************************************************************************
-* ip and username/password based authentication
- * allow only "user foo from a.b.c.d"
- protocol/client:
- option username foo
- option password foo-password
- option remote-subvolume foo-brick
-
- protocol/server:
- option auth.login.foo-brick.allow foo
- option auth.login.foo.password foo-password
- option auth.addr.foo-brick.reject !a.b.c.d
-
- * allow only "user foo" from a.b.c.d i.e., only user foo is allowed from a.b.c.d, but anyone is allowed from ip addresses other than a.b.c.d
- protocol/client:
- option username foo
- option password foo-password
- option remote-subvolume foo-brick
-
- protocol/server:
- option auth.login.foo-brick.allow foo
- option auth.login.foo.password foo-password
- option auth.addr.foo-brick.allow !a.b.c.d
-
- * reject only "user shoo from a.b.c.d"
- protcol/client:
- option remote-subvolume shoo-brick
-
- protocol/server:
- # observe that no "option auth.login.shoo-brick.allow shoo" given
- # Also other users from a.b.c.d have to be explicitly allowed using auth.login.shoo-brick.allow ...
- option auth.addr.shoo-brick.allow !a.b.c.d
-
- * reject only "user shoo" from a.b.c.d i.e., user shoo from a.b.c.d has to be rejected.
- * same as reject only "user shoo from a.b.c.d" above, but rules have to be added whether to allow ip addresses (and users from those ips) other than a.b.c.d
-
-****************************************************************************************************
-
-* ip or username/password based authentication
-
- * allow user foo or clients from a.b.c.d
- protocol/client:
- option remote-subvolume foo-brick
-
- protocol/server:
- option auth.login.foo-brick.allow foo
- option auth.login.foo.password foo-password
- option auth.addr.foo-brick.allow a.b.c.d
-
- * reject user shoo or clients from a.b.c.d
- protocol/client:
- option remote-subvolume shoo-brick
-
- protocol/server:
- option auth.login.shoo-brick.allow
- #for each username mentioned in the above list, specify password as below
- option auth.login..password password
- option auth.addr.shoo-brick.reject a.b.c.d
diff --git a/doc/legacy/authentication.txt b/doc/legacy/authentication.txt
new file mode 100644
index 00000000000..036a9df9908
--- /dev/null
+++ b/doc/legacy/authentication.txt
@@ -0,0 +1,112 @@
+
+* Authentication is provided by two modules addr and login. Login based authentication uses username/password from client for authentication. Each module returns either ACCEPT, REJCET or DONT_CARE. DONT_CARE is returned if the input authentication information to the module is not concerned to its working. The theory behind authentication is that "none of the auth modules should return REJECT and atleast one of them should return ACCEPT"
+
+* Currently all the authentication related information is passed un-encrypted over the network from client to server.
+
+----------------------------------------------------------------------------------------------------
+* options provided in protocol/client:
+ * for username/password based authentication:
+ option username
+ option password
+ * client can have only one set of username/password
+ * for addr based authentication:
+ * no options required in protocol/client. Client has to bind to privileged port (port < 1024 ) which means the process in which protocol/client is loaded has to be run as root.
+
+----------------------------------------------------------------------------------------------------
+* options provided in protocol/server:
+ * for username/password based authentication:
+ option auth.login..allow [comma separated list of usernames using which clients can connect to volume ]
+ option auth.login..password #specify password for username
+ * for addr based authentication:
+ option auth.addr..allow [comma separated list of ip-addresses/unix-paths from which clients are allowed to connect to volume ]
+ option auth.addr..reject [comma separated list of ip-addresses/unix-paths from which clients are not allowed to connect to volume ]
+ * negation operator '!' is used to invert the sense of matching.
+ Eg., option auth.addr.brick.allow !a.b.c.d #do not allow client from a.b.c.d to connect to volume brick
+ option auth.addr.brick.reject !w.x.y.z #allow client from w.x.y.z to connect to volume brick
+ * wildcard '*' can be used to match any ip-address/unix-path
+
+----------------------------------------------------------------------------------------------------
+
+* Usecases:
+
+* username/password based authentication only
+ protocol/client:
+ option username foo
+ option password foo-password
+ option remote-subvolume foo-brick
+
+ protocol/server:
+ option auth.login.foo-brick.allow foo,who #,other users allowed to connect to foo-brick
+ option auth.login.foo.password foo-password
+ option auth.login.who.password who-password
+
+ * in protocol/server, dont specify ip from which client is connecting in auth.addr.foo-brick.reject list
+
+****************************************************************************************************
+
+* ip based authentication only
+ protocol/client:
+ option remote-subvolume foo-brick
+ * Client is connecting from a.b.c.d
+
+ protocol/server:
+ option auth.addr.foo-brick.allow a.b.c.d,e.f.g.h,i.j.k.l #, other ip addresses from which clients are allowed to connect to foo-brick
+
+****************************************************************************************************
+* ip and username/password based authentication
+ * allow only "user foo from a.b.c.d"
+ protocol/client:
+ option username foo
+ option password foo-password
+ option remote-subvolume foo-brick
+
+ protocol/server:
+ option auth.login.foo-brick.allow foo
+ option auth.login.foo.password foo-password
+ option auth.addr.foo-brick.reject !a.b.c.d
+
+ * allow only "user foo" from a.b.c.d i.e., only user foo is allowed from a.b.c.d, but anyone is allowed from ip addresses other than a.b.c.d
+ protocol/client:
+ option username foo
+ option password foo-password
+ option remote-subvolume foo-brick
+
+ protocol/server:
+ option auth.login.foo-brick.allow foo
+ option auth.login.foo.password foo-password
+ option auth.addr.foo-brick.allow !a.b.c.d
+
+ * reject only "user shoo from a.b.c.d"
+ protcol/client:
+ option remote-subvolume shoo-brick
+
+ protocol/server:
+ # observe that no "option auth.login.shoo-brick.allow shoo" given
+ # Also other users from a.b.c.d have to be explicitly allowed using auth.login.shoo-brick.allow ...
+ option auth.addr.shoo-brick.allow !a.b.c.d
+
+ * reject only "user shoo" from a.b.c.d i.e., user shoo from a.b.c.d has to be rejected.
+ * same as reject only "user shoo from a.b.c.d" above, but rules have to be added whether to allow ip addresses (and users from those ips) other than a.b.c.d
+
+****************************************************************************************************
+
+* ip or username/password based authentication
+
+ * allow user foo or clients from a.b.c.d
+ protocol/client:
+ option remote-subvolume foo-brick
+
+ protocol/server:
+ option auth.login.foo-brick.allow foo
+ option auth.login.foo.password foo-password
+ option auth.addr.foo-brick.allow a.b.c.d
+
+ * reject user shoo or clients from a.b.c.d
+ protocol/client:
+ option remote-subvolume shoo-brick
+
+ protocol/server:
+ option auth.login.shoo-brick.allow
+ #for each username mentioned in the above list, specify password as below
+ option auth.login..password password
+ option auth.addr.shoo-brick.reject a.b.c.d
-- cgit