From bca55ab1bfcd2889f8387ba8bcab27766e1b94ac Mon Sep 17 00:00:00 2001 From: Mohammed Rafi KC Date: Mon, 2 Apr 2018 12:20:47 +0530 Subject: server/auth: add option for strict authentication When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1568844 Signed-off-by: Mohammed Rafi KC Signed-off-by: ShyamsundarR --- xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'xlators/mgmt/glusterd/src/glusterd-volgen.c') diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c index 60014e02061..d1d9ac6b8ea 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c @@ -2472,6 +2472,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, char *password = NULL; char key[1024] = {0}; char *ssl_user = NULL; + char *volname = NULL; char *address_family_data = NULL; if (!graph || !volinfo || !set_dict || !brickinfo) @@ -2547,6 +2548,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, if (ret) return -1; + volname = volinfo->is_snap_volume ? + volinfo->parent_volname : volinfo->volname; + + + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) { + memset (key, 0, sizeof (key)); + snprintf (key, sizeof (key), "strict-auth-accept"); + + ret = xlator_set_option (xl, key, "true"); + if (ret) + return -1; + } + if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) { memset (key, 0, sizeof (key)); snprintf (key, sizeof (key), "auth.login.%s.ssl-allow", @@ -6117,7 +6131,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && - client_type != GF_CLIENT_TRUSTED) { + client_type != GF_CLIENT_TRUSTED) { /* * shared storage volume cannot be mounted from non trusted * nodes. So we are not creating volfiles for non-trusted -- cgit