From 92cc124298c068942ba049c2ccaa95b8c5b5294d Mon Sep 17 00:00:00 2001
From: Mohammed Rafi KC <rkavunga@redhat.com>
Date: Mon, 2 Apr 2018 12:20:47 +0530
Subject: server/auth: add option for strict authentication

When this option is enabled, we will check for a matching
username and password, if not found then the connection will
be rejected. This also does a checksum validation of volfile

The option is invalid when SSL/TLS is in use, at which point
the SSL/TLS certificate user name is used to validate and
hence authorize the right user. This expects TLS allow rules
to be setup correctly rather than the default *.

This option is not settable, as a result this cannot be enabled
for volumes using the CLI. This is used with the shared storage
volume, to restrict access to the same in non-SSL/TLS environments
to the gluster peers only.

Tested:
  ./tests/bugs/protocol/bug-1321578.t
  ./tests/features/ssl-authz.t
  - Ran tests on volumes with and without strict auth
    checking (as brick vol file needed to be edited to test,
    or rather to enable the option)
  - Ran tests on volumes to ensure existing mounts are
    disconnected when we enable strict checking

Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
fixes: bz#1570432
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Signed-off-by: ShyamsundarR <srangana@redhat.com>
---
 xlators/protocol/server/src/server.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'xlators/protocol/server/src/server.c')

diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 1e491217c33..ab6ae70ce46 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -742,6 +742,10 @@ do_rpc:
                 goto out;
         }
 
+        GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
+                          options, bool, out);
+
+
         GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
                         bool, out);
 
@@ -1005,6 +1009,14 @@ server_init (xlator_t *this)
                         "Failed to initialize group cache.");
                 goto out;
         }
+
+        ret = dict_get_str_boolean (this->options, "strict-auth-accept",
+                                    _gf_false);
+        if (ret == -1)
+                conf->strict_auth_enabled = _gf_false;
+        else
+                conf->strict_auth_enabled = ret;
+
         ret = dict_get_str_boolean (this->options, "dynamic-auth",
                         _gf_true);
         if (ret == -1)
@@ -1710,6 +1722,12 @@ struct volume_options server_options[] = {
           .op_version = {GD_OP_VERSION_3_7_5},
           .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC
         },
+        { .key   = {"strict-auth-accept"},
+          .type  = GF_OPTION_TYPE_BOOL,
+          .default_value = "off",
+          .description   = "strict-auth-accept reject connection with out"
+                           "a valid username and password."
+        },
         { .key   = {NULL} },
 };
 
-- 
cgit