From af6c6429f9743f287baaad68f8e3d56ed7390d1b Mon Sep 17 00:00:00 2001 From: Prashanth Pai Date: Fri, 6 Jul 2018 16:10:40 +0530 Subject: server: Set ssl-allow option in options table and rename ID This change explicitly adds 'ssl-allow' options to the server xlator's options table so that glusterd2 can see it as a settable option. This change also marks 'auth.allow' and 'auth.reject' options as a settable. Glusterd2 doesn't maintain a separate volume options table. Glusterd2 dynamically loads shared objects of xlators to read their option table and other information. Glusterd2 reads 'xlator_api_t' if available. If that's not available, it falls back to reading just the options table directly. In glusterd2, volume set operations are performed by users on keys of the format .. Glusterd2 uses xlator name set in 'xlator_api_t.identifier'. If that's not present it will use the shared object's file name as xlator name. Hence, it is important for 'xlator_api_t.identifier' to be set properly, and in this case, the proper value is "server". This name shall be used by users as prefix while setting volume options implemented in server xlator. The name will also be used in volfile. A user in glusterd2 can authorize a client over TLS as follows: $ glustercli volume set server.ssl-allow [,] gd2 References: https://github.com/gluster/glusterd2/issues/971 https://github.com/gluster/glusterd2/issues/214 https://github.com/gluster/glusterd2/pull/967 Updates: bz#1193929 Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17 Signed-off-by: Prashanth Pai --- xlators/protocol/server/src/server.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'xlators/protocol/server/src/server.c') diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c index 80ea3e68fbb..35c14a39c6c 100644 --- a/xlators/protocol/server/src/server.c +++ b/xlators/protocol/server/src/server.c @@ -1751,6 +1751,7 @@ struct volume_options server_options[] = { .setkey = "auth.addr.{{ brick.path }}.allow", .default_value = "*", .type = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST, + .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC, .description = "Allow a comma separated list of addresses and/or " "hostnames to connect to the server. Option " "auth.reject overrides this option. By default, all " @@ -1759,11 +1760,22 @@ struct volume_options server_options[] = { { .key = {"auth.addr.*.reject", "auth.reject"}, .setkey = "auth.addr.{{ brick.path }}.reject", .type = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST, + .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC, .description = "Reject a comma separated list of addresses and/or " "hostnames to connect to the server. This option " "overrides the auth.allow option. By default, all" " connections are allowed." }, + { .key = {"ssl-allow"}, + .setkey = "auth.login.{{ brick.path }}.ssl-allow", + .default_value = "*", + .type = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST, + .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC, + .description = "Allow a comma separated list of common names (CN) of" + "the clients that are allowed to access the server." + "By default, all TLS authenticated clients are" + "allowed to access the server." + }, /* This is not a valid path w.r.t daemons, hence it's string */ { .key = {"auth-path"}, .type = GF_OPTION_TYPE_STR, @@ -1838,5 +1850,5 @@ xlator_api_t xlator_api = { .fops = &server_fops, .cbks = &server_cbks, .options = server_options, - .identifier = "server-protocol", + .identifier = "server", }; -- cgit