From b50d7aead1c2a7893dc0f4281bf7fc8027e2dacb Mon Sep 17 00:00:00 2001 From: Mohammed Rafi KC Date: Mon, 2 Apr 2018 12:20:47 +0530 Subject: server/auth: add option for strict authentication When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1570430 Signed-off-by: Mohammed Rafi KC Signed-off-by: ShyamsundarR --- xlators/protocol/server/src/server.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'xlators/protocol/server/src/server.h') diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h index ea15b561be7..c128a3f0de4 100644 --- a/xlators/protocol/server/src/server.h +++ b/xlators/protocol/server/src/server.h @@ -24,6 +24,7 @@ #include "client_t.h" #include "gidcache.h" #include "defaults.h" +#include "authenticate.h" #define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */ #define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol" @@ -109,6 +110,7 @@ struct server_conf { * tweeked */ struct _child_status *child_status; gf_lock_t itable_lock; + gf_boolean_t strict_auth_enabled; }; typedef struct server_conf server_conf_t; -- cgit