path: root/glustolibs-gluster/glustolibs/gluster/auth_ops.py
#  Copyright (C) 2017-2018  Red Hat, Inc. <http://www.redhat.com>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License along
#  with this program; if not, write to the Free Software Foundation, Inc.,
#  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

"""
    Description: This contains the gluster volume auth allow and
    reject operations
"""
from glusto.core import Glusto as g
from glustolibs.gluster.volume_ops import get_volume_options


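def set_auth_allow(volname, server, auth_dict):
    """
    Set the auth.allow option for a volume or for its sub directories

    Args:
        volname(str): The name of volume in which auth.allow
            has to be set
        server(str): IP or hostname of one node
        auth_dict(dict): key-value pair of dirs and clients list
            Example: auth_dict = {'/d1':['10.70.37.172','10.70.37.173'],
                '/d3/subd1':['10.70.37.172','dhcp37-999.xyz.cdf.pqr.abc.com']}
            If authentication has to be set on the entire volume, use 'all'
            as key.
                auth_dict = {'all': ['10.70.37.172','10.70.37.173']}
                auth_dict = {'all': ['*']}
                'all' refers to the entire volume. When 'all' is present,
                every other key in auth_dict is ignored.
    Returns (bool):
        True if the set command exits with status 0 and
        verify_auth_allow() confirms the value, else False
    """
    if not auth_dict:
        g.log.error("Authentication details are not provided")
        return False

    if 'all' in auth_dict:
        # Volume-wide setting: a plain comma-separated client list.
        auth_value = ",".join(auth_dict["all"])
    else:
        # Per-directory setting: one "dir(client1|client2)" entry per key.
        # items() is used because iteritems() exists only on Python 2.
        auth_value = ",".join("%s(%s)" % (path, "|".join(clients))
                              for path, clients in auth_dict.items())

    # NOTE(review): volname and the dir/client strings are interpolated into
    # the command line without escaping. Presumably g.run hands this string
    # to a shell on the server (confirm), so a value containing a double
    # quote, '$' or a backtick would change the command that runs. Pass only
    # trusted, validated values here.
    auth_cmd = ("gluster volume set %s auth.allow \"%s\""
                % (volname, auth_value))

    # Execute auth.allow setting on server.
    ret, _, _ = g.run(server, auth_cmd)
    if ret:
        g.log.error("Failed to set auth.allow on volume %s (ret=%s)",
                    volname, ret)
        return False

    # Read the option back so that a silently ignored value is not reported
    # as success.
    if not verify_auth_allow(volname, server, auth_dict):
        return False
    g.log.info("Authentication set and verified successfully.")
    return True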


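def verify_auth_allow(volname, server, auth_dict):
    """
    Verify the auth.allow option for a volume or for its sub directories

    Args:
        volname(str): The name of volume in which auth.allow
            has to be verified
        server(str): IP or hostname of one node
        auth_dict(dict): key-value pair of dirs and clients list
            Example: auth_dict = {'/d1':['10.70.37.172','10.70.37.173'],
                '/d3/subd1':['10.70.37.172','10.70.37.197']}
            If authentication is set on entire volume, use 'all' as key to
            verify.
                auth_dict = {'all': ['10.70.37.172','10.70.37.173']}
                auth_dict = {'all': ['*']}
                'all' refers to the entire volume. When 'all' is present,
                every other key in auth_dict is ignored.
    Returns (bool):
        True if every expected entry is present in the auth.allow value
        of the volume, else False
    """
    if not auth_dict:
        g.log.error("Authentication details are not provided")
        return False

    # Get the value of auth.allow option of the volume
    auth_clients_dict = get_volume_options(server, volname, "auth.allow")

    # get_volume_options is defined elsewhere; guard against an empty result
    # or a missing key so that a failed lookup reads as "not verified"
    # instead of raising.
    if not auth_clients_dict or 'auth.allow' not in auth_clients_dict:
        g.log.error("Unable to get auth.allow option of volume %s", volname)
        return False
    auth_clients = auth_clients_dict['auth.allow']
    configured_entries = auth_clients.split(',')

    if 'all' in auth_dict:
        # Volume-wide check: the expected entries are the client names.
        expected_entries = auth_dict['all']
    else:
        # Sub-dir check: rebuild the "dir(client1|client2)" entries in the
        # same form set_auth_allow() writes them. items() is used because
        # iteritems() exists only on Python 2.
        expected_entries = ["%s(%s)" % (path, "|".join(clients))
                            for path, clients in auth_dict.items()]

    # Compare whole comma-separated entries. A substring test on the raw
    # option string would accept "/d1(host)" when only "/x/d1(host)" is
    # configured, reporting an access rule as present when it is not.
    if not all(entry in configured_entries for entry in expected_entries):
        g.log.error("Authentication verification failed. auth.allow: %s",
                    auth_clients)
        return False
    g.log.info("Authentication verified successfully. auth.allow: %s",
               auth_clients)
    return True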


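def verify_auth_reject(volname, server, auth_dict):
    """
    Verify the auth.reject option for a volume or for its sub directories

    Args:
        volname(str): The name of volume in which auth.reject
            has to be verified.
        server(str): IP or hostname of one node
        auth_dict(dict): key-value pair of dirs and clients list
            Example: auth_dict = {'/d1':['10.70.37.172','10.70.37.173'],
                '/d3/subd1':['10.70.37.172','dhcp37-999.xyz.cdf.pqr.abc.com']}
            If authentication is set on entire volume, use 'all' as key to
            verify.
                auth_dict = {'all': ['10.70.37.172','10.70.37.173']}
                auth_dict = {'all': ['*']}
                'all' refers to the entire volume. When 'all' is present,
                every other key in auth_dict is ignored.
    Returns (bool):
        True if every expected entry is present in the auth.reject value
        of the volume, else False
    """
    if not auth_dict:
        g.log.error("Authentication details are not provided")
        return False

    # Get the value of auth.reject option of the volume
    auth_clients_dict = get_volume_options(server, volname, "auth.reject")

    # get_volume_options is defined elsewhere; guard against an empty result
    # or a missing key so that a failed lookup reads as "not verified"
    # instead of raising.
    if not auth_clients_dict or 'auth.reject' not in auth_clients_dict:
        g.log.error("Unable to get auth.reject option of volume %s", volname)
        return False
    auth_clients = auth_clients_dict['auth.reject']
    configured_entries = auth_clients.split(',')

    if 'all' in auth_dict:
        # Volume-wide check: the expected entries are the client names.
        expected_entries = auth_dict['all']
    else:
        # Sub-dir check: rebuild the "dir(client1|client2)" entries in the
        # same form set_auth_reject() writes them. items() is used because
        # iteritems() exists only on Python 2.
        expected_entries = ["%s(%s)" % (path, "|".join(clients))
                            for path, clients in auth_dict.items()]

    # Compare whole comma-separated entries. A substring test on the raw
    # option string would accept "/d1(host)" when only "/x/d1(host)" is
    # configured, reporting a reject rule as present when it is not.
    if not all(entry in configured_entries for entry in expected_entries):
        g.log.error("Authentication verification failed. auth.reject: %s",
                    auth_clients)
        return False
    g.log.info("Authentication verified successfully. auth.reject: %s",
               auth_clients)
    return True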


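def set_auth_reject(volname, server, auth_dict):
    """
    Set the auth.reject option for a volume or for its sub directories

    Args:
        volname(str): The name of volume in which auth.reject
                    has to be set
        server(str): IP or hostname of one node
        auth_dict(dict): key-value pair of dirs and clients list
            Example: auth_dict = {'/d1':['10.70.37.172','10.70.37.173'],
                '/d3/subd1':['10.70.37.172','dh37-999.xyz.cdf.pqr.abc.com']}
            If authentication has to be set on the entire volume, use 'all'
            as key.
                auth_dict = {'all': ['10.70.37.172','10.70.37.173']}
                auth_dict = {'all': ['*']}
                'all' refers to the entire volume. When 'all' is present,
                every other key in auth_dict is ignored.
    Returns (bool):
        True if the set command exits with status 0 and
        verify_auth_reject() confirms the value, else False
    """
    if not auth_dict:
        g.log.error("Authentication details are not provided")
        return False

    if 'all' in auth_dict:
        # Volume-wide setting: a plain comma-separated client list.
        auth_value = ",".join(auth_dict["all"])
    else:
        # Per-directory setting: one "dir(client1|client2)" entry per key.
        # items() is used because iteritems() exists only on Python 2.
        auth_value = ",".join("%s(%s)" % (path, "|".join(clients))
                              for path, clients in auth_dict.items())

    # The command is built once, after all entries are collected (it was
    # previously rebuilt on every loop iteration).
    # NOTE(review): volname and the dir/client strings are interpolated into
    # the command line without escaping. Presumably g.run hands this string
    # to a shell on the server (confirm), so a value containing a double
    # quote, '$' or a backtick would change the command that runs. Pass only
    # trusted, validated values here.
    auth_cmd = ("gluster volume set %s auth.reject \"%s\""
                % (volname, auth_value))

    # Execute auth.reject setting on server.
    ret, _, _ = g.run(server, auth_cmd)
    if ret:
        g.log.error("Failed to set auth.reject on volume %s (ret=%s)",
                    volname, ret)
        return False

    # Read the option back so that a silently ignored value is not reported
    # as success.
    if not verify_auth_reject(volname, server, auth_dict):
        return False
    g.log.info("Auth reject set and verified successfully.")
    return True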