From bceb9586b96cbf3e0f1747affa6f56cfe29ac140 Mon Sep 17 00:00:00 2001

From: Mohammed Rafi KC <rkavunga@redhat.com>

Date: Mon, 2 Apr 2018 12:20:47 +0530

Subject: [PATCH 241/260] server/auth: add option for strict authentication

When this option is enabled, we will check for a matching

username and password, if not found then the connection will

be rejected. This also does a checksum validation of volfile

The option is invalid when SSL/TLS is in use, at which point

the SSL/TLS certificate user name is used to validate and

hence authorize the right user. This expects TLS allow rules

to be setup correctly rather than the default *.

This option is not settable, as a result this cannot be enabled

for volumes using the CLI. This is used with the shared storage

volume, to restrict access to the same in non-SSL/TLS environments

to the gluster peers only.

Tested:

  ./tests/bugs/protocol/bug-1321578.t

  ./tests/features/ssl-authz.t

  - Ran tests on volumes with and without strict auth

    checking (as brick vol file needed to be edited to test,

    or rather to enable the option)

  - Ran tests on volumes to ensure existing mounts are

    disconnected when we enable strict checking

backport of upstream https://review.gluster.org/#/c/19921/

>Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59

>fixes: bz#1570432

>Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>

>Signed-off-by: ShyamsundarR <srangana@redhat.com>

Change-Id: I7fd3194b91ba22d57b851a2a042ff16b9a616a5a

BUG: 1568969

Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>

Reviewed-on: https://code.engineering.redhat.com/gerrit/136709

Tested-by: RHGS Build Bot <nigelb@redhat.com>

Reviewed-by: Atin Mukherjee <amukherj@redhat.com>

---

 xlators/mgmt/glusterd/src/glusterd-volgen.c    | 16 +++++++-

 xlators/protocol/auth/login/src/login.c        | 51 ++++++++++++++++++++++----

 xlators/protocol/server/src/authenticate.h     |  4 +-

 xlators/protocol/server/src/server-handshake.c |  2 +-

 xlators/protocol/server/src/server.c           | 18 +++++++++

 xlators/protocol/server/src/server.h           |  2 +

 6 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c

index 1c43f24..3926bd3 100644

--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c

+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c

@@ -2341,6 +2341,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,

         char            *password = NULL;

         char            key[1024] = {0};

         char            *ssl_user = NULL;

+        char            *volname = NULL;

         char            *address_family_data = NULL;

         if (!graph || !volinfo || !set_dict || !brickinfo)

@@ -2416,6 +2417,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,

         if (ret)

                 return -1;

+        volname = volinfo->is_snap_volume ?

+                  volinfo->parent_volname : volinfo->volname;

+

+

+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {

+                memset (key, 0, sizeof (key));

+                snprintf (key, sizeof (key), "strict-auth-accept");

+

+                ret = xlator_set_option (xl, key, "true");

+                if (ret)

+                        return -1;

+        }

+

         if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {

                 memset (key, 0, sizeof (key));

                 snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",

@@ -5841,7 +5855,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,

         if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&

-             client_type != GF_CLIENT_TRUSTED) {

+            client_type != GF_CLIENT_TRUSTED) {

                 /*

                  * shared storage volume cannot be mounted from non trusted

                  * nodes. So we are not creating volfiles for non-trusted

diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c

index e799dd2..da10d0b 100644

--- a/xlators/protocol/auth/login/src/login.c

+++ b/xlators/protocol/auth/login/src/login.c

@@ -11,6 +11,16 @@

 #include <fnmatch.h>

 #include "authenticate.h"

+/* Note on strict_auth

+ * - Strict auth kicks in when authentication is using the username, password

+ *   in the volfile to login

+ * - If enabled, auth is rejected if the username and password is not matched

+ *   or is not present

+ * - When using SSL names, this is automatically strict, and allows only those

+ *   names that are present in the allow list, IOW strict auth checking has no

+ *   implication when using SSL names

+*/

+

 auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)

 {

         auth_result_t  result  = AUTH_DONT_CARE;

@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)

         char            *tmp            = NULL;

         char            *username_cpy   = NULL;

         gf_boolean_t    using_ssl       = _gf_false;

+        gf_boolean_t    strict_auth     = _gf_false;

         username_data = dict_get (input_params, "ssl-name");

         if (username_data) {

@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)

                 using_ssl = _gf_true;

         }

         else {

+                ret = dict_get_str_boolean (config_params, "strict-auth-accept",

+                                            _gf_false);

+                if (ret == -1)

+                        strict_auth = _gf_false;

+                else

+                        strict_auth = ret;

+

                 username_data = dict_get (input_params, "username");

                 if (!username_data) {

-                        gf_log ("auth/login", GF_LOG_DEBUG,

-                                "username not found, returning DONT-CARE");

+                        if (strict_auth) {

+                                gf_log ("auth/login", GF_LOG_DEBUG,

+                                        "username not found, strict auth"

+                                        " configured returning REJECT");

+                                result = AUTH_REJECT;

+                        } else {

+                                gf_log ("auth/login", GF_LOG_DEBUG,

+                                        "username not found, returning"

+                                        " DONT-CARE");

+                        }

                         goto out;

                 }

                 password_data = dict_get (input_params, "password");

                 if (!password_data) {

-                        gf_log ("auth/login", GF_LOG_WARNING,

-                                "password not found, returning DONT-CARE");

+                        if (strict_auth) {

+                                gf_log ("auth/login", GF_LOG_DEBUG,

+                                        "password not found, strict auth"

+                                        " configured returning REJECT");

+                                result = AUTH_REJECT;

+                        } else {

+                                gf_log ("auth/login", GF_LOG_WARNING,

+                                        "password not found, returning"

+                                        " DONT-CARE");

+                        }

                         goto out;

                 }

                 password = data_to_str (password_data);

@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)

         ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,

                            using_ssl ? "ssl-allow" : "allow");

         if (-1 == ret) {

-                gf_log ("auth/login", GF_LOG_WARNING,

+                gf_log ("auth/login", GF_LOG_ERROR,

                         "asprintf failed while setting search string, "

-                        "returning DONT-CARE");

+                        "returning REJECT");

+                result = AUTH_REJECT;

                 goto out;

         }

@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)

                  * ssl-allow=* case as well) authorization is effectively

                  * disabled, though authentication and encryption are still

                  * active.

+                 *

+                 * Read NOTE on strict_auth above.

                  */

-                if (using_ssl) {

+                if (using_ssl || strict_auth) {

                         result = AUTH_REJECT;

                 }

                 username_cpy = gf_strdup (allow_user->data);

diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h

index 3f80231..5f92183 100644

--- a/xlators/protocol/server/src/authenticate.h

+++ b/xlators/protocol/server/src/authenticate.h

@@ -37,10 +37,8 @@ typedef struct {

         volume_opt_list_t *vol_opt;

 } auth_handle_t;

-auth_result_t gf_authenticate (dict_t *input_params,

-                               dict_t *config_params,

-                               dict_t *auth_modules);

 int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);

 void gf_auth_fini (dict_t *auth_modules);

+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);

 #endif /* _AUTHENTICATE_H */

diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c

index cbc93a3..fc63f2c 100644

--- a/xlators/protocol/server/src/server-handshake.c

+++ b/xlators/protocol/server/src/server-handshake.c

@@ -747,7 +747,7 @@ server_setvolume (rpcsvc_request_t *req)

                         ret = dict_get_str (params, "volfile-key",

                                             &volfile_key);

                         if (ret)

-                                gf_msg_debug (this->name, 0, "failed to set "

+                                gf_msg_debug (this->name, 0, "failed to get "

                                               "'volfile-key'");

                         ret = _validate_volfile_checksum (this, volfile_key,

diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c

index eed4295..6f20a06 100644

--- a/xlators/protocol/server/src/server.c

+++ b/xlators/protocol/server/src/server.c

@@ -943,6 +943,10 @@ do_rpc:

                 goto out;

         }

+        GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,

+                          options, bool, out);

+

+

         GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,

                         bool, out);

@@ -1183,6 +1187,14 @@ init (xlator_t *this)

                         "Failed to initialize group cache.");

                 goto out;

         }

+

+        ret = dict_get_str_boolean (this->options, "strict-auth-accept",

+                                    _gf_false);

+        if (ret == -1)

+                conf->strict_auth_enabled = _gf_false;

+        else

+                conf->strict_auth_enabled = ret;

+

         ret = dict_get_str_boolean (this->options, "dynamic-auth",

                         _gf_true);

         if (ret == -1)

@@ -1840,5 +1852,11 @@ struct volume_options options[] = {

                            "transport connection immediately in response to "

                            "*.allow | *.reject volume set options."

         },

+        { .key   = {"strict-auth-accept"},

+          .type  = GF_OPTION_TYPE_BOOL,

+          .default_value = "off",

+          .description   = "strict-auth-accept reject connection with out"

+                           "a valid username and password."

+        },

         { .key   = {NULL} },

 };

diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h

index af987aa..691c75b 100644

--- a/xlators/protocol/server/src/server.h

+++ b/xlators/protocol/server/src/server.h

@@ -24,6 +24,7 @@

 #include "client_t.h"

 #include "gidcache.h"

 #include "defaults.h"

+#include "authenticate.h"

 #define DEFAULT_BLOCK_SIZE         4194304   /* 4MB */

 #define DEFAULT_VOLUME_FILE_PATH   CONFDIR "/glusterfs.vol"

@@ -109,6 +110,7 @@ struct server_conf {

                                             * tweeked */

         struct _child_status    *child_status;

         gf_lock_t               itable_lock;

+        gf_boolean_t            strict_auth_enabled;

 };

 typedef struct server_conf server_conf_t;

-- 

1.8.3.1