|
 |
7c2869 |
From 16d6904d54e7409f95e9e893e131b6bf11f0e4c7 Mon Sep 17 00:00:00 2001
|
|
|
7c2869 |
From: Mohammed Rafi KC <rkavunga@redhat.com>
|
|
|
7c2869 |
Date: Mon, 2 Apr 2018 12:20:47 +0530
|
|
|
7c2869 |
Subject: [PATCH 653/653] server/auth: add option for strict authentication
|
|
|
7c2869 |
|
|
|
7c2869 |
When this option is enabled, we will check for a matching
|
|
|
7c2869 |
username and password, if not found then the connection will
|
|
|
7c2869 |
be rejected. This also deos a checksum validation of volfile
|
|
|
7c2869 |
|
|
|
7c2869 |
Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
|
|
|
7c2869 |
BUG: 1559331
|
|
|
7c2869 |
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
|
|
|
7c2869 |
Reviewed-on: https://code.engineering.redhat.com/gerrit/134591
|
|
|
7c2869 |
Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
|
|
|
7c2869 |
Reviewed-by: Mohit Agrawal <moagrawa@redhat.com>
|
|
|
7c2869 |
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
|
|
|
7c2869 |
Tested-by: Atin Mukherjee <amukherj@redhat.com>
|
|
|
7c2869 |
---
|
|
|
7c2869 |
xlators/mgmt/glusterd/src/glusterd-volgen.c | 15 ++++
|
|
|
7c2869 |
xlators/protocol/auth/login/src/login.c | 104 +++++++++++++++++--------
|
|
|
7c2869 |
xlators/protocol/server/src/authenticate.c | 32 ++++++--
|
|
|
7c2869 |
xlators/protocol/server/src/authenticate.h | 6 +-
|
|
|
7c2869 |
xlators/protocol/server/src/server-handshake.c | 4 +-
|
|
|
7c2869 |
xlators/protocol/server/src/server.c | 20 ++++-
|
|
|
7c2869 |
xlators/protocol/server/src/server.h | 4 +
|
|
|
7c2869 |
7 files changed, 136 insertions(+), 49 deletions(-)
|
|
|
7c2869 |
|
|
|
7c2869 |
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
|
|
|
7c2869 |
index fb7c91f..02e8393 100644
|
|
|
7c2869 |
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
|
|
|
7c2869 |
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
|
|
|
7c2869 |
@@ -2145,6 +2145,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
|
|
|
7c2869 |
char key[1024] = {0};
|
|
|
7c2869 |
char *ssl_user = NULL;
|
|
|
7c2869 |
char *value = NULL;
|
|
|
7c2869 |
+ char *volname = NULL;
|
|
|
7c2869 |
char *address_family_data = NULL;
|
|
|
7c2869 |
|
|
|
7c2869 |
if (!graph || !volinfo || !set_dict || !brickinfo)
|
|
|
7c2869 |
@@ -2220,6 +2221,20 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
|
|
|
7c2869 |
if (ret)
|
|
|
7c2869 |
return -1;
|
|
|
7c2869 |
|
|
|
7c2869 |
+ volname = volinfo->is_snap_volume ?
|
|
|
7c2869 |
+ volinfo->parent_volname : volinfo->volname;
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ memset (key, 0, sizeof (key));
|
|
|
7c2869 |
+ snprintf (key, sizeof (key), "strict-auth-accept");
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ ret = xlator_set_option (xl, key, "true");
|
|
|
7c2869 |
+ if (ret)
|
|
|
7c2869 |
+ return -1;
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
+
|
|
|
7c2869 |
if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
|
|
|
7c2869 |
memset (key, 0, sizeof (key));
|
|
|
7c2869 |
snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
|
|
|
7c2869 |
diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
|
|
|
7c2869 |
index e799dd2..e918d38 100644
|
|
|
7c2869 |
--- a/xlators/protocol/auth/login/src/login.c
|
|
|
7c2869 |
+++ b/xlators/protocol/auth/login/src/login.c
|
|
|
7c2869 |
@@ -11,45 +11,18 @@
|
|
|
7c2869 |
#include <fnmatch.h>
|
|
|
7c2869 |
#include "authenticate.h"
|
|
|
7c2869 |
|
|
|
7c2869 |
-auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
-{
|
|
|
7c2869 |
+auth_result_t gf_authenticate_user (dict_t *input_params, dict_t *config_params,
|
|
|
7c2869 |
+ char *username, char *password,
|
|
|
7c2869 |
+ gf_boolean_t using_ssl) {
|
|
|
7c2869 |
auth_result_t result = AUTH_DONT_CARE;
|
|
|
7c2869 |
int ret = 0;
|
|
|
7c2869 |
data_t *allow_user = NULL;
|
|
|
7c2869 |
- data_t *username_data = NULL;
|
|
|
7c2869 |
data_t *passwd_data = NULL;
|
|
|
7c2869 |
- data_t *password_data = NULL;
|
|
|
7c2869 |
- char *username = NULL;
|
|
|
7c2869 |
- char *password = NULL;
|
|
|
7c2869 |
char *brick_name = NULL;
|
|
|
7c2869 |
char *searchstr = NULL;
|
|
|
7c2869 |
char *username_str = NULL;
|
|
|
7c2869 |
char *tmp = NULL;
|
|
|
7c2869 |
char *username_cpy = NULL;
|
|
|
7c2869 |
- gf_boolean_t using_ssl = _gf_false;
|
|
|
7c2869 |
-
|
|
|
7c2869 |
- username_data = dict_get (input_params, "ssl-name");
|
|
|
7c2869 |
- if (username_data) {
|
|
|
7c2869 |
- gf_log ("auth/login", GF_LOG_INFO,
|
|
|
7c2869 |
- "connecting user name: %s", username_data->data);
|
|
|
7c2869 |
- using_ssl = _gf_true;
|
|
|
7c2869 |
- }
|
|
|
7c2869 |
- else {
|
|
|
7c2869 |
- username_data = dict_get (input_params, "username");
|
|
|
7c2869 |
- if (!username_data) {
|
|
|
7c2869 |
- gf_log ("auth/login", GF_LOG_DEBUG,
|
|
|
7c2869 |
- "username not found, returning DONT-CARE");
|
|
|
7c2869 |
- goto out;
|
|
|
7c2869 |
- }
|
|
|
7c2869 |
- password_data = dict_get (input_params, "password");
|
|
|
7c2869 |
- if (!password_data) {
|
|
|
7c2869 |
- gf_log ("auth/login", GF_LOG_WARNING,
|
|
|
7c2869 |
- "password not found, returning DONT-CARE");
|
|
|
7c2869 |
- goto out;
|
|
|
7c2869 |
- }
|
|
|
7c2869 |
- password = data_to_str (password_data);
|
|
|
7c2869 |
- }
|
|
|
7c2869 |
- username = data_to_str (username_data);
|
|
|
7c2869 |
|
|
|
7c2869 |
brick_name = data_to_str (dict_get (input_params, "remote-subvolume"));
|
|
|
7c2869 |
if (!brick_name) {
|
|
|
7c2869 |
@@ -64,7 +37,8 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
if (-1 == ret) {
|
|
|
7c2869 |
gf_log ("auth/login", GF_LOG_WARNING,
|
|
|
7c2869 |
"asprintf failed while setting search string, "
|
|
|
7c2869 |
- "returning DONT-CARE");
|
|
|
7c2869 |
+ "returning AUTH_STRICT_ACCEPT");
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
goto out;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
|
|
|
7c2869 |
@@ -84,7 +58,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
* who do provide a valid username and password (in fact that's
|
|
|
7c2869 |
* pretty much the only thing we use non-SSL login auth for),
|
|
|
7c2869 |
* but they are allowed to connect. It's wrong, but it's not
|
|
|
7c2869 |
- * worth changing elsewhere. Therefore, we do the sane thing
|
|
|
7c2869 |
+ * worth changing elsewhere. Therefore, we do the same thing
|
|
|
7c2869 |
* only for SSL here.
|
|
|
7c2869 |
*
|
|
|
7c2869 |
* For SSL, if there's a list *you must be on it*. Note that
|
|
|
7c2869 |
@@ -92,13 +66,20 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
* ssl-allow=* case as well) authorization is effectively
|
|
|
7c2869 |
* disabled, though authentication and encryption are still
|
|
|
7c2869 |
* active.
|
|
|
7c2869 |
+ *
|
|
|
7c2869 |
+ * If option strict-auth-accept is enabled, connection
|
|
|
7c2869 |
+ * will be rejected if you don't have any matching
|
|
|
7c2869 |
+ * username and password (password is only for non-ssl users).
|
|
|
7c2869 |
*/
|
|
|
7c2869 |
if (using_ssl) {
|
|
|
7c2869 |
result = AUTH_REJECT;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
username_cpy = gf_strdup (allow_user->data);
|
|
|
7c2869 |
- if (!username_cpy)
|
|
|
7c2869 |
+ if (!username_cpy) {
|
|
|
7c2869 |
+ if (!using_ssl)
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
goto out;
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
|
|
|
7c2869 |
username_str = strtok_r (username_cpy, " ,", &tmp);
|
|
|
7c2869 |
|
|
|
7c2869 |
@@ -120,6 +101,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
if (-1 == ret) {
|
|
|
7c2869 |
gf_log ("auth/login", GF_LOG_WARNING,
|
|
|
7c2869 |
"asprintf failed while setting search string");
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
goto out;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
passwd_data = dict_get (config_params, searchstr);
|
|
|
7c2869 |
@@ -145,11 +127,65 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
}
|
|
|
7c2869 |
username_str = strtok_r (NULL, " ,", &tmp);
|
|
|
7c2869 |
}
|
|
|
7c2869 |
+ } else {
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
-
|
|
|
7c2869 |
out:
|
|
|
7c2869 |
GF_FREE (username_cpy);
|
|
|
7c2869 |
+ return result;
|
|
|
7c2869 |
+}
|
|
|
7c2869 |
|
|
|
7c2869 |
+auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
|
|
|
7c2869 |
+{
|
|
|
7c2869 |
+ auth_result_t result = AUTH_DONT_CARE;
|
|
|
7c2869 |
+ auth_result_t ssl_result = AUTH_DONT_CARE;
|
|
|
7c2869 |
+ data_t *username_data = NULL;
|
|
|
7c2869 |
+ data_t *password_data = NULL;
|
|
|
7c2869 |
+ char *username = NULL;
|
|
|
7c2869 |
+ char *password = NULL;
|
|
|
7c2869 |
+ gf_boolean_t using_ssl = _gf_false;
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ username_data = dict_get (input_params, "username");
|
|
|
7c2869 |
+ if (!username_data) {
|
|
|
7c2869 |
+ gf_log ("auth/login", GF_LOG_DEBUG,
|
|
|
7c2869 |
+ "username not found, returning AUTH_STRICT_ACCEPT");
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
+ goto out;
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
+ password_data = dict_get (input_params, "password");
|
|
|
7c2869 |
+ if (!password_data) {
|
|
|
7c2869 |
+ gf_log ("auth/login", GF_LOG_WARNING,
|
|
|
7c2869 |
+ "password not found, returning AUTH_STRICT_ACCEPT");
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
+ goto out;
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
+ password = data_to_str (password_data);
|
|
|
7c2869 |
+ username = data_to_str (username_data);
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ result = gf_authenticate_user (input_params, config_params,
|
|
|
7c2869 |
+ username, password, using_ssl);
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ username_data = dict_get (input_params, "ssl-name");
|
|
|
7c2869 |
+ if (username_data) {
|
|
|
7c2869 |
+ gf_log ("auth/login", GF_LOG_INFO,
|
|
|
7c2869 |
+ "connecting user name: %s", username_data->data);
|
|
|
7c2869 |
+ username = data_to_str (username_data);
|
|
|
7c2869 |
+ using_ssl = _gf_true;
|
|
|
7c2869 |
+ ssl_result = gf_authenticate_user (input_params, config_params,
|
|
|
7c2869 |
+ username, NULL, using_ssl);
|
|
|
7c2869 |
+ if (ssl_result == AUTH_ACCEPT && result != AUTH_ACCEPT) {
|
|
|
7c2869 |
+ /*
|
|
|
7c2869 |
+ * Here, ssl authentication returns true, but non-ssl
|
|
|
7c2869 |
+ * authentication returns differnt result. We are
|
|
|
7c2869 |
+ * calling for a strict auth check in this case.
|
|
|
7c2869 |
+ */
|
|
|
7c2869 |
+ result = AUTH_STRICT_ACCEPT;
|
|
|
7c2869 |
+ } else {
|
|
|
7c2869 |
+ result = ssl_result;
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+out:
|
|
|
7c2869 |
return result;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
|
|
|
7c2869 |
diff --git a/xlators/protocol/server/src/authenticate.c b/xlators/protocol/server/src/authenticate.c
|
|
|
7c2869 |
index c000776..977ed75 100644
|
|
|
7c2869 |
--- a/xlators/protocol/server/src/authenticate.c
|
|
|
7c2869 |
+++ b/xlators/protocol/server/src/authenticate.c
|
|
|
7c2869 |
@@ -18,7 +18,9 @@
|
|
|
7c2869 |
#include <dlfcn.h>
|
|
|
7c2869 |
#include <errno.h>
|
|
|
7c2869 |
#include "authenticate.h"
|
|
|
7c2869 |
+#include "authenticate.h"
|
|
|
7c2869 |
#include "server-messages.h"
|
|
|
7c2869 |
+#include "server.h"
|
|
|
7c2869 |
|
|
|
7c2869 |
static int
|
|
|
7c2869 |
init (dict_t *this, char *key, data_t *value, void *data)
|
|
|
7c2869 |
@@ -173,6 +175,7 @@ gf_auth_one_method (dict_t *this, char *key, data_t *value, void *data)
|
|
|
7c2869 |
{
|
|
|
7c2869 |
gf_auth_args_t *args = data;
|
|
|
7c2869 |
auth_handle_t *handle = NULL;
|
|
|
7c2869 |
+ int64_t result;
|
|
|
7c2869 |
|
|
|
7c2869 |
if (!value) {
|
|
|
7c2869 |
return 0;
|
|
|
7c2869 |
@@ -183,10 +186,13 @@ gf_auth_one_method (dict_t *this, char *key, data_t *value, void *data)
|
|
|
7c2869 |
return 0;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
|
|
|
7c2869 |
- switch (handle->authenticate (args->iparams, args->cparams)) {
|
|
|
7c2869 |
+ result = handle->authenticate (args->iparams, args->cparams);
|
|
|
7c2869 |
+ switch (result) {
|
|
|
7c2869 |
case AUTH_ACCEPT:
|
|
|
7c2869 |
- if (args->result != AUTH_REJECT) {
|
|
|
7c2869 |
- args->result = AUTH_ACCEPT;
|
|
|
7c2869 |
+ case AUTH_STRICT_ACCEPT:
|
|
|
7c2869 |
+ if (args->result != AUTH_REJECT &&
|
|
|
7c2869 |
+ args->result != AUTH_STRICT_ACCEPT) {
|
|
|
7c2869 |
+ args->result = result;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
/* FALLTHROUGH */
|
|
|
7c2869 |
default:
|
|
|
7c2869 |
@@ -198,9 +204,8 @@ gf_auth_one_method (dict_t *this, char *key, data_t *value, void *data)
|
|
|
7c2869 |
}
|
|
|
7c2869 |
|
|
|
7c2869 |
auth_result_t
|
|
|
7c2869 |
-gf_authenticate (dict_t *input_params,
|
|
|
7c2869 |
- dict_t *config_params,
|
|
|
7c2869 |
- dict_t *auth_modules)
|
|
|
7c2869 |
+gf_authenticate (server_conf_t *conf, dict_t *input_params,
|
|
|
7c2869 |
+ dict_t *config_params, dict_t *auth_modules)
|
|
|
7c2869 |
{
|
|
|
7c2869 |
char *name = NULL;
|
|
|
7c2869 |
data_t *peerinfo_data = NULL;
|
|
|
7c2869 |
@@ -210,9 +215,19 @@ gf_authenticate (dict_t *input_params,
|
|
|
7c2869 |
args.cparams = config_params;
|
|
|
7c2869 |
args.result = AUTH_DONT_CARE;
|
|
|
7c2869 |
|
|
|
7c2869 |
+ GF_VALIDATE_OR_GOTO ("authentication", conf, out);
|
|
|
7c2869 |
dict_foreach (auth_modules, gf_auth_one_method, &args);
|
|
|
7c2869 |
|
|
|
7c2869 |
- if (AUTH_DONT_CARE == args.result) {
|
|
|
7c2869 |
+ switch (args.result) {
|
|
|
7c2869 |
+ case AUTH_STRICT_ACCEPT:
|
|
|
7c2869 |
+ if (!conf->strict_auth_enabled) {
|
|
|
7c2869 |
+ args.result = AUTH_ACCEPT;
|
|
|
7c2869 |
+ break;
|
|
|
7c2869 |
+ }
|
|
|
7c2869 |
+ gf_msg ("auth", GF_LOG_ERROR, 0, PS_MSG_REMOTE_CLIENT_REFUSED,
|
|
|
7c2869 |
+ "Authentication is failed due to the strict options.");
|
|
|
7c2869 |
+ /* Fallthrough */
|
|
|
7c2869 |
+ case AUTH_DONT_CARE:
|
|
|
7c2869 |
peerinfo_data = dict_get (input_params, "peer-info-name");
|
|
|
7c2869 |
|
|
|
7c2869 |
if (peerinfo_data) {
|
|
|
7c2869 |
@@ -223,8 +238,9 @@ gf_authenticate (dict_t *input_params,
|
|
|
7c2869 |
"no authentication module is interested in "
|
|
|
7c2869 |
"accepting remote-client %s", name);
|
|
|
7c2869 |
args.result = AUTH_REJECT;
|
|
|
7c2869 |
+ /* Fallthrough */
|
|
|
7c2869 |
}
|
|
|
7c2869 |
-
|
|
|
7c2869 |
+out:
|
|
|
7c2869 |
return args.result;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
|
|
|
7c2869 |
diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
|
|
|
7c2869 |
index 3f80231..d5971d3 100644
|
|
|
7c2869 |
--- a/xlators/protocol/server/src/authenticate.h
|
|
|
7c2869 |
+++ b/xlators/protocol/server/src/authenticate.h
|
|
|
7c2869 |
@@ -25,7 +25,8 @@
|
|
|
7c2869 |
typedef enum {
|
|
|
7c2869 |
AUTH_ACCEPT,
|
|
|
7c2869 |
AUTH_REJECT,
|
|
|
7c2869 |
- AUTH_DONT_CARE
|
|
|
7c2869 |
+ AUTH_DONT_CARE,
|
|
|
7c2869 |
+ AUTH_STRICT_ACCEPT
|
|
|
7c2869 |
} auth_result_t;
|
|
|
7c2869 |
|
|
|
7c2869 |
typedef auth_result_t (*auth_fn_t) (dict_t *input_params,
|
|
|
7c2869 |
@@ -37,9 +38,6 @@ typedef struct {
|
|
|
7c2869 |
volume_opt_list_t *vol_opt;
|
|
|
7c2869 |
} auth_handle_t;
|
|
|
7c2869 |
|
|
|
7c2869 |
-auth_result_t gf_authenticate (dict_t *input_params,
|
|
|
7c2869 |
- dict_t *config_params,
|
|
|
7c2869 |
- dict_t *auth_modules);
|
|
|
7c2869 |
int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
|
|
|
7c2869 |
void gf_auth_fini (dict_t *auth_modules);
|
|
|
7c2869 |
|
|
|
7c2869 |
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
|
|
|
7c2869 |
index ba5b11a..b67ed47 100644
|
|
|
7c2869 |
--- a/xlators/protocol/server/src/server-handshake.c
|
|
|
7c2869 |
+++ b/xlators/protocol/server/src/server-handshake.c
|
|
|
7c2869 |
@@ -709,7 +709,7 @@ server_setvolume (rpcsvc_request_t *req)
|
|
|
7c2869 |
ret = dict_get_str (params, "volfile-key",
|
|
|
7c2869 |
&volfile_key);
|
|
|
7c2869 |
if (ret)
|
|
|
7c2869 |
- gf_msg_debug (this->name, 0, "failed to set "
|
|
|
7c2869 |
+ gf_msg_debug (this->name, 0, "failed to get "
|
|
|
7c2869 |
"'volfile-key'");
|
|
|
7c2869 |
|
|
|
7c2869 |
ret = _validate_volfile_checksum (this, volfile_key,
|
|
|
7c2869 |
@@ -765,7 +765,7 @@ server_setvolume (rpcsvc_request_t *req)
|
|
|
7c2869 |
PS_MSG_CLIENT_VERSION_NOT_SET,
|
|
|
7c2869 |
"client-version not set, may be of older version");
|
|
|
7c2869 |
|
|
|
7c2869 |
- ret = gf_authenticate (params, config_params,
|
|
|
7c2869 |
+ ret = gf_authenticate (conf, params, config_params,
|
|
|
7c2869 |
conf->auth_modules);
|
|
|
7c2869 |
|
|
|
7c2869 |
if (ret == AUTH_ACCEPT) {
|
|
|
7c2869 |
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
|
|
|
7c2869 |
index 96aa012..f89e743 100644
|
|
|
7c2869 |
--- a/xlators/protocol/server/src/server.c
|
|
|
7c2869 |
+++ b/xlators/protocol/server/src/server.c
|
|
|
7c2869 |
@@ -866,6 +866,10 @@ do_rpc:
|
|
|
7c2869 |
goto out;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
|
|
|
7c2869 |
+ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
|
|
|
7c2869 |
+ options, bool, out);
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+
|
|
|
7c2869 |
GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
|
|
|
7c2869 |
bool, out);
|
|
|
7c2869 |
|
|
|
7c2869 |
@@ -906,7 +910,7 @@ do_rpc:
|
|
|
7c2869 |
if (strcmp (xprt_path, auth_path) != 0) {
|
|
|
7c2869 |
continue;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
- ret = gf_authenticate (xprt->clnt_options,
|
|
|
7c2869 |
+ ret = gf_authenticate (conf, xprt->clnt_options,
|
|
|
7c2869 |
options,
|
|
|
7c2869 |
conf->auth_modules);
|
|
|
7c2869 |
if (ret == AUTH_ACCEPT) {
|
|
|
7c2869 |
@@ -1098,6 +1102,14 @@ init (xlator_t *this)
|
|
|
7c2869 |
"Failed to initialize group cache.");
|
|
|
7c2869 |
goto out;
|
|
|
7c2869 |
}
|
|
|
7c2869 |
+
|
|
|
7c2869 |
+ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
|
|
|
7c2869 |
+ _gf_false);
|
|
|
7c2869 |
+ if (ret == -1)
|
|
|
7c2869 |
+ conf->strict_auth_enabled = _gf_false;
|
|
|
7c2869 |
+ else
|
|
|
7c2869 |
+ conf->strict_auth_enabled = ret;
|
|
|
7c2869 |
+
|
|
|
7c2869 |
ret = dict_get_str_boolean (this->options, "dynamic-auth",
|
|
|
7c2869 |
_gf_true);
|
|
|
7c2869 |
if (ret == -1)
|
|
|
7c2869 |
@@ -1738,5 +1750,11 @@ struct volume_options options[] = {
|
|
|
7c2869 |
"transport connection immediately in response to "
|
|
|
7c2869 |
"*.allow | *.reject volume set options."
|
|
|
7c2869 |
},
|
|
|
7c2869 |
+ { .key = {"strict-auth-accept"},
|
|
|
7c2869 |
+ .type = GF_OPTION_TYPE_BOOL,
|
|
|
7c2869 |
+ .default_value = "off",
|
|
|
7c2869 |
+ .description = "strict-auth-accept reject connection with out"
|
|
|
7c2869 |
+ "a valid username and password."
|
|
|
7c2869 |
+ },
|
|
|
7c2869 |
{ .key = {NULL} },
|
|
|
7c2869 |
};
|
|
|
7c2869 |
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
|
|
|
7c2869 |
index 1be9a38..4c35aaa 100644
|
|
|
7c2869 |
--- a/xlators/protocol/server/src/server.h
|
|
|
7c2869 |
+++ b/xlators/protocol/server/src/server.h
|
|
|
7c2869 |
@@ -24,6 +24,7 @@
|
|
|
7c2869 |
#include "client_t.h"
|
|
|
7c2869 |
#include "gidcache.h"
|
|
|
7c2869 |
#include "defaults.h"
|
|
|
7c2869 |
+#include "authenticate.h"
|
|
|
7c2869 |
|
|
|
7c2869 |
#define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
|
|
|
7c2869 |
#define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
|
|
|
7c2869 |
@@ -111,6 +112,7 @@ struct server_conf {
|
|
|
7c2869 |
struct _child_status *child_status;
|
|
|
7c2869 |
|
|
|
7c2869 |
gf_lock_t itable_lock;
|
|
|
7c2869 |
+ gf_boolean_t strict_auth_enabled;
|
|
|
7c2869 |
};
|
|
|
7c2869 |
typedef struct server_conf server_conf_t;
|
|
|
7c2869 |
|
|
|
7c2869 |
@@ -243,6 +245,8 @@ serialize_rsp_dirent (gf_dirent_t *entries, gfs3_readdir_rsp *rsp);
|
|
|
7c2869 |
|
|
|
7c2869 |
int
|
|
|
7c2869 |
serialize_rsp_direntp (gf_dirent_t *entries, gfs3_readdirp_rsp *rsp);
|
|
|
7c2869 |
+auth_result_t gf_authenticate (server_conf_t *conf, dict_t *input_params,
|
|
|
7c2869 |
+ dict_t *config_params, dict_t *auth_modules);
|
|
|
7c2869 |
|
|
|
7c2869 |
server_ctx_t*
|
|
|
7c2869 |
server_ctx_get (client_t *client, xlator_t *xlator);
|
|
|
7c2869 |
--
|
|
|
7c2869 |
1.8.3.1
|
|
|
7c2869 |
|