From d9810813335684fc5658d3d8cbd9dba6f91a1162 Mon Sep 17 00:00:00 2001
From: Atin Mukherjee <amukherj@redhat.com>
Date: Mon, 20 Mar 2017 05:15:25 +0530
Subject: [PATCH 364/369] protocol : fix auth-allow regression
One of the brick multiplexing patches (commit 1a95fc3) had some changes
in gf_auth () & server_setvolume () functions which caused auth-allow
feature to be broken. mount doesn't succeed even if it's part of the
auth-allow list. This fix does the following:
1. Reintroduce the peer-info data back in gf_auth () so that fnmatch has
valid input and it can decide on the result.
2. config-params dict should capture key values pairs for all the bricks
in case brick multiplexing is on. In case brick multiplexing isn't
enabled, then config-params should carry attributes from protocol/server
such that all rpc auth related attributes stay in tact in the
dictionary.
>Reviewed-on: https://review.gluster.org/16920
>Tested-by: Jeff Darcy <jeff@pl.atyp.us>
>Smoke: Gluster Build System <jenkins@build.gluster.org>
>NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
>CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
>Reviewed-by: Jeff Darcy <jeff@pl.atyp.us>
>Reviewed-by: MOHIT AGRAWAL <moagrawa@redhat.com>
Change-Id: I007c4c6d78620a896b8858a29459a77de8b52412
BUG: 1437332
Signed-off-by: Atin Mukherjee <amukherj@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/102295
---
tests/bugs/protocol/bug-1433815-auth-allow.t | 39 ++++++++++++++++
xlators/protocol/auth/addr/src/addr.c | 61 +++++++++++++++++++++++++-
xlators/protocol/server/src/server-handshake.c | 6 ++-
3 files changed, 103 insertions(+), 3 deletions(-)
create mode 100644 tests/bugs/protocol/bug-1433815-auth-allow.t
diff --git a/tests/bugs/protocol/bug-1433815-auth-allow.t b/tests/bugs/protocol/bug-1433815-auth-allow.t
new file mode 100644
index 0000000..fa22ad8
--- /dev/null
+++ b/tests/bugs/protocol/bug-1433815-auth-allow.t
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+
+check_mounted () {
+ df | grep $1 | wc -l
+}
+
+get_addresses () {
+ ip addr | sed -n '/.*inet \([0-9.]*\).*/s//\1/p' | tr '\n' ','
+}
+
+TEST glusterd
+TEST $CLI volume create $V0 $H0:$B0/$V0
+
+# Set auth.allow so it *doesn't* include ourselves.
+TEST $CLI volume set $V0 auth.allow 1.2.3.4
+TEST $CLI volume start $V0
+
+# "System getspec" will include the username and password if the request comes
+# from a server (which we are). Unfortunately, this will cause authentication
+# to succeed in auth.login regardless of whether auth.addr is working properly
+# or not, which is useless to us. To get a proper test, strip out those lines.
+$CLI system getspec $V0 | sed -e /username/d -e /password/d > fubar.vol
+
+# This mount should fail because auth.allow doesn't include us.
+TEST $GFS -f fubar.vol $M0
+# If we had DONT_EXPECT_WITHIN we could use that, but we don't.
+sleep 10
+EXPECT 0 check_mounted $M0
+
+# Set auth.allow to include us. This mount should therefore succeed.
+TEST $CLI volume set $V0 auth.allow "$(get_addresses)"
+TEST $GFS -f fubar.vol $M0
+sleep 10
+EXPECT 1 check_mounted $M0
+
+cleanup
diff --git a/xlators/protocol/auth/addr/src/addr.c b/xlators/protocol/auth/addr/src/addr.c
index 1b45571..7ccbb57 100644
--- a/xlators/protocol/auth/addr/src/addr.c
+++ b/xlators/protocol/auth/addr/src/addr.c
@@ -30,14 +30,20 @@ gf_auth (dict_t *input_params, dict_t *config_params)
int ret = 0;
char *name = NULL;
char *searchstr = NULL;
+ peer_info_t *peer_info = NULL;
+ data_t *peer_info_data = NULL;
data_t *allow_addr = NULL;
data_t *reject_addr = NULL;
char *addr_str = NULL;
char *tmp = NULL;
char *addr_cpy = NULL;
+ char *service = NULL;
+ uint16_t peer_port = 0;
char negate = 0;
char match = 0;
- char peer_addr[UNIX_PATH_MAX];
+ char peer_addr[UNIX_PATH_MAX] = {0,};
+ char *type = NULL;
+ gf_boolean_t allow_insecure = _gf_false;
name = data_to_str (dict_get (input_params, "remote-subvolume"));
if (!name) {
@@ -85,6 +91,57 @@ gf_auth (dict_t *input_params, dict_t *config_params)
goto out;
}
+ peer_info_data = dict_get (input_params, "peer-info");
+ if (!peer_info_data) {
+ gf_log ("auth/addr", GF_LOG_ERROR,
+ "peer-info not present");
+ goto out;
+ }
+
+ peer_info = data_to_ptr (peer_info_data);
+
+ switch (((struct sockaddr *) &peer_info->sockaddr)->sa_family) {
+ case AF_INET_SDP:
+ case AF_INET:
+ case AF_INET6:
+ strcpy (peer_addr, peer_info->identifier);
+ service = strrchr (peer_addr, ':');
+ *service = '\0';
+ service++;
+
+ ret = dict_get_str (config_params, "rpc-auth-allow-insecure",
+ &type);
+ if (ret == 0) {
+ ret = gf_string2boolean (type, &allow_insecure);
+ if (ret < 0) {
+ gf_log ("auth/addr", GF_LOG_WARNING,
+ "rpc-auth-allow-insecure option %s "
+ "is not a valid bool option", type);
+ goto out;
+ }
+ }
+
+ peer_port = atoi (service);
+ if (peer_port >= PRIVILEGED_PORT_CEILING && !allow_insecure) {
+ gf_log ("auth/addr", GF_LOG_ERROR,
+ "client is bound to port %d which is not privileged",
+ peer_port);
+ result = AUTH_REJECT;
+ goto out;
+ }
+ break;
+
+ case AF_UNIX:
+ strcpy (peer_addr, peer_info->identifier);
+ break;
+
+ default:
+ gf_log ("authenticate/addr", GF_LOG_ERROR,
+ "unknown address family %d",
+ ((struct sockaddr *) &peer_info->sockaddr)->sa_family);
+ goto out;
+ }
+
if (reject_addr) {
addr_cpy = gf_strdup (reject_addr->data);
if (!addr_cpy)
@@ -120,7 +177,7 @@ gf_auth (dict_t *input_params, dict_t *config_params)
addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp);
while (addr_str) {
- gf_log (name, GF_LOG_DEBUG,
+ gf_log (name, GF_LOG_INFO,
"allowed = \"%s\", received addr = \"%s\"",
addr_str, peer_addr);
if (addr_str[0] == '!') {
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
index 249dde7..64267f2 100644
--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
@@ -425,6 +425,10 @@ server_setvolume (rpcsvc_request_t *req)
}
this = req->svc->xl;
+ /* this is to ensure config_params is populated with the first brick
+ * details at first place if brick multiplexing is enabled
+ */
+ config_params = dict_copy_with_ref (this->options, NULL);
buf = memdup (args.dict.dict_val, args.dict.dict_len);
if (buf == NULL) {
@@ -484,7 +488,7 @@ server_setvolume (rpcsvc_request_t *req)
goto fail;
}
- config_params = dict_copy_with_ref (xl->options, NULL);
+ config_params = dict_copy_with_ref (xl->options, config_params);
conf = this->private;
if (conf->parent_up == _gf_false) {
--
1.8.3.1