Blob Blame History Raw
From bceb9586b96cbf3e0f1747affa6f56cfe29ac140 Mon Sep 17 00:00:00 2001
From: Mohammed Rafi KC <rkavunga@redhat.com>
Date: Mon, 2 Apr 2018 12:20:47 +0530
Subject: [PATCH 241/260] server/auth: add option for strict authentication

When this option is enabled, we will check for a matching
username and password, if not found then the connection will
be rejected. This also does a checksum validation of volfile

The option is invalid when SSL/TLS is in use, at which point
the SSL/TLS certificate user name is used to validate and
hence authorize the right user. This expects TLS allow rules
to be setup correctly rather than the default *.

This option is not settable, as a result this cannot be enabled
for volumes using the CLI. This is used with the shared storage
volume, to restrict access to the same in non-SSL/TLS environments
to the gluster peers only.

Tested:
  ./tests/bugs/protocol/bug-1321578.t
  ./tests/features/ssl-authz.t
  - Ran tests on volumes with and without strict auth
    checking (as brick vol file needed to be edited to test,
    or rather to enable the option)
  - Ran tests on volumes to ensure existing mounts are
    disconnected when we enable strict checking

backport of upstream https://review.gluster.org/#/c/19921/

>Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
>fixes: bz#1570432
>Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
>Signed-off-by: ShyamsundarR <srangana@redhat.com>

Change-Id: I7fd3194b91ba22d57b851a2a042ff16b9a616a5a
BUG: 1568969
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/136709
Tested-by: RHGS Build Bot <nigelb@redhat.com>
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
---
 xlators/mgmt/glusterd/src/glusterd-volgen.c    | 16 +++++++-
 xlators/protocol/auth/login/src/login.c        | 51 ++++++++++++++++++++++----
 xlators/protocol/server/src/authenticate.h     |  4 +-
 xlators/protocol/server/src/server-handshake.c |  2 +-
 xlators/protocol/server/src/server.c           | 18 +++++++++
 xlators/protocol/server/src/server.h           |  2 +
 6 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 1c43f24..3926bd3 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -2341,6 +2341,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
         char            *password = NULL;
         char            key[1024] = {0};
         char            *ssl_user = NULL;
+        char            *volname = NULL;
         char            *address_family_data = NULL;
 
         if (!graph || !volinfo || !set_dict || !brickinfo)
@@ -2416,6 +2417,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
         if (ret)
                 return -1;
 
+        volname = volinfo->is_snap_volume ?
+                  volinfo->parent_volname : volinfo->volname;
+
+
+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
+                memset (key, 0, sizeof (key));
+                snprintf (key, sizeof (key), "strict-auth-accept");
+
+                ret = xlator_set_option (xl, key, "true");
+                if (ret)
+                        return -1;
+        }
+
         if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
                 memset (key, 0, sizeof (key));
                 snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
@@ -5841,7 +5855,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
 
 
         if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
-             client_type != GF_CLIENT_TRUSTED) {
+            client_type != GF_CLIENT_TRUSTED) {
                 /*
                  * shared storage volume cannot be mounted from non trusted
                  * nodes. So we are not creating volfiles for non-trusted
diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
index e799dd2..da10d0b 100644
--- a/xlators/protocol/auth/login/src/login.c
+++ b/xlators/protocol/auth/login/src/login.c
@@ -11,6 +11,16 @@
 #include <fnmatch.h>
 #include "authenticate.h"
 
+/* Note on strict_auth
+ * - Strict auth kicks in when authentication is using the username, password
+ *   in the volfile to login
+ * - If enabled, auth is rejected if the username and password is not matched
+ *   or is not present
+ * - When using SSL names, this is automatically strict, and allows only those
+ *   names that are present in the allow list, IOW strict auth checking has no
+ *   implication when using SSL names
+*/
+
 auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
 {
         auth_result_t  result  = AUTH_DONT_CARE;
@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
         char            *tmp            = NULL;
         char            *username_cpy   = NULL;
         gf_boolean_t    using_ssl       = _gf_false;
+        gf_boolean_t    strict_auth     = _gf_false;
 
         username_data = dict_get (input_params, "ssl-name");
         if (username_data) {
@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
                 using_ssl = _gf_true;
         }
         else {
+                ret = dict_get_str_boolean (config_params, "strict-auth-accept",
+                                            _gf_false);
+                if (ret == -1)
+                        strict_auth = _gf_false;
+                else
+                        strict_auth = ret;
+
                 username_data = dict_get (input_params, "username");
                 if (!username_data) {
-                        gf_log ("auth/login", GF_LOG_DEBUG,
-                                "username not found, returning DONT-CARE");
+                        if (strict_auth) {
+                                gf_log ("auth/login", GF_LOG_DEBUG,
+                                        "username not found, strict auth"
+                                        " configured returning REJECT");
+                                result = AUTH_REJECT;
+                        } else {
+                                gf_log ("auth/login", GF_LOG_DEBUG,
+                                        "username not found, returning"
+                                        " DONT-CARE");
+                        }
                         goto out;
                 }
                 password_data = dict_get (input_params, "password");
                 if (!password_data) {
-                        gf_log ("auth/login", GF_LOG_WARNING,
-                                "password not found, returning DONT-CARE");
+                        if (strict_auth) {
+                                gf_log ("auth/login", GF_LOG_DEBUG,
+                                        "password not found, strict auth"
+                                        " configured returning REJECT");
+                                result = AUTH_REJECT;
+                        } else {
+                                gf_log ("auth/login", GF_LOG_WARNING,
+                                        "password not found, returning"
+                                        " DONT-CARE");
+                        }
                         goto out;
                 }
                 password = data_to_str (password_data);
@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
         ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
                            using_ssl ? "ssl-allow" : "allow");
         if (-1 == ret) {
-                gf_log ("auth/login", GF_LOG_WARNING,
+                gf_log ("auth/login", GF_LOG_ERROR,
                         "asprintf failed while setting search string, "
-                        "returning DONT-CARE");
+                        "returning REJECT");
+                result = AUTH_REJECT;
                 goto out;
         }
 
@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
                  * ssl-allow=* case as well) authorization is effectively
                  * disabled, though authentication and encryption are still
                  * active.
+                 *
+                 * Read NOTE on strict_auth above.
                  */
-                if (using_ssl) {
+                if (using_ssl || strict_auth) {
                         result = AUTH_REJECT;
                 }
                 username_cpy = gf_strdup (allow_user->data);
diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
index 3f80231..5f92183 100644
--- a/xlators/protocol/server/src/authenticate.h
+++ b/xlators/protocol/server/src/authenticate.h
@@ -37,10 +37,8 @@ typedef struct {
         volume_opt_list_t *vol_opt;
 } auth_handle_t;
 
-auth_result_t gf_authenticate (dict_t *input_params,
-                               dict_t *config_params,
-                               dict_t *auth_modules);
 int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
 void gf_auth_fini (dict_t *auth_modules);
+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
 
 #endif /* _AUTHENTICATE_H */
diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
index cbc93a3..fc63f2c 100644
--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
@@ -747,7 +747,7 @@ server_setvolume (rpcsvc_request_t *req)
                         ret = dict_get_str (params, "volfile-key",
                                             &volfile_key);
                         if (ret)
-                                gf_msg_debug (this->name, 0, "failed to set "
+                                gf_msg_debug (this->name, 0, "failed to get "
                                               "'volfile-key'");
 
                         ret = _validate_volfile_checksum (this, volfile_key,
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index eed4295..6f20a06 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -943,6 +943,10 @@ do_rpc:
                 goto out;
         }
 
+        GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
+                          options, bool, out);
+
+
         GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
                         bool, out);
 
@@ -1183,6 +1187,14 @@ init (xlator_t *this)
                         "Failed to initialize group cache.");
                 goto out;
         }
+
+        ret = dict_get_str_boolean (this->options, "strict-auth-accept",
+                                    _gf_false);
+        if (ret == -1)
+                conf->strict_auth_enabled = _gf_false;
+        else
+                conf->strict_auth_enabled = ret;
+
         ret = dict_get_str_boolean (this->options, "dynamic-auth",
                         _gf_true);
         if (ret == -1)
@@ -1840,5 +1852,11 @@ struct volume_options options[] = {
                            "transport connection immediately in response to "
                            "*.allow | *.reject volume set options."
         },
+        { .key   = {"strict-auth-accept"},
+          .type  = GF_OPTION_TYPE_BOOL,
+          .default_value = "off",
+          .description   = "strict-auth-accept reject connection with out"
+                           "a valid username and password."
+        },
         { .key   = {NULL} },
 };
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
index af987aa..691c75b 100644
--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
@@ -24,6 +24,7 @@
 #include "client_t.h"
 #include "gidcache.h"
 #include "defaults.h"
+#include "authenticate.h"
 
 #define DEFAULT_BLOCK_SIZE         4194304   /* 4MB */
 #define DEFAULT_VOLUME_FILE_PATH   CONFDIR "/glusterfs.vol"
@@ -109,6 +110,7 @@ struct server_conf {
                                             * tweeked */
         struct _child_status    *child_status;
         gf_lock_t               itable_lock;
+        gf_boolean_t            strict_auth_enabled;
 };
 typedef struct server_conf server_conf_t;
 
-- 
1.8.3.1