Diffstat (limited to 'rpc/rpc-lib/src/rpcsvc-auth.c')
| -rw-r--r-- | rpc/rpc-lib/src/rpcsvc-auth.c | 217 |
1 files changed, 141 insertions, 76 deletions
diff --git a/rpc/rpc-lib/src/rpcsvc-auth.c b/rpc/rpc-lib/src/rpcsvc-auth.c index 5cfa255ba..4cb86a758 100644 --- a/rpc/rpc-lib/src/rpcsvc-auth.c +++ b/rpc/rpc-lib/src/rpcsvc-auth.c @@ -1,20 +1,11 @@ /* - Copyright (c) 2010 Gluster, Inc. <http://www.gluster.com> + Copyright (c) 2008-2012 Red Hat, Inc. <http://www.redhat.com> This file is part of GlusterFS. - GlusterFS is free software; you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published - by the Free Software Foundation; either version 3 of the License, - or (at your option) any later version. - - GlusterFS is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see - <http://www.gnu.org/licenses/>. + This file is licensed to you under your choice of the GNU Lesser + General Public License, version 3 or any later version (LGPLv3 or + later), or the GNU General Public License, version 2 (GPLv2), in all + cases as published by the Free Software Foundation. */ #include "rpcsvc.h" @@ -29,6 +20,8 @@ rpcsvc_auth_unix_init (rpcsvc_t *svc, dict_t *options); extern rpcsvc_auth_t * rpcsvc_auth_glusterfs_init (rpcsvc_t *svc, dict_t *options); +extern rpcsvc_auth_t * +rpcsvc_auth_glusterfs_v2_init (rpcsvc_t *svc, dict_t *options); int rpcsvc_auth_add_initer (struct list_head *list, char *idfier, @@ -41,7 +34,6 @@ rpcsvc_auth_add_initer (struct list_head *list, char *idfier, new = GF_CALLOC (1, sizeof (*new), gf_common_mt_rpcsvc_auth_list); if (!new) { - gf_log (GF_RPCSVC, GF_LOG_ERROR, "Memory allocation failed"); return -1; } 
@@ -67,6 +59,16 @@ rpcsvc_auth_add_initers (rpcsvc_t *svc)
 goto err;
 }
+
+ ret = rpcsvc_auth_add_initer (&svc->authschemes, "auth-glusterfs-v2",
+ (rpcsvc_auth_initer_t)
+ rpcsvc_auth_glusterfs_v2_init);
+ if (ret == -1) {
+ gf_log (GF_RPCSVC, GF_LOG_ERROR,
+ "Failed to add AUTH_GLUSTERFS-v2");
+ goto err;
+ }
+
 ret = rpcsvc_auth_add_initer (&svc->authschemes, "auth-unix",
 (rpcsvc_auth_initer_t)
 rpcsvc_auth_unix_init);
@@ -176,6 +178,75 @@ err:
 }
 int
+rpcsvc_set_addr_namelookup (rpcsvc_t *svc, dict_t *options)
+{
+ int ret;
+ static char *addrlookup_key = "rpc-auth.addr.namelookup";
+
+ if (!svc || !options)
+ return (-1);
+
+ /* By default it's disabled */
+ ret = dict_get_str_boolean (options, addrlookup_key, _gf_false);
+ if (ret < 0) {
+ svc->addr_namelookup = _gf_false;
+ } else {
+ svc->addr_namelookup = ret;
+ }
+
+ if (svc->addr_namelookup)
+ gf_log (GF_RPCSVC, GF_LOG_DEBUG, "Addr-Name lookup enabled");
+
+ return (0);
+}
+
+int
+rpcsvc_set_allow_insecure (rpcsvc_t *svc, dict_t *options)
+{
+ int ret = -1;
+ char *allow_insecure_str = NULL;
+ gf_boolean_t is_allow_insecure = _gf_false;
+
+ GF_ASSERT (svc);
+ GF_ASSERT (options);
+
+ ret = dict_get_str (options, "rpc-auth-allow-insecure",
+ &allow_insecure_str);
+ if (0 == ret) {
+ ret = gf_string2boolean (allow_insecure_str,
+ &is_allow_insecure);
+ if (0 == ret) {
+ if (_gf_true == is_allow_insecure)
+ svc->allow_insecure = 1;
+ else
+ svc->allow_insecure = 0;
+ }
+ }
+
+ return 0;
+}
+
+int
+rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options)
+{
+ int ret = -1;
+
+ GF_ASSERT (svc);
+ GF_ASSERT (options);
+
+ ret = dict_get_str_boolean (options, "root-squash", 0);
+ if (ret != -1)
+ svc->root_squash = ret;
+ else
+ svc->root_squash = _gf_false;
+
+ if (svc->root_squash)
+ gf_log (GF_RPCSVC, GF_LOG_DEBUG, "root squashing enabled ");
+
+ return 0;
+}
+
+int
 rpcsvc_auth_init (rpcsvc_t *svc, dict_t *options)
 {
 int ret = -1;
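Review bot: `rpcsvc_set_allow_insecure` leaves `svc->allow_insecure` untouched when the key is absent or when `gf_string2boolean` rejects its value, whereas the two sibling setters added in this hunk fall back to `_gf_false` in the same situations; on the reconfigure path that asymmetry means removing or mistyping `rpc-auth-allow-insecure` can never switch the insecure mode off once it has been enabled, and nothing is logged about the ignored value. If that is not deliberate, the function could mirror `rpcsvc_set_root_squash`: `ret = dict_get_str_boolean (options, "rpc-auth-allow-insecure", _gf_false);` followed by `svc->allow_insecure = (ret > 0) ? 1 : 0;`, with a warning log when `ret == -1`. If it is deliberate, a comment such as `/* Absent or unparsable value keeps the current setting; deliberately never fatal */` would spare the next reader the comparison, and would also explain why the function (like its siblings) always returns 0 even though the reconfigure caller checks its return. `rpcsvc_auth_init` begins in this hunk but its body continues past it.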
@@ -183,6 +254,9 @@ rpcsvc_auth_init (rpcsvc_t *svc, dict_t *options)
 if ((!svc) || (!options))
 return -1;
+ (void) rpcsvc_set_allow_insecure (svc, options);
+ (void) rpcsvc_set_root_squash (svc, options);
+ (void) rpcsvc_set_addr_namelookup (svc, options);
 ret = rpcsvc_auth_add_initers (svc);
 if (ret == -1) {
 gf_log (GF_RPCSVC, GF_LOG_ERROR, "Failed to add initers");
@@ -199,6 +273,25 @@ out:
 return ret;
 }
+int
+rpcsvc_auth_reconf (rpcsvc_t *svc, dict_t *options)
+{
+ int ret = 0;
+
+ if ((!svc) || (!options))
+ return (-1);
+
+ ret = rpcsvc_set_allow_insecure (svc, options);
+ if (ret)
+ return (-1);
+
+ ret = rpcsvc_set_root_squash (svc, options);
+ if (ret)
+ return (-1);
+
+ return rpcsvc_set_addr_namelookup (svc, options);
+}
+
 rpcsvc_auth_t *
 __rpcsvc_auth_get_handler (rpcsvc_request_t *req)
@@ -277,6 +370,9 @@ rpcsvc_auth_request_init (rpcsvc_request_t *req)
 if (!auth->authops->request_init)
 ret = auth->authops->request_init (req, auth->authprivate);
+ req->auxgids = req->auxgidsmall; /* reset to auxgidlarge during
+ unsersialize if necessary */
+ req->auxgidlarge = NULL;
 err:
 return ret;
 }
@@ -292,17 +388,17 @@ rpcsvc_authenticate (rpcsvc_request_t *req)
 if (!req)
 return ret;
- //minauth = rpcsvc_request_prog_minauth (req);
- minauth = 1;
+ /* FIXME use rpcsvc_request_prog_minauth() */
+ minauth = 0;
 if (minauth > rpcsvc_request_cred_flavour (req)) {
- gf_log (GF_RPCSVC, GF_LOG_DEBUG, "Auth too weak");
+ gf_log (GF_RPCSVC, GF_LOG_WARNING, "Auth too weak");
 rpcsvc_request_set_autherr (req, AUTH_TOOWEAK);
 goto err;
 }
 auth = rpcsvc_auth_get_handler (req);
 if (!auth) {
- gf_log (GF_RPCSVC, GF_LOG_DEBUG, "No auth handler found");
+ gf_log (GF_RPCSVC, GF_LOG_WARNING, "No auth handler found");
 goto err;
 }
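Review bot: The reset of `req->auxgids` and `req->auxgidlarge` in the `rpcsvc_auth_request_init` hunk runs after the handler's `request_init` callback, so a handler whose `request_init` has already pointed `auxgids` at a freshly allocated `auxgidlarge` would have that pointer overwritten with NULL and leaked; whether any handler does this is not visible here, so either move the two assignments above the `request_init` call or state the expected ordering in a comment. The comment on that line also has a typo and reads more naturally as `/* points at auxgidlarge after unserialize if the small array is too short */`. `rpcsvc_auth_request_init` begins before the hunk.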
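Review bot: In the `rpcsvc_authenticate` hunk, changing `minauth = 1` to `minauth = 0` makes the `AUTH_TOOWEAK` branch unreachable (assuming flavours follow the RPC numbering where `AUTH_NULL` is 0, no flavour can be below 0), so a request carrying `AUTH_NULL` now passes this gate for every program and authentication rests entirely on the handler lookup and the per-volume `rpc-auth.*` options; the FIXME records that `rpcsvc_request_prog_minauth()` is still not consulted but not that the effective minimum has been lowered. If accepting `AUTH_NULL` here is intended, the comment should say so explicitly, e.g. `/* FIXME: minauth is 0, so AUTH_NULL is accepted at this gate; the per-program minimum from rpcsvc_request_prog_minauth() is not enforced yet */`; if it is not, the one-line fix is `minauth = rpcsvc_request_prog_minauth (req);`. The promotion of the two log lines to `GF_LOG_WARNING` is consistent with treating both rejections as operator-visible events. `rpcsvc_authenticate` starts before the hunk and continues past it.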
@@ -313,18 +409,13 @@ err:
 return ret;
 }
-
 int
 rpcsvc_auth_array (rpcsvc_t *svc, char *volname, int *autharr, int arrlen)
 {
- int count = 0;
- int gen = RPCSVC_AUTH_REJECT;
- int spec = RPCSVC_AUTH_REJECT;
- int final = RPCSVC_AUTH_REJECT;
- char *srchstr = NULL;
- char *valstr = NULL;
- gf_boolean_t boolval = _gf_false;
- int ret = 0;
+ int count = 0;
+ int result = RPCSVC_AUTH_REJECT;
+ char *srchstr = NULL;
+ int ret = 0;
 struct rpcsvc_auth_list *auth = NULL;
 struct rpcsvc_auth_list *tmp = NULL;
@@ -342,59 +433,27 @@ rpcsvc_auth_array (rpcsvc_t *svc, char *volname, int *autharr, int arrlen)
 if (count >= arrlen)
 break;
- gen = gf_asprintf (&srchstr, "rpc-auth.%s", auth->name);
- if (gen == -1) {
+ result = gf_asprintf (&srchstr, "rpc-auth.%s.%s",
+ auth->name, volname);
+ if (result == -1) {
 count = -1;
 goto err;
 }
- gen = RPCSVC_AUTH_REJECT;
- if (dict_get (svc->options, srchstr)) {
- ret = dict_get_str (svc->options, srchstr, &valstr);
- if (ret == 0) {
- ret = gf_string2boolean (valstr, &boolval);
- if (ret == 0) {
- if (boolval == _gf_true)
- gen = RPCSVC_AUTH_ACCEPT;
- } else
- gf_log (GF_RPCSVC, GF_LOG_ERROR, "Faile"
- "d to read auth val");
- } else
- gf_log (GF_RPCSVC, GF_LOG_ERROR, "Faile"
- "d to read auth val");
- }
-
+ ret = dict_get_str_boolean (svc->options, srchstr, 0xC00FFEE);
 GF_FREE (srchstr);
- spec = gf_asprintf (&srchstr, "rpc-auth.%s.%s", auth->name,
- volname);
- if (spec == -1) {
- count = -1;
- goto err;
- }
- spec = RPCSVC_AUTH_DONTCARE;
- if (dict_get (svc->options, srchstr)) {
- ret = dict_get_str (svc->options, srchstr, &valstr);
- if (ret == 0) {
- ret = gf_string2boolean (valstr, &boolval);
- if (ret == 0) {
- if (boolval == _gf_true)
- spec = RPCSVC_AUTH_ACCEPT;
- else
- spec = RPCSVC_AUTH_REJECT;
- } else
- gf_log (GF_RPCSVC, GF_LOG_ERROR, "Faile"
- "d to read auth val");
- } else
- gf_log (GF_RPCSVC, GF_LOG_ERROR, "Faile"
- "d to read auth val");
- }
-
- GF_FREE (srchstr);
- final = rpcsvc_combine_gen_spec_volume_checks (gen, spec);
- if (final == RPCSVC_AUTH_ACCEPT) {
+ switch (ret) {
+ case _gf_true:
+ result = RPCSVC_AUTH_ACCEPT;
 autharr[count] = auth->auth->authnum;
 ++count;
+ break;
+ case _gf_false:
+ result = RPCSVC_AUTH_REJECT;
+ break;
+ default:
+ result = RPCSVC_AUTH_DONTCARE;
 }
 }
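Review bot: `result` is assigned in every arm of the new `switch` but never read afterwards, and the `0xC00FFEE` handed to `dict_get_str_boolean` as the "key not present" default is a bare magic number; a named constant such as `#define RPCSVC_AUTH_UNSET 0xC00FFEE` used both in the call and as an explicit `case` would make the `default:` arm self-explanatory and let the dead `result` stores be dropped. Note the semantic change this hunk introduces as well: the global `rpc-auth.<scheme>` key and `rpcsvc_combine_gen_spec_volume_checks` are gone, so a scheme with no per-volume `rpc-auth.<scheme>.<volname>` entry now reaches `default:` and is excluded from `autharr` exactly like an explicit `_gf_false`; if an unset key was meant to keep some other outcome, the `default:` arm has to handle it, and either way a comment on the `switch` stating what an absent key means, e.g. `/* absent key: scheme is neither offered nor denied for this volume */`, would remove the ambiguity. `rpcsvc_auth_array` begins before the hunk and its `err:` label follows it.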
@@ -402,16 +461,22 @@ err:
 return count;
 }
-
 gid_t *
 rpcsvc_auth_unix_auxgids (rpcsvc_request_t *req, int *arrlen)
 {
 if ((!req) || (!arrlen))
 return NULL;
- if ((req->cred.flavour != AUTH_UNIX) ||
- (req->cred.flavour != AUTH_GLUSTERFS))
+ /* In case of AUTH_NULL auxgids are not used */
+ switch (req->cred.flavour) {
+ case AUTH_UNIX:
+ case AUTH_GLUSTERFS:
+ case AUTH_GLUSTERFS_v2:
+ break;
+ default:
+ gf_log ("rpc", GF_LOG_DEBUG, "auth type not unix or glusterfs");
 return NULL;
+ }
 *arrlen = req->auxgidcount;
 if (*arrlen == 0)
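Review bot: The new debug log in the `default:` arm uses the literal domain `"rpc"` while every other `gf_log` call in this file uses `GF_RPCSVC`, so the message will not be filtered together with the rest of the subsystem; it should read `gf_log (GF_RPCSVC, GF_LOG_DEBUG, "auth type not unix or glusterfs");`. The switch is otherwise a real fix, since the removed `!= AUTH_UNIX || != AUTH_GLUSTERFS` test was true for every flavour. `rpcsvc_auth_unix_auxgids` continues past the hunk.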
