glusterfs.git/tests/features/ssl-authz.t, branch v4.1.2 tests: Fix typo in ssl-authz.t 2015-05-27T15:41:29+00:00 Deepak C Shetty deepakcs@redhat.com 2015-05-26T09:03:19+00:00 b7fde604e7fd42e6fc803bf7adfe66b5f441b8bb Fixes a typo that was incorrectly causing the ssl cipher list not to be set properly on the test volume. Change-Id: I7969988551aa0c76261e41ab2f6247b684dacd49 Signed-off-by: Deepak C Shetty <deepakcs@redhat.com> Reviewed-on: http://review.gluster.org/10914 Tested-by: NetBSD Build System Reviewed-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Fixes a typo that was incorrectly causing the ssl cipher
list not to be set properly on the test volume.

Change-Id: I7969988551aa0c76261e41ab2f6247b684dacd49
Signed-off-by: Deepak C Shetty <deepakcs@redhat.com>
Reviewed-on: http://review.gluster.org/10914
Tested-by: NetBSD Build System
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
tests/features/ssl-authz.t: Fix spurious failures 2015-01-27T14:16:48+00:00 Emmanuel Dreyfus manu@netbsd.org 2015-01-23T10:24:07+00:00 e131fccf926bc2f19fb8c9f2980f60d5fec67994 Fix two spurious failures in tests/features/ssl-authz.t 1) Wait for bricks to come online after starting a volume, so that the mount is usable without "socket not connected" error 2) For a mount that must fail, we may get the situation where there is no mount at all, which means creating a file will write to the mount point instead of failing. To cover that case, write the file and check it is absent from the brick. BUG: 1129939 Change-Id: If95e1d65ab23d11123f778c20f8110a3177b0e7f Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org> Reviewed-on: http://review.gluster.org/9483 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Jeff Darcy <jdarcy@redhat.com> 
Fix two spurious failures in tests/features/ssl-authz.t
1) Wait for bricks to come online after starting a volume, so that
   the mount is usable without "socket not connected" error
2) For a mount that must fail, we may get the situation where there
   is no mount at all, which means creating a file will write to the
   mount point instead of failing. To cover that case, write the
   file and check it is absent from the brick.

BUG: 1129939
Change-Id: If95e1d65ab23d11123f778c20f8110a3177b0e7f
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/9483
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
transport: fix default behavior for SSL authorization 2015-01-09T18:04:11+00:00 Jeff Darcy jdarcy@redhat.com 2015-01-06T15:03:49+00:00 548547b2e41c8e2cf79b929405cf18aecbdedebc Previously, enabling SSL authentication/encryption but not authorization required explicitly setting ssl-allow=*. Now that same behavior is the default (i.e. when ssl-allow is not set). Also, there's no reason that a name used for *login* auth (typically a UUID for internal purposes or a human name when using SSL) should validate as an RFC-compliant host name or IP address. Therefore the validation only occurs when the auth type is "addr" (not "login" or anything else). Change-Id: I01485ff4f0ab37de4b182858235a5fb0cf4c3c7d BUG: 1179208 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/9397 Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Previously, enabling SSL authentication/encryption but not authorization
required explicitly setting ssl-allow=*.  Now that same behavior is the
default (i.e. when ssl-allow is not set).

Also, there's no reason that a name used for *login* auth (typically a
UUID for internal purposes or a human name when using SSL) should
validate as an RFC-compliant host name or IP address.  Therefore the
validation only occurs when the auth type is "addr" (not "login" or
anything else).

Change-Id: I01485ff4f0ab37de4b182858235a5fb0cf4c3c7d
BUG: 1179208
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/9397
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
socket: disallow CBC cipher modes 2014-10-27T11:40:55+00:00 Jeff Darcy jdarcy@redhat.com 2014-10-21T20:54:48+00:00 378a0a19d95e552220d71b13be685f4772c576cd This is related to CVE-2014-3566 a.k.a. POODLE. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 POODLE is specific to CBC cipher modes in SSLv3. Because there is no way to prevent SSLv3 fallback on a system with an unpatched version of OpenSSL, users of such systems can only be protected by disallowing CBC modes. The default cipher-mode specification in our code has been changed accordingly. Users can still set their own cipher modes if they wish. To support them, the ssl-authz.t test script provides an example of how to combine the CBC exclusion with other criteria in a script. Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5 BUG: 1155328 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/8962 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
This is related to CVE-2014-3566 a.k.a. POODLE.

	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

POODLE is specific to CBC cipher modes in SSLv3.  Because there is no
way to prevent SSLv3 fallback on a system with an unpatched version of
OpenSSL, users of such systems can only be protected by disallowing CBC
modes.  The default cipher-mode specification in our code has been
changed accordingly.  Users can still set their own cipher modes if they
wish.  To support them, the ssl-authz.t test script provides an example
of how to combine the CBC exclusion with other criteria in a script.

Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
BUG: 1155328
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/8962
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Sane default for SSL on OSX 2014-09-29T08:30:44+00:00 Harshavardhana harsha@harshavardhana.net 2014-09-26T17:12:47+00:00 37ee11f4d42bff1f46fae7d2755e0d6d8a55e572 - /opt/local is not preferred anymore use /usr/local Change-Id: I30cad4cbd28850063f26121cace05371e13bb314 BUG: 1129939 Signed-off-by: Harshavardhana <harsha@harshavardhana.net> Reviewed-on: http://review.gluster.org/8872 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
- /opt/local is not preferred anymore use /usr/local

Change-Id: I30cad4cbd28850063f26121cace05371e13bb314
BUG: 1129939
Signed-off-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-on: http://review.gluster.org/8872
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Use sane OS-dependent defaults for SSL configuration 2014-09-26T10:32:42+00:00 Emmanuel Dreyfus manu@netbsd.org 2014-09-23T05:46:16+00:00 3d36edb00c2adad9a957a445aafac3e800964bb1 Current code assumes /etc/ssl exists, which may not be the case. Attempt to guess sane default for a few OS. BUG: 1129939 Change-Id: I0f3168f79b8f4275636581041740dfcaf25f3edd Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org> Reviewed-on: http://review.gluster.org/8790 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Current code assumes /etc/ssl exists, which may not be the case.
Attempt to guess sane default for a few OS.

BUG: 1129939
Change-Id: I0f3168f79b8f4275636581041740dfcaf25f3edd
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/8790
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
porting: Provide setfattr/getfattr implementation 2014-09-05T17:04:20+00:00 Harshavardhana harsha@harshavardhana.net 2014-08-23T09:14:36+00:00 fd500d4396f910e4cf759e0fffa4daf4ed24745a - Use 'getfattr' properly avoid redundant options during xattr query - Untabify certain parts of tests (remove tabs) - Avoid backtick evaluation for certain values to make code more portable. - Use awk on FreeBSD/Darwin, since 'wc' implementation is broken and adds spurious spaces in its output. Change-Id: I7dcc0b70874e43b4cda8c306ed18a31b7a3f990a BUG: 1131713 Signed-off-by: Harshavardhana <harsha@harshavardhana.net> Reviewed-on: http://review.gluster.org/8520 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Emmanuel Dreyfus <manu@netbsd.org> Tested-by: Emmanuel Dreyfus <manu@netbsd.org> 
- Use 'getfattr' properly avoid redundant options during xattr query
- Untabify certain parts of tests (remove tabs)
- Avoid backtick evaluation for certain values to make code more portable.
- Use awk on FreeBSD/Darwin, since 'wc' implementation is broken and adds
  spurious spaces in its output.

Change-Id: I7dcc0b70874e43b4cda8c306ed18a31b7a3f990a
BUG: 1131713
Signed-off-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-on: http://review.gluster.org/8520
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Emmanuel Dreyfus <manu@netbsd.org>
Tested-by: Emmanuel Dreyfus <manu@netbsd.org>
porting: various fixes regression tests OSX/FreeBSD 2014-08-29T16:13:02+00:00 Harshavardhana harsha@harshavardhana.net 2014-08-20T01:24:23+00:00 2dd53eb4de91c25817af85475cfa9ff66e79c97b - `wc -l` on OSX/FreeBSD adds spurious spaces, this clobbers up TAP output parsers - fix it. - `umount -l` doesn't exist on OSX/FreeBSD use 'umount -f' if available. - Add check for 'file' version, to handle mime type variations across versions - Converge 'glusterfs --attribute-timeout=0 --entry-timeout=0' into '$GFS' - Modify remaining 'mount -t nfs' to use 'mount_nfs' - Update sha1sum for OSX to use 'openssl sha1'. Change-Id: Id1012faa5d67a921513d220e7fa9cebafe830d34 BUG: 1131713 Signed-off-by: Harshavardhana <harsha@harshavardhana.net> Reviewed-on: http://review.gluster.org/8501 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com> 
- `wc -l` on OSX/FreeBSD adds spurious spaces, this clobbers
  up TAP output parsers - fix it.
- `umount -l` doesn't exist on OSX/FreeBSD use 'umount -f' if
   available.
- Add check for 'file' version, to handle mime type variations
  across versions
- Converge 'glusterfs --attribute-timeout=0 --entry-timeout=0'
  into '$GFS'
- Modify remaining 'mount -t nfs' to use 'mount_nfs'
- Update sha1sum for OSX to use 'openssl sha1'.

Change-Id: Id1012faa5d67a921513d220e7fa9cebafe830d34
BUG: 1131713
Signed-off-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-on: http://review.gluster.org/8501
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
rpc/auth: allow SSL identity to be used for authorization 2014-07-02T09:47:05+00:00 Jeff Darcy jdarcy@redhat.com 2014-04-17T23:21:05+00:00 caa8a4ea50734378e7e19f70b39a837c58e9d229 Access to a volume is now controlled by the following options, based on whether SSL is enabled or not. * server.ssl-allow: get identity from certificate, no password needed * auth.allow: get identity and matching password from command line It is not possible to allow both simultaneously, since the connection itself is either using SSL or it isn't. Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/3695 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Access to a volume is now controlled by the following options, based on
whether SSL is enabled or not.

 * server.ssl-allow: get identity from certificate, no password needed

 * auth.allow: get identity and matching password from command line

It is not possible to allow both simultaneously, since the connection
itself is either using SSL or it isn't.

Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/3695
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>