glusterfs.git/xlators/features, branch v3.3.0qa12 geo-rep: disallow some special characters in url syntax 2011-09-22T12:25:14+00:00 Csaba Henk csaba@gluster.com 2011-09-22T08:26:02+00:00 eede6ce87fc19878873e8320c172d1acb2deaa33 - space is disallowed to make rsync target unambigous for gsyncd wrapper - *, ?, [ is disallowed so that we can tell away globs from urls Nothing too bad would happen without these restrictions, but this way gluster errs out early instead of producing some mystical error further down on the way. Change-Id: Idd4e68f7d91598a7a8e30ccbc6d395da570cdf2e BUG: 3610 Reviewed-on: http://review.gluster.com/490 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
- space is disallowed to make rsync target unambigous for gsyncd wrapper
- *, ?, [ is disallowed so that we can tell away globs from urls

Nothing too bad would happen without these restrictions, but this way
gluster errs out early instead of producing some mystical error
further down on the way.

Change-Id: Idd4e68f7d91598a7a8e30ccbc6d395da570cdf2e
BUG: 3610
Reviewed-on: http://review.gluster.com/490
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
geo-rep: add support to glob patterns with "geo-rep config" 2011-09-22T12:24:57+00:00 Csaba Henk csaba@gluster.com 2011-09-22T08:12:24+00:00 21eabe9bae81b3cc732fcf773fb5c1995f19d0d7 Change-Id: I0d54cea72e4363eab85ade774cc918081d8036e9 BUG: 3610 Reviewed-on: http://review.gluster.com/489 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
Change-Id: I0d54cea72e4363eab85ade774cc918081d8036e9
BUG: 3610
Reviewed-on: http://review.gluster.com/489
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
geo-rep: implement IP address based access control 2011-09-22T12:24:41+00:00 Csaba Henk csaba@gluster.com 2011-09-20T14:20:18+00:00 b27b9d36de798bb18eaa95524f3900f9e17ce3e5 - gsyncd gets allow-network tunable which is expected to hold a comma-separated list of IP network addresses - for IP addess matching, bring in ipaddr module from Google (http://code.google.com/p/ipaddr-py/, rev. trunk@225) This will let users control master's access to slave's volumes until we implement unprivileged geo-rep (delayed due to some technical issues). It's also needed for the completeness of our hardening efforts, as plain file slaves won't be able to work with an unprivileged gsyncd. Change-Id: I58431cba6592f8672e93ea89a5eef478905b00b9 BUG: 2825 Reviewed-on: http://review.gluster.com/488 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
- gsyncd gets allow-network tunable which is expected to
  hold a comma-separated list of IP network addresses
- for IP addess matching, bring in ipaddr module from Google
  (http://code.google.com/p/ipaddr-py/, rev. trunk@225)

This will let users control master's access to slave's volumes
until we implement unprivileged geo-rep (delayed due to some
technical issues). It's also needed for the completeness of
our hardening efforts, as plain file slaves won't be able
to work with an unprivileged gsyncd.

Change-Id: I58431cba6592f8672e93ea89a5eef478905b00b9
BUG: 2825
Reviewed-on: http://review.gluster.com/488
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
geo-rep: gsyncd: make sure path operations do not act outside the volume 2011-09-22T12:24:23+00:00 Csaba Henk csaba@gluster.com 2011-09-19T13:47:46+00:00 d7c9d2bfbd20727f90b0118c982ff9612aacacf2 Change-Id: I2da62b34aa833b9a28728fa1db23951f28b7e538 BUG: 2825 Reviewed-on: http://review.gluster.com/462 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
Change-Id: I2da62b34aa833b9a28728fa1db23951f28b7e538
BUG: 2825
Reviewed-on: http://review.gluster.com/462
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
gsyncd: control rsync target 2011-09-22T12:23:54+00:00 Csaba Henk csaba@gluster.com 2011-09-13T11:12:38+00:00 7e04913aa6f4ddb45e95099ef648564bf90da0b3 - require/perform rsync invocation with unprotected args (so that target is revealed to gateway program) - make use of some procfs wizardry to find gsyncd sibling and match rsync target against its working directory Change-Id: Iae1e39b0e61f22563c0f2a2e0605567e0d1902df BUG: 2825 Reviewed-on: http://review.gluster.com/461 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
- require/perform rsync invocation with unprotected args
  (so that target is revealed to gateway program)
- make use of some procfs wizardry to find gsyncd sibling
  and match rsync target against its working directory

Change-Id: Iae1e39b0e61f22563c0f2a2e0605567e0d1902df
BUG: 2825
Reviewed-on: http://review.gluster.com/461
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
gsyncd: implement restricted mode and utility dispatch 2011-09-22T12:23:32+00:00 Csaba Henk csaba@gluster.com 2011-09-11T17:45:57+00:00 2ab00369e7ef99d287dad5301d2f334dcfd67a70 With this change, the suggested way of setting up a geo-sync slave is to use an ssh key with gsyncd as a forced command (see sshd(8)), or set gsyncd as shell. This prevents the master in executing arbitrary commands on slave (a major security hole). Detailed list the changes: - All gsyncd invocations that are not done by glusterd are considered unsafe and then we operate in so-called "restricted mode" (see below) - if we are invoked on purpose (ie. it's not the case that sshd forced us to run as frontend of a remote-invoked command), we execute gsyncd.py - if invoked by sshd as frontend command, we check the remote command line and call the required utility if it's among the allowed ones (rsyncd and gsyncd) - with rsync, we check if invocation is server mode and some other sanity measures - with gsyncd, in restricted mode we enforce the usage of the glusterd provided config file, and in python, we enforce operation in server mode and some other sanity checks Impact on using geo-rep the old way: remote file slave now also requires a running glusterd (to pick up config from). Missing: we not implemented check of the rsync target path. The issue of master being able to modify arbitrary locations is planned to be mitigated by using geo-rep with an unprivileged user. Change-Id: I9b5825bfe282a9ca777429aadd554d78708f1638 BUG: 2825 Reviewed-on: http://review.gluster.com/460 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
With this change, the suggested way of setting up a geo-sync
slave is to use an ssh key with gsyncd as a forced command
(see sshd(8)), or set gsyncd as shell. This prevents the master
in executing arbitrary commands on slave (a major security hole).

Detailed list the changes:
- All gsyncd invocations that are not done by glusterd are
  considered unsafe and then we operate in so-called "restricted mode"
  (see below)
- if we are invoked on purpose (ie. it's not the case that sshd forced
  us to run as frontend of a remote-invoked command), we execute gsyncd.py
- if invoked by sshd as frontend command, we check the remote command
  line and call the required utility if it's among the allowed ones
  (rsyncd and gsyncd)
- with rsync, we check if invocation is server mode and some other
  sanity measures
- with gsyncd, in restricted mode we enforce the usage of the glusterd
  provided config file, and in python, we enforce operation in
  server mode and some other sanity checks

Impact on using geo-rep the old way: remote file slave now also
requires a running glusterd (to pick up config from).

Missing: we not implemented check of the rsync target path.
The issue of master being able to modify arbitrary locations
is planned to be mitigated by using geo-rep with an unprivileged
user.

Change-Id: I9b5825bfe282a9ca777429aadd554d78708f1638
BUG: 2825
Reviewed-on: http://review.gluster.com/460
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
geo-rep: rewrite gsyncd wrapper in C 2011-09-22T12:22:59+00:00 Csaba Henk csaba@gluster.com 2011-09-02T17:03:33+00:00 1098aaa51d2e3dca9e6c48ee1e9cb43bc87936f4 This rewrite does not change functionality; it's purpose is to prepare followup modifications which will let all slave side helper programs being dispatched to through gsyncd. The string processing that's required for that task would be too much cumbersome in shell. Change-Id: Ia7858aba5efeb5dcff16a918ea1c02253f0e49ab BUG: 2825 Reviewed-on: http://review.gluster.com/459 Reviewed-by: Amar Tumballi <amar@gluster.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
This rewrite does not change functionality;
it's purpose is to prepare followup modifications which will let
all slave side helper programs being dispatched to through
gsyncd. The string processing that's required for that task would
be too much cumbersome in shell.

Change-Id: Ia7858aba5efeb5dcff16a918ea1c02253f0e49ab
BUG: 2825
Reviewed-on: http://review.gluster.com/459
Reviewed-by: Amar Tumballi <amar@gluster.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
geo-rep: gsyncd: add --ignore-deletes option 2011-09-20T17:32:55+00:00 Venky Shankar venky@gluster.com 2011-09-13T16:41:33+00:00 b30f66e20d830daec057075d67f181e904984a27 When this option is set, a file deleted on master will not trigger a delete operation on the slave. Hence, the slave will remain as a superset of the master and can be used to recover the master in case of crash and/or accidental deletes. This options is not enabled by default. Change-Id: I9244d9dfa4f38f19436036f36bec0d9c3a1f7993 BUG: 3552 Reviewed-on: http://review.gluster.com/426 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Csaba Henk <csaba@gluster.com> 
When this option is set, a file deleted on master will not trigger
a delete operation on the slave. Hence, the slave will remain as a
superset of the master and can be used to recover the master in case
of crash and/or accidental deletes.

This options is not enabled by default.

Change-Id: I9244d9dfa4f38f19436036f36bec0d9c3a1f7993
BUG: 3552
Reviewed-on: http://review.gluster.com/426
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Csaba Henk <csaba@gluster.com>
features/locks: free the string allocated by inode_path 2011-09-20T05:39:56+00:00 Raghavendra Bhat raghavendrabhat@gluster.com 2011-09-20T05:33:32+00:00 b5b0bb056391659802099908f4bccde5afdb9e34 Change-Id: I1b7d4059610713b92c4bb78676c3b48335e3a0fe BUG: 3468 Reviewed-on: http://review.gluster.com/465 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
Change-Id: I1b7d4059610713b92c4bb78676c3b48335e3a0fe
BUG: 3468
Reviewed-on: http://review.gluster.com/465
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>
features/marker: Use appropriate loc struct to do removexattr on newpath after rename. 2011-09-19T08:22:28+00:00 Raghavendra G raghavendra@gluster.com 2011-09-10T09:52:37+00:00 02db3a0e457654b35c1a147403f1e99f691dcd52 Change-Id: I060e62c1fbb288179063a6d64d73bad1a6572661 BUG: 3493 Reviewed-on: http://review.gluster.com/390 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vijay@gluster.com> 
Change-Id: I060e62c1fbb288179063a6d64d73bad1a6572661
BUG: 3493
Reviewed-on: http://review.gluster.com/390
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vijay@gluster.com>