server: Set ssl-allow option in options table and rename ID

This change explicitly adds 'ssl-allow' options to the server xlator's
options table so that glusterd2 can see it as a settable option. This
change also marks 'auth.allow' and 'auth.reject' options as a settable.

Glusterd2 doesn't maintain a separate volume options table. Glusterd2
dynamically loads shared objects of xlators to read their option table
and other information. Glusterd2 reads 'xlator_api_t' if available. If
that's not available, it falls back to reading just the options table
directly.

In glusterd2, volume set operations are performed by users on keys of
the format <xlator>.<option-name>. Glusterd2 uses xlator name set in
'xlator_api_t.identifier'. If that's not present it will use the shared
object's file name as xlator name. Hence, it is important for
'xlator_api_t.identifier' to be set properly, and in this case, the
proper value is "server". This name shall be used by users as prefix
while setting volume options implemented in server xlator. The name will
also be used in volfile.

A user in glusterd2 can authorize a client over TLS as follows:

$ glustercli volume set <volname> server.ssl-allow <client1-CN>[,<clientN-CN>]

gd2 References:
https://github.com/gluster/glusterd2/issues/971
https://github.com/gluster/glusterd2/issues/214
https://github.com/gluster/glusterd2/pull/967

Updates: bz#1193929
Change-Id: I59ef58acb8d51917e6365a83be03e79ae7c5ad17
Signed-off-by: Prashanth Pai <ppai@redhat.com>

1 files changed, 13 insertions, 1 deletions

diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 80ea3e68fbb..35c14a39c6c 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -1751,6 +1751,7 @@ struct volume_options server_options[] = {
           .setkey = "auth.addr.{{ brick.path }}.allow",
           .default_value = "*",
           .type  = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
+          .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC,
           .description = "Allow a comma separated list of addresses and/or "
                          "hostnames to connect to the server. Option "
                          "auth.reject overrides this option. By default, all "
@@ -1759,11 +1760,22 @@ struct volume_options server_options[] = {
         { .key   = {"auth.addr.*.reject", "auth.reject"},
           .setkey = "auth.addr.{{ brick.path }}.reject",
           .type  = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
+          .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC,
           .description = "Reject a comma separated list of addresses and/or "
                          "hostnames to connect to the server. This option "
                          "overrides the auth.allow option. By default, all"
                          " connections are allowed."
         },
+        { .key   = {"ssl-allow"},
+          .setkey = "auth.login.{{ brick.path }}.ssl-allow",
+          .default_value = "*",
+          .type  = GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
+          .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC,
+          .description = "Allow a comma separated list of common names (CN) of"
+                         "the clients that are allowed to access the server."
+                         "By default, all TLS authenticated clients are"
+                         "allowed to access the server."
+        },
         /* This is not a valid path w.r.t daemons, hence it's string */
         { .key   = {"auth-path"},
           .type  = GF_OPTION_TYPE_STR,
@@ -1838,5 +1850,5 @@ xlator_api_t xlator_api = {
         .fops          = &server_fops,
         .cbks          = &server_cbks,
         .options       = server_options,
-        .identifier    = "server-protocol",
+        .identifier    = "server",
 };