socket/glusterd/client: enable SSL for management

The feature is controlled by presence of the following file: /var/lib/glusterd/secure-access See the comment near the definition of SECURE_ACCESS_FILE in glusterfs.h for the rationale. With this enabled, the following rules apply to connections: UNIX-domain sockets never have SSL. Management-port sockets (both connecting and accepting, in daemons and CLI) have SSL based on presence of the file. Other IP sockets have SSL based on the existing client.ssl and server.ssl volume options. Transport multi-threading is explicitly turned off in glusterd (it would otherwise be turned on when SSL is) due to multi-threading issues. Tests have been elided to avoid risk of leaving a file which will cause all subsequent tests to run with management SSL still enabled. IMPLEMENTATION NOTE The implementation is a bit messy, and consists of two stages. First we decide whether to set the relevant fields in our context structure, based on presence of the sentinel file OR a command-line override. Later we decide whether a particular connection should actually use SSL, based on the context flags plus what kind of connection we're making[1] and what kind of daemon we're in[2]. [1] inbound, outbound to glusterd port, other outbound [2] glusterd, glusterfsd, other TESTING NOTE Instead of just running one special test for this feature, the ideal would be to run all tests with management SSL enabled. However, it would be inappropriate or premature to set up an optional feature in the patch itself. Therefore, the method of choice is to submit a separate patch on top, which modifies "cleanup" in include.rc to recreate the secure-access file and associated SSL certificate/key files before each test. Change-Id: I0e04d6d08163893e24ec8c031748c5c447d7f780 BUG: 1114604 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/8094 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
author: Jeff Darcy <jdarcy@redhat.com> 2014-07-03 14:01:20 +0000
committer: Vijay Bellur <vbellur@redhat.com> 2014-07-10 07:37:12 -0700
commit: b42688786f25420de671ea06030edf4371058433 (patch)
tree: 33b4740179b4291222c0b2553b1527b8d8982be1 /libglusterfs
parent: 0f5719a3598ff4f72cef8b4fe1fcc2587ec39931 (diff)
1 files changed, 50 insertions, 0 deletions
diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h
index 4867da42aff..3b0cc4b4eaa 100644
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@@ -414,6 +414,9 @@ struct _cmd_args {
         int             brick_port;
         char           *brick_name;
         int             brick_port2;
+
+        /* Should management connections use SSL? */
+        int             secure_mgmt;
 };
 typedef struct _cmd_args cmd_args_t;
 
@@ -435,6 +438,13 @@ typedef struct _glusterfs_graph glusterfs_graph_t;
 
 typedef int32_t (*glusterfsd_mgmt_event_notify_fn_t) (int32_t event, void *data,
                                                       ...);
+
+typedef enum {
+        MGMT_SSL_NEVER = 0,
+        MGMT_SSL_COPY_IO,
+        MGMT_SSL_ALWAYS
+} mgmt_ssl_t;
+
 struct _glusterfs_ctx {
         cmd_args_t          cmd_args;
         char               *process_uuid;
@@ -483,6 +493,26 @@ struct _glusterfs_ctx {
         int                 daemon_pipe[2];
 
         struct clienttable *clienttable;
+
+        /*
+         * Should management connections use SSL?  This is the only place we
+         * can put it where both daemon-startup and socket code will see it.
+         *
+         * Why is it an int?  Because we're included before common-utils.h,
+         * which defines gf_boolean_t (what we really want).  It doesn't make
+         * any sense, but it's not worth turning the codebase upside-down to
+         * fix it.  Thus, an int.
+         */
+        int                 secure_mgmt;
+
+        /*
+         * Should *our* server/inbound connections use SSL?  This is only true
+         * if we're glusterd and secure_mgmt is set, or if we're glusterfsd
+         * and SSL is set on the I/O path.  It should never be set e.g. for
+         * NFS.
+         */
+        mgmt_ssl_t          secure_srvr;
+
 };
 typedef struct _glusterfs_ctx glusterfs_ctx_t;
 
@@ -528,6 +558,26 @@ struct gf_flock {
  */
 #define GF_UNUSED __attribute__((unused))
 
+/*
+ * If present, this has the following effects:
+ *
+ *      glusterd enables privileged commands over TCP
+ *
+ *      all code enables SSL for outbound connections to management port
+ *
+ *      glusterd enables SSL for inbound connections
+ *
+ * Servers and clients enable/disable SSL among themselves by other means.
+ * Making secure management connections conditional on a file is a bit of a
+ * hack, but we don't have any other place for such global settings across
+ * all of the affected components.  Making it a compile-time option would
+ * reduce functionality, both for users and for testing (which can now be
+ * done using secure connections for all tests without change elsewhere).
+ *
+ * Nonetheless, TBD: define in terms of build-time PREFIX
+ */
+#define SECURE_ACCESS_FILE      "/var/lib/glusterd/secure-access"
+
 int glusterfs_graph_prepare (glusterfs_graph_t *graph, glusterfs_ctx_t *ctx);
 int glusterfs_graph_destroy (glusterfs_graph_t *graph);
 int glusterfs_graph_activate (glusterfs_graph_t *graph, glusterfs_ctx_t *ctx);
author	Jeff Darcy <jdarcy@redhat.com>	2014-07-03 14:01:20 +0000
committer	Vijay Bellur <vbellur@redhat.com>	2014-07-10 07:37:12 -0700
commit	b42688786f25420de671ea06030edf4371058433 (patch)
tree	33b4740179b4291222c0b2553b1527b8d8982be1 /libglusterfs
parent	0f5719a3598ff4f72cef8b4fe1fcc2587ec39931 (diff)