| author | Jeff Darcy <jdarcy@redhat.com> | 2014-04-17 23:21:05 +0000 | 
|---|---|---|
| committer | Vijay Bellur <vbellur@redhat.com> | 2014-07-02 02:47:05 -0700 | 
| commit | caa8a4ea50734378e7e19f70b39a837c58e9d229 (patch) | |
| tree | a06a99e143a1dd8c99cc10e84e9d3bca72a63cf7 /rpc/rpc-transport/socket/src/socket.c | |
| parent | 831efecf927788f26b630cb82d5d6ff4af411a3d (diff) | |
rpc/auth: allow SSL identity to be used for authorization
Access to a volume is now controlled by the following options, based on
whether SSL is enabled or not.
 * server.ssl-allow: get identity from certificate, no password needed
 * auth.allow: get identity and matching password from command line
It is not possible to allow both simultaneously, since the connection
itself is either using SSL or it isn't.
Change-Id: I5a5be66520f56778563d62f4b3ab35c66cc41ac0
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/3695
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'rpc/rpc-transport/socket/src/socket.c')
| -rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 37 | 
1 files changed, 30 insertions, 7 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 6d4a862aa8d..8b8b97370de 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -246,7 +246,7 @@ out:
 #define ssl_read_one(t,b,l)  ssl_do((t),(b),(l),(SSL_trinary_func *)SSL_read)
 #define ssl_write_one(t,b,l) ssl_do((t),(b),(l),(SSL_trinary_func *)SSL_write)
-static int
+static char *
 ssl_setup_connection (rpc_transport_t *this, int server)
 {
 	X509             *peer = NULL;
@@ -297,7 +297,7 @@ ssl_setup_connection (rpc_transport_t *this, int server)
 		NID_commonName, peer_CN, sizeof(peer_CN)-1);
 	peer_CN[sizeof(peer_CN)-1] = '\0';
 	gf_log(this->name,GF_LOG_INFO,"peer CN = %s", peer_CN);
-	return 0;
+        return gf_strdup(peer_CN);
 	/* Error paths. */
 ssl_error:
@@ -307,7 +307,7 @@ free_ssl:
 	SSL_free(priv->ssl_ssl);
         priv->ssl_ssl = NULL;
 done:
-	return ret;
+	return NULL;
 }
@@ -2262,15 +2262,23 @@ socket_poller (void *ctx)
 	gf_boolean_t      to_write = _gf_false;
 	int               ret = 0;
         uint32_t          gen = 0;
+        char             *cname = NULL;
         priv->ot_state = OT_RUNNING;
         if (priv->use_ssl) {
-                if (ssl_setup_connection(this,priv->connected) < 0) {
+                cname = ssl_setup_connection(this,priv->connected);
+                if (!cname) {
                         gf_log (this->name,GF_LOG_ERROR, "%s setup failed",
                                 priv->connected ? "server" : "client");
                         goto err;
                 }
+                if (priv->connected) {
+                        this->ssl_name = cname;
+                }
+                else {
+                        GF_FREE(cname);
+                }
         }
         if (!priv->bio) {
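Review bot: The return contract of ssl_setup_connection changes here from an int status to a heap-allocated string, but nothing states who owns the result. A header comment above `static char *` would settle it, e.g. `/* Returns the peer certificate's CN as a gf_strdup'd string the caller must GF_FREE, or NULL on failure. */`; all three callers in this commit already rely on that rule. The function body continues past the hunk.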
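Review bot: `return gf_strdup(peer_CN);` turns the CN into the identity that server.ssl-allow will be matched against, so the value deserves a check before it leaves the function. The length returned by X509_NAME_get_text_by_NID (the call begins above the hunk) should be kept in a local and compared with the string, `if (len < 0 || (size_t)len != strlen(peer_CN)) goto ssl_error;`, so a certificate without a CN, or one whose CN contains an embedded NUL, is rejected rather than silently shortened into a different name. A NULL from gf_strdup is reported by every caller as "setup failed", which hides an allocation failure; a dedicated log line here would keep the two cases apart. The added return line is space-indented while the surrounding lines use tabs.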
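Review bot: `this->ssl_name = cname;` overwrites whatever identity an earlier handshake stored on this transport without releasing it, so if socket_poller runs again for the same transport (a reconnect, presumably) the previous string leaks unless ssl_name is freed somewhere not shown here. Releasing the old value first, `GF_FREE(this->ssl_name); this->ssl_name = cname;`, or a comment on the ssl_name field stating that it is set once and freed at transport teardown, would close the question; the socket_connect hunk at the end of this page makes the same assignment and has the same exposure. The `else { GF_FREE(cname); }` branch also discards the server's CN on the client side, so a client transport never carries its peer's identity; if that is intended, a one-line comment saying so would save the next reader a search.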
@@ -2450,6 +2458,7 @@ socket_server_event_handler (int fd, int idx, void *data,
         socklen_t                addrlen = sizeof (new_sockaddr);
         socket_private_t        *new_priv = NULL;
         glusterfs_ctx_t         *ctx = NULL;
+        char                    *cname = NULL;
         this = data;
         GF_VALIDATE_OR_GOTO ("socket", this, out);
@@ -2560,7 +2569,8 @@ socket_server_event_handler (int fd, int idx, void *data,
                         new_priv->ssl_ctx = priv->ssl_ctx;
 			if (priv->use_ssl && !priv->own_thread) {
-				if (ssl_setup_connection(new_trans,1) < 0) {
+				cname = ssl_setup_connection(new_trans,1);
+                                if (!cname) {
 					gf_log(this->name,GF_LOG_ERROR,
 					       "server setup failed");
 					close(new_sock);
@@ -2568,6 +2578,7 @@ socket_server_event_handler (int fd, int idx, void *data,
                                         GF_FREE (new_trans);
 					goto unlock;
 				}
+                                this->ssl_name = cname;
 			}
                         if (!priv->bio && !priv->own_thread) {
@@ -2634,6 +2645,9 @@ unlock:
         pthread_mutex_unlock (&priv->lock);
 out:
+        if (cname && (cname != this->ssl_name)) {
+                GF_FREE(cname);
+        }
         return ret;
 }
@@ -2694,6 +2708,7 @@ socket_connect (rpc_transport_t *this, int port)
         gf_boolean_t                   refd      = _gf_false;
         socket_connect_error_state_t  *arg             = NULL;
         pthread_t                      th_id           = {0, };
+        char                          *cname           = NULL;
         GF_VALIDATE_OR_GOTO ("socket", this, err);
         GF_VALIDATE_OR_GOTO ("socket", this->private, err);
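Review bot: `if (!cname) {` is indented with 32 spaces while the line it follows, `cname = ssl_setup_connection(new_trans,1);`, and the gf_log/close body below are tab-indented, so with 8-column tabs the block reads as two different nesting depths. Matching the surrounding tabs, `				if (!cname) {`, keeps the hunk consistent; the `this->ssl_name = cname;` line in the next hunk has the same mix.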
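Review bot: `this->ssl_name = cname;` stores the peer CN on `this`, which in this function is the listening transport (`this = data;` in the first hunk of this section), while the handshake that produced the name ran on `new_trans`. If authorization reads ssl_name from the per-connection transport, connections accepted on this path carry no identity, and every accept overwrites the listener's ssl_name, leaking the previous string and racing with concurrent accepts. The assignment should be `new_trans->ssl_name = cname; cname = NULL;`, after which the cleanup in the `out:` hunk can simply `GF_FREE(cname);` without comparing against `this->ssl_name`. socket_poller earlier on this page attaches the name to the transport that performed the handshake, which is the behaviour this path should match.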
@@ -2857,12 +2872,20 @@ socket_connect (rpc_transport_t *this, int port)
                 }
                 if (priv->use_ssl && !priv->own_thread) {
-                        ret = ssl_setup_connection(this,0);
-                        if (ret < 0) {
+                        cname = ssl_setup_connection(this,0);
+                        if (!cname) {
+                                errno = ENOTCONN;
+                                ret = -1;
                                 gf_log(this->name,GF_LOG_ERROR,
                                        "client setup failed");
                                 goto handler;
                         }
+                        if (priv->connected) {
+                                this->ssl_name = cname;
+                        }
+                        else {
+                                GF_FREE(cname);
+                        }
                 }
                 if (!priv->bio && !priv->own_thread) {
