author | Jeff Darcy <jdarcy@redhat.com> | 2014-07-03 14:01:20 +0000 |
---|---|---|
committer | Vijay Bellur <vbellur@redhat.com> | 2014-07-10 07:37:12 -0700 |
commit | b42688786f25420de671ea06030edf4371058433 (patch) | |
tree | 33b4740179b4291222c0b2553b1527b8d8982be1 /rpc | |
parent | 0f5719a3598ff4f72cef8b4fe1fcc2587ec39931 (diff) |
socket/glusterd/client: enable SSL for management
The feature is controlled by presence of the following file:
/var/lib/glusterd/secure-access
See the comment near the definition of SECURE_ACCESS_FILE in glusterfs.h
for the rationale. With this enabled, the following rules apply to
connections:
UNIX-domain sockets never have SSL.
Management-port sockets (both connecting and accepting, in
daemons and CLI) have SSL based on presence of the file.
Other IP sockets have SSL based on the existing client.ssl and
server.ssl volume options.
Transport multi-threading is explicitly turned off in glusterd (it would
otherwise be turned on whenever SSL is enabled) because of multi-threading issues.
Tests have been elided to avoid risk of leaving a file which will cause
all subsequent tests to run with management SSL still enabled.
IMPLEMENTATION NOTE
The implementation is a bit messy, and consists of two stages. First we
decide whether to set the relevant fields in our context structure, based
on presence of the sentinel file OR a command-line override. Later we
decide whether a particular connection should actually use SSL, based on the
context flags plus what kind of connection we're making[1] and what kind of
daemon we're in[2].
[1] inbound, outbound to glusterd port, other outbound
[2] glusterd, glusterfsd, other
TESTING NOTE
Instead of just running one special test for this feature, the ideal
would be to run all tests with management SSL enabled. However, it
would be inappropriate or premature to set up an optional feature in the
patch itself. Therefore, the method of choice is to submit a separate
patch on top, which modifies "cleanup" in include.rc to recreate the
secure-access file and associated SSL certificate/key files before each
test.
Change-Id: I0e04d6d08163893e24ec8c031748c5c447d7f780
BUG: 1114604
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/8094
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'rpc')
-rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 72 | ||||
-rw-r--r-- | rpc/rpc-transport/socket/src/socket.h | 4 |
2 files changed, 56 insertions, 20 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c index ccef2f605cc..e969a5cf7fd 100644 --- a/rpc/rpc-transport/socket/src/socket.c +++ b/rpc/rpc-transport/socket/src/socket.c @@ -318,6 +318,7 @@ ssl_teardown_connection (socket_private_t *priv) SSL_clear(priv->ssl_ssl); SSL_free(priv->ssl_ssl); priv->ssl_ssl = NULL; + priv->use_ssl = _gf_false; } @@ -2563,12 +2564,29 @@ socket_server_event_handler (int fd, int idx, void *data, new_trans->listener = this; new_priv = new_trans->private; - new_priv->use_ssl = priv->use_ssl; + if (new_sockaddr.ss_family == AF_UNIX) { + new_priv->use_ssl = _gf_false; + } + else { + switch (priv->srvr_ssl) { + case MGMT_SSL_ALWAYS: + /* Glusterd with secure_mgmt. */ + new_priv->use_ssl = _gf_true; + break; + case MGMT_SSL_COPY_IO: + /* Glusterfsd. */ + new_priv->use_ssl = priv->ssl_enabled; + break; + default: + new_priv->use_ssl = _gf_false; + } + } + new_priv->sock = new_sock; new_priv->own_thread = priv->own_thread; new_priv->ssl_ctx = priv->ssl_ctx; - if (priv->use_ssl && !priv->own_thread) { + if (new_priv->use_ssl && !new_priv->own_thread) { cname = ssl_setup_connection(new_trans,1); if (!cname) { gf_log(this->name,GF_LOG_ERROR, @@ -2692,6 +2710,23 @@ socket_connect_error_cbk (void *opaque) return NULL; } +static void +socket_fix_ssl_opts (rpc_transport_t *this, socket_private_t *priv, + uint16_t port) +{ + if (port == GF_DEFAULT_SOCKET_LISTEN_PORT) { + gf_log (this->name, GF_LOG_DEBUG, + "%s SSL for portmapper connection", + priv->mgmt_ssl ? "enabling" : "disabling"); + priv->use_ssl = priv->mgmt_ssl; + } + else if (priv->ssl_enabled && !priv->use_ssl) { + gf_log(this->name,GF_LOG_DEBUG, + "re-enabling SSL for I/O connection"); + priv->use_ssl = _gf_true; + } +} + static int socket_connect (rpc_transport_t *this, int port) { 
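Review bot: The added `priv->use_ssl = _gf_false;` at the end of ssl_teardown_connection has a non-local purpose that deserves a comment, because socket_fix_ssl_opts in this same patch only re-enables SSL for an I/O connection when `priv->use_ssl` is already false. I would add `/* Cleared so the next socket_connect() re-decides SSL from ssl_enabled/mgmt_ssl. */` above the assignment. ssl_teardown_connection starts outside the hunk.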
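Review bot: The `default:` arm of the new switch in socket_server_event_handler sets `new_priv->use_ssl = _gf_false` without consulting `priv->ssl_enabled`, so an accepting transport whose srvr_ssl is neither MGMT_SSL_ALWAYS nor MGMT_SSL_COPY_IO would take plaintext connections even with server.ssl configured; the commit message says other IP sockets follow the server.ssl option, so this looks like a silent downgrade unless ctx->secure_srvr is guaranteed to be MGMT_SSL_COPY_IO in every non-glusterd daemon, which is not visible here. Keeping the pre-patch behaviour of following the listener's I/O flag, `default: new_priv->use_ssl = priv->ssl_enabled;`, or at least logging at GF_LOG_WARNING when the default arm is reached, would make the policy explicit. A short comment on the `default:` arm naming which daemons it is expected to cover would help either way. socket_server_event_handler starts and ends outside the hunk.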
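Review bot: socket_fix_ssl_opts leaves `priv->use_ssl` untouched when port is not the management port and `priv->ssl_enabled` is false, so whatever value the field held before the call survives; if that stale state can occur, assigning unconditionally in that branch, `else { priv->use_ssl = priv->ssl_enabled; }` (keeping the debug log for the false-to-true transition), makes the per-connection decision independent of prior state. The function also has no header comment; I would add one stating the precedence it implements: the glusterd port follows mgmt_ssl, any other port follows ssl_enabled, and AF_UNIX is handled by the caller before this is reached. The log in the management-port branch reports "enabling"/"disabling" even when the value does not change, which is harmless but noisy at debug level.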
@@ -2744,23 +2779,16 @@ socket_connect (rpc_transport_t *this, int port) goto unlock; } - if (port > 0) { - sock_union.sin.sin_port = htons (port); - } - if (ntohs(sock_union.sin.sin_port) == - GF_DEFAULT_SOCKET_LISTEN_PORT) { - if (priv->use_ssl) { - gf_log(this->name,GF_LOG_DEBUG, - "disabling SSL for portmapper connection"); - priv->use_ssl = _gf_false; - } + if (sa_family == AF_UNIX) { + priv->ssl_enabled = _gf_false; + priv->mgmt_ssl = _gf_false; } else { - if (priv->ssl_enabled && !priv->use_ssl) { - gf_log(this->name,GF_LOG_DEBUG, - "re-enabling SSL for I/O connection"); - priv->use_ssl = _gf_true; + if (port > 0) { + sock_union.sin.sin_port = htons (port); } + socket_fix_ssl_opts (this, priv, + ntohs(sock_union.sin.sin_port)); } memcpy (&this->peerinfo.sockaddr, &sock_union.storage, @@ -3621,6 +3649,8 @@ socket_init (rpc_transport_t *this) "invalid value given for ssl-enabled boolean"); } } + priv->mgmt_ssl = this->ctx->secure_mgmt; + priv->srvr_ssl = this->ctx->secure_srvr; priv->ssl_own_cert = DEFAULT_CERT_PATH; if (dict_get_str(this->options,SSL_OWN_CERT_OPT,&optstr) == 0) { @@ -3656,8 +3686,11 @@ socket_init (rpc_transport_t *this) priv->ssl_ca_list = gf_strdup(priv->ssl_ca_list); gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO: GF_LOG_DEBUG, - "SSL support is %s", + "SSL support on the I/O path is %s", priv->ssl_enabled ? "ENABLED" : "NOT enabled"); + gf_log(this->name, priv->mgmt_ssl ? GF_LOG_INFO: GF_LOG_DEBUG, + "SSL support for glusterd is %s", + priv->mgmt_ssl ? "ENABLED" : "NOT enabled"); /* * This might get overridden temporarily in socket_connect (q.v.) * if we're using the glusterd portmapper. 
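Review bot: The AF_UNIX branch in socket_connect clears the configuration flags `priv->ssl_enabled` and `priv->mgmt_ssl` but not the per-connection `priv->use_ssl`, so if use_ssl was initialised true in socket_init (the hunk at line 3666 shows own_thread being derived from it) a UNIX-domain connect would still attempt SSL, contrary to the rule in the commit message that UNIX-domain sockets never have SSL. Clearing the per-connection flag instead, `priv->use_ssl = _gf_false;`, and leaving ssl_enabled/mgmt_ssl as the configured policy avoids both the stale flag and the irreversible loss of configuration should the same transport later connect to an IP address. socket_connect starts and ends outside the hunk.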
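Review bot: The new log message `"SSL support for glusterd is %s"` in socket_init reads as if it describes glusterd's own setting, but mgmt_ssl is copied from ctx->secure_mgmt in every process that runs socket_init, including the CLI and glusterfsd, where it governs outbound connections to the management port. Something like `"SSL support for management (glusterd port) connections is %s"` would be less ambiguous when reading the logs of a non-glusterd daemon. socket_init starts and ends outside the hunk.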
@@ -3666,8 +3699,9 @@ socket_init (rpc_transport_t *this) priv->own_thread = priv->use_ssl; if (dict_get_str(this->options,OWN_THREAD_OPT,&optstr) == 0) { + gf_log (this->name, GF_LOG_INFO, "OWN_THREAD_OPT found"); if (gf_string2boolean (optstr, &priv->own_thread) != 0) { - gf_log (this->name, GF_LOG_ERROR, + gf_log (this->name, GF_LOG_WARNING, "invalid value given for own-thread boolean"); } } @@ -3684,7 +3718,7 @@ socket_init (rpc_transport_t *this) "using cipher list %s", cipher_list); } - if (priv->use_ssl) { + if (priv->ssl_enabled || priv->mgmt_ssl) { SSL_library_init(); SSL_load_error_strings(); priv->ssl_meth = (SSL_METHOD *)TLSv1_method(); diff --git a/rpc/rpc-transport/socket/src/socket.h b/rpc/rpc-transport/socket/src/socket.h index e0b412fcce1..33c936938eb 100644 --- a/rpc/rpc-transport/socket/src/socket.h +++ b/rpc/rpc-transport/socket/src/socket.h @@ -217,7 +217,9 @@ typedef struct { int keepaliveintvl; uint32_t backlog; gf_boolean_t read_fail_log; - gf_boolean_t ssl_enabled; + gf_boolean_t ssl_enabled; /* outbound I/O */ + gf_boolean_t mgmt_ssl; /* outbound mgmt */ + mgmt_ssl_t srvr_ssl; gf_boolean_t use_ssl; SSL_METHOD *ssl_meth; SSL_CTX *ssl_ctx; |
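Review bot: The new `gf_log (this->name, GF_LOG_INFO, "OWN_THREAD_OPT found");` fires at INFO for every transport whose options carry own-thread, which looks like leftover debugging output; GF_LOG_DEBUG, or dropping the line, keeps INFO logs meaningful. The severity change to GF_LOG_WARNING for an invalid own-thread value is reasonable given the default is kept, but a comment such as `/* On parse failure own_thread keeps the value derived from use_ssl above. */` would make the downgrade read as intentional. socket_init starts and ends outside the hunk.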
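Review bot: The guard `if (priv->ssl_enabled || priv->mgmt_ssl)` decides whether `priv->ssl_ctx` gets created, yet socket_server_event_handler in this same patch marks accepted connections `use_ssl = _gf_true` whenever `priv->srvr_ssl == MGMT_SSL_ALWAYS`, independently of those two flags; if ctx->secure_srvr can be MGMT_SSL_ALWAYS while secure_mgmt is false (not visible here), the accepted socket would inherit a NULL `ssl_ctx` and ssl_setup_connection would run without a context. Widening the guard, `if (priv->ssl_enabled || priv->mgmt_ssl || priv->srvr_ssl == MGMT_SSL_ALWAYS) {`, or a comment stating the invariant that secure_srvr implies secure_mgmt, closes the gap. socket_init ends outside the hunk.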
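Review bot: The new field comments in socket_private_t are narrower than the uses this patch introduces: `ssl_enabled /* outbound I/O */` also decides inbound SSL in socket_server_event_handler when `srvr_ssl == MGMT_SSL_COPY_IO`, and `srvr_ssl` gets no comment at all. I would write `/* I/O-path policy (outbound; inbound when srvr_ssl is MGMT_SSL_COPY_IO) */` for ssl_enabled, `/* outbound connections to the glusterd port */` for mgmt_ssl, `/* policy for accepted connections, see socket_server_event_handler */` for srvr_ssl, and note on `use_ssl` that it is the per-connection result derived from the three fields above. The enclosing struct starts and ends outside the hunk.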