server/auth: add option for strict authentication

When this option is enabled, we will check for a matching username and password, if not found then the connection will be rejected. This also does a checksum validation of volfile The option is invalid when SSL/TLS is in use, at which point the SSL/TLS certificate user name is used to validate and hence authorize the right user. This expects TLS allow rules to be setup correctly rather than the default *. This option is not settable, as a result this cannot be enabled for volumes using the CLI. This is used with the shared storage volume, to restrict access to the same in non-SSL/TLS environments to the gluster peers only. Tested: ./tests/bugs/protocol/bug-1321578.t ./tests/features/ssl-authz.t - Ran tests on volumes with and without strict auth checking (as brick vol file needed to be edited to test, or rather to enable the option) - Ran tests on volumes to ensure existing mounts are disconnected when we enable strict checking Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 fixes: bz#1568844 Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> Signed-off-by: ShyamsundarR <srangana@redhat.com>
author: Mohammed Rafi KC <rkavunga@redhat.com> 2018-04-02 12:20:47 +0530
committer: ShyamsundarR <srangana@redhat.com> 2018-04-20 16:44:06 -0400
commit: bca55ab1bfcd2889f8387ba8bcab27766e1b94ac (patch)
tree: 8c105a7e716fd249292f2b5d0ce7f66d8518e7bb /xlators/mgmt/glusterd/src
parent: 3dbb6b5d6093357ed430fba4cc17ac2d8eb99b32 (diff)
1 files changed, 15 insertions, 1 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 60014e02061..d1d9ac6b8ea 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -2472,6 +2472,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
         char            *password = NULL;
         char            key[1024] = {0};
         char            *ssl_user = NULL;
+        char            *volname = NULL;
         char            *address_family_data = NULL;
 
         if (!graph || !volinfo || !set_dict || !brickinfo)
@@ -2547,6 +2548,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
         if (ret)
                 return -1;
 
+        volname = volinfo->is_snap_volume ?
+                  volinfo->parent_volname : volinfo->volname;
+
+
+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
+                memset (key, 0, sizeof (key));
+                snprintf (key, sizeof (key), "strict-auth-accept");
+
+                ret = xlator_set_option (xl, key, "true");
+                if (ret)
+                        return -1;
+        }
+
         if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
                 memset (key, 0, sizeof (key));
                 snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
@@ -6117,7 +6131,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
 
 
         if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
-             client_type != GF_CLIENT_TRUSTED) {
+            client_type != GF_CLIENT_TRUSTED) {
                 /*
                  * shared storage volume cannot be mounted from non trusted
                  * nodes. So we are not creating volfiles for non-trusted
author	Mohammed Rafi KC <rkavunga@redhat.com>	2018-04-02 12:20:47 +0530
committer	ShyamsundarR <srangana@redhat.com>	2018-04-20 16:44:06 -0400
commit	bca55ab1bfcd2889f8387ba8bcab27766e1b94ac (patch)
tree	8c105a7e716fd249292f2b5d0ce7f66d8518e7bb /xlators/mgmt/glusterd/src
parent	3dbb6b5d6093357ed430fba4cc17ac2d8eb99b32 (diff)