protocol : fix auth-allow regression

One of the brick multiplexing patches (commit 1a95fc3) had some changes in gf_auth () & server_setvolume () functions which caused auth-allow feature to be broken. mount doesn't succeed even if it's part of the auth-allow list. This fix does the following: 1. Reintroduce the peer-info data back in gf_auth () so that fnmatch has valid input and it can decide on the result. 2. config-params dict should capture key values pairs for all the bricks in case brick multiplexing is on. In case brick multiplexing isn't enabled, then config-params should carry attributes from protocol/server such that all rpc auth related attributes stay in tact in the dictionary. Change-Id: I007c4c6d78620a896b8858a29459a77de8b52412 BUG: 1433815 Signed-off-by: Atin Mukherjee <amukherj@redhat.com> Reviewed-on: https://review.gluster.org/16920 Tested-by: Jeff Darcy <jeff@pl.atyp.us> Smoke: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Jeff Darcy <jeff@pl.atyp.us> Reviewed-by: MOHIT AGRAWAL <moagrawa@redhat.com>
author: Atin Mukherjee <amukherj@redhat.com> 2017-03-20 05:15:25 +0530
committer: Atin Mukherjee <amukherj@redhat.com> 2017-03-30 01:56:59 -0400
commit: 0bd58241143e91b683a3e5c4335aabf9eed537fe (patch)
tree: f9d2a4ca7d25dae136addadbcf076bde999b9d45 /xlators/protocol/auth
parent: 57341d25db8b16e8a1fc7d40f6f56b5200f3547d (diff)
1 files changed, 59 insertions, 2 deletions
diff --git a/xlators/protocol/auth/addr/src/addr.c b/xlators/protocol/auth/addr/src/addr.c
index 1b4557134f9..7ccbb577f48 100644
--- a/xlators/protocol/auth/addr/src/addr.c
+++ b/xlators/protocol/auth/addr/src/addr.c
@@ -30,14 +30,20 @@ gf_auth (dict_t *input_params, dict_t *config_params)
         int            ret            = 0;
         char          *name           = NULL;
         char          *searchstr      = NULL;
+        peer_info_t   *peer_info      = NULL;
+        data_t        *peer_info_data = NULL;
         data_t        *allow_addr     = NULL;
         data_t        *reject_addr    = NULL;
         char          *addr_str       = NULL;
         char          *tmp            = NULL;
         char          *addr_cpy       = NULL;
+        char          *service        = NULL;
+        uint16_t       peer_port      = 0;
         char           negate         = 0;
         char           match          = 0;
-        char           peer_addr[UNIX_PATH_MAX];
+        char           peer_addr[UNIX_PATH_MAX] = {0,};
+        char          *type           = NULL;
+        gf_boolean_t   allow_insecure = _gf_false;
 
         name = data_to_str (dict_get (input_params, "remote-subvolume"));
         if (!name) {
@@ -85,6 +91,57 @@ gf_auth (dict_t *input_params, dict_t *config_params)
                 goto out;
         }
 
+        peer_info_data = dict_get (input_params, "peer-info");
+        if (!peer_info_data) {
+                gf_log ("auth/addr", GF_LOG_ERROR,
+                        "peer-info not present");
+                goto out;
+        }
+
+        peer_info = data_to_ptr (peer_info_data);
+
+        switch (((struct sockaddr *) &peer_info->sockaddr)->sa_family) {
+        case AF_INET_SDP:
+        case AF_INET:
+        case AF_INET6:
+                strcpy (peer_addr, peer_info->identifier);
+                service = strrchr (peer_addr, ':');
+                *service = '\0';
+                service++;
+
+                ret = dict_get_str (config_params, "rpc-auth-allow-insecure",
+                                    &type);
+                if (ret == 0) {
+                        ret = gf_string2boolean (type, &allow_insecure);
+                        if (ret < 0) {
+                                gf_log ("auth/addr", GF_LOG_WARNING,
+                                        "rpc-auth-allow-insecure option %s "
+                                        "is not a valid bool option", type);
+                                goto out;
+                        }
+                }
+
+                peer_port = atoi (service);
+                if (peer_port >= PRIVILEGED_PORT_CEILING && !allow_insecure) {
+                        gf_log ("auth/addr", GF_LOG_ERROR,
+                                "client is bound to port %d which is not privileged",
+                                peer_port);
+                        result = AUTH_REJECT;
+                        goto out;
+                }
+                break;
+
+        case AF_UNIX:
+                strcpy (peer_addr, peer_info->identifier);
+                break;
+
+        default:
+                gf_log ("authenticate/addr", GF_LOG_ERROR,
+                        "unknown address family %d",
+                        ((struct sockaddr *) &peer_info->sockaddr)->sa_family);
+                goto out;
+        }
+
         if (reject_addr) {
                 addr_cpy = gf_strdup (reject_addr->data);
                 if (!addr_cpy)
@@ -120,7 +177,7 @@ gf_auth (dict_t *input_params, dict_t *config_params)
                 addr_str = strtok_r (addr_cpy, ADDR_DELIMITER, &tmp);
 
                 while (addr_str) {
-                        gf_log (name,  GF_LOG_DEBUG,
+                        gf_log (name,  GF_LOG_INFO,
                                 "allowed = \"%s\", received addr = \"%s\"",
                                 addr_str, peer_addr);
                         if (addr_str[0] == '!') {
author	Atin Mukherjee <amukherj@redhat.com>	2017-03-20 05:15:25 +0530
committer	Atin Mukherjee <amukherj@redhat.com>	2017-03-30 01:56:59 -0400
commit	0bd58241143e91b683a3e5c4335aabf9eed537fe (patch)
tree	f9d2a4ca7d25dae136addadbcf076bde999b9d45 /xlators/protocol/auth
parent	57341d25db8b16e8a1fc7d40f6f56b5200f3547d (diff)