summaryrefslogtreecommitdiffstats
path: root/libglusterfs/src/glusterfs.h
diff options
context:
space:
mode:
Diffstat (limited to 'libglusterfs/src/glusterfs.h')
-rw-r--r--libglusterfs/src/glusterfs.h50
1 files changed, 50 insertions, 0 deletions
diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h
index 4867da42aff..3b0cc4b4eaa 100644
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@@ -414,6 +414,9 @@ struct _cmd_args {
int brick_port;
char *brick_name;
int brick_port2;
+
+ /* Should management connections use SSL? */
+ int secure_mgmt;
};
typedef struct _cmd_args cmd_args_t;
@@ -435,6 +438,13 @@ typedef struct _glusterfs_graph glusterfs_graph_t;
typedef int32_t (*glusterfsd_mgmt_event_notify_fn_t) (int32_t event, void *data,
...);
+
+typedef enum {
+ MGMT_SSL_NEVER = 0,
+ MGMT_SSL_COPY_IO,
+ MGMT_SSL_ALWAYS
+} mgmt_ssl_t;
+
struct _glusterfs_ctx {
cmd_args_t cmd_args;
char *process_uuid;
@@ -483,6 +493,26 @@ struct _glusterfs_ctx {
int daemon_pipe[2];
struct clienttable *clienttable;
+
+ /*
+ * Should management connections use SSL? This is the only place we
+ * can put it where both daemon-startup and socket code will see it.
+ *
+ * Why is it an int? Because we're included before common-utils.h,
+ * which defines gf_boolean_t (what we really want). It doesn't make
+ * any sense, but it's not worth turning the codebase upside-down to
+ * fix it. Thus, an int.
+ */
+ int secure_mgmt;
+
+ /*
+ * Should *our* server/inbound connections use SSL? This is only true
+ * if we're glusterd and secure_mgmt is set, or if we're glusterfsd
+ * and SSL is set on the I/O path. It should never be set e.g. for
+ * NFS.
+ */
+ mgmt_ssl_t secure_srvr;
+
};
typedef struct _glusterfs_ctx glusterfs_ctx_t;
@@ -528,6 +558,26 @@ struct gf_flock {
*/
#define GF_UNUSED __attribute__((unused))
+/*
+ * If present, this has the following effects:
+ *
+ * glusterd enables privileged commands over TCP
+ *
+ * all code enables SSL for outbound connections to management port
+ *
+ * glusterd enables SSL for inbound connections
+ *
+ * Servers and clients enable/disable SSL among themselves by other means.
+ * Making secure management connections conditional on a file is a bit of a
+ * hack, but we don't have any other place for such global settings across
+ * all of the affected components. Making it a compile-time option would
+ * reduce functionality, both for users and for testing (which can now be
+ * done using secure connections for all tests without change elsewhere).
+ *
+ * Nonetheless, TBD: define in terms of build-time PREFIX
+ */
+#define SECURE_ACCESS_FILE "/var/lib/glusterd/secure-access"
+
int glusterfs_graph_prepare (glusterfs_graph_t *graph, glusterfs_ctx_t *ctx);
int glusterfs_graph_destroy (glusterfs_graph_t *graph);
int glusterfs_graph_activate (glusterfs_graph_t *graph, glusterfs_ctx_t *ctx);