glusterfs: fix CVE-2018-1088

Backport patches to fix the following CVE. CVE: CVE-2018-1088 Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Chen Qi <Qi.Chen@windriver.com> 2018-09-13 18:15:36 +0800
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2018-09-18 03:07:53 -0400
commit: bf98d2e27d31804f559bfc9f7cb0582f3c258ac6 (patch)
tree: a09b237b22160c3cf18c40713e8cb9e40f693cbb
parent: 69882568e8ac28e0dd53c63d571ca282c18df2d8 (diff)
download: meta-cloud-services-bf98d2e27d31804f559bfc9f7cb0582f3c258ac6.tar.gz
3 files changed, 352 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
new file mode 100644
index 0000000..0e24c56
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
@@ -0,0 +1,70 @@
+From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001
+From: Mohammed Rafi KC <rkavunga@redhat.com>
+Date: Mon, 26 Mar 2018 20:27:34 +0530
+Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from
+ non-trusted client
+gluster shared storage is a volume used for internal storage for
+various features including ganesha, geo-rep, snapshot.
+So this volume should not be exposed to the client, as it is
+a special volume for internal use.
+This fix wont't generate non trusted volfile for shared storage volume.
+Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
+fixes: bz#1568844
+BUG: 1568844
+Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
+Upstream-Status: Backport
+Fix CVE-2018-1088
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+index 0a0668e..308c41f 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
+         int                i                  = 0;
+         int                ret                = -1;
+         char               filepath[PATH_MAX] = {0,};
+        char               *volname           = NULL;
+         char               *types[]           = {NULL, NULL, NULL};
+         dict_t             *dict              = NULL;
+         xlator_t           *this              = NULL;
+@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
+ 
+         this = THIS;
+ 
+        volname = volinfo->is_snap_volume ?
+                  volinfo->parent_volname : volinfo->volname;
+
+
+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
+             client_type != GF_CLIENT_TRUSTED) {
+                /*
+                 * shared storage volume cannot be mounted from non trusted
+                 * nodes. So we are not creating volfiles for non-trusted
+                 * clients for shared volumes as well as snapshot of shared
+                 * volumes.
+                 */
+
+                ret = 0;
+                gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile"
+                               "creation for shared storage volume. Volume %s",
+                               volname);
+                goto out;
+        }
+
+         enumerate_transport_reqs (volinfo->transport_type, types);
+         dict = dict_new ();
+         if (!dict)
+-- 
+2.7.4
diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
new file mode 100644
index 0000000..8947f27
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
@@ -0,0 +1,280 @@
+From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001
+From: Mohammed Rafi KC <rkavunga@redhat.com>
+Date: Mon, 2 Apr 2018 12:20:47 +0530
+Subject: [PATCH 2/3] server/auth: add option for strict authentication
+When this option is enabled, we will check for a matching
+username and password, if not found then the connection will
+be rejected. This also does a checksum validation of volfile
+The option is invalid when SSL/TLS is in use, at which point
+the SSL/TLS certificate user name is used to validate and
+hence authorize the right user. This expects TLS allow rules
+to be setup correctly rather than the default *.
+This option is not settable, as a result this cannot be enabled
+for volumes using the CLI. This is used with the shared storage
+volume, to restrict access to the same in non-SSL/TLS environments
+to the gluster peers only.
+Tested:
+  ./tests/bugs/protocol/bug-1321578.t
+  ./tests/features/ssl-authz.t
+  - Ran tests on volumes with and without strict auth
+    checking (as brick vol file needed to be edited to test,
+    or rather to enable the option)
+  - Ran tests on volumes to ensure existing mounts are
+    disconnected when we enable strict checking
+Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
+fixes: bz#1568844
+Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
+Signed-off-by: ShyamsundarR <srangana@redhat.com>
+Upstream-Status: Backport
+Fix CVE-2018-1088
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ xlators/mgmt/glusterd/src/glusterd-volgen.c    | 16 +++++++-
+ xlators/protocol/auth/login/src/login.c        | 51 ++++++++++++++++++++++----
+ xlators/protocol/server/src/authenticate.h     |  4 +-
+ xlators/protocol/server/src/server-handshake.c |  2 +-
+ xlators/protocol/server/src/server.c           | 18 +++++++++
+ xlators/protocol/server/src/server.h           |  2 +
+ 6 files changed, 81 insertions(+), 12 deletions(-)
+diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+index 308c41f..8dd4907 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
+         char            *password = NULL;
+         char            key[1024] = {0};
+         char            *ssl_user = NULL;
+        char            *volname = NULL;
+         char            *address_family_data = NULL;
+ 
+         if (!graph || !volinfo || !set_dict || !brickinfo)
+@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
+         if (ret)
+                 return -1;
+ 
+        volname = volinfo->is_snap_volume ?
+                  volinfo->parent_volname : volinfo->volname;
+
+
+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
+                memset (key, 0, sizeof (key));
+                snprintf (key, sizeof (key), "strict-auth-accept");
+
+                ret = xlator_set_option (xl, key, "true");
+                if (ret)
+                        return -1;
+        }
+
+         if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
+                 memset (key, 0, sizeof (key));
+                 snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
+@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
+ 
+ 
+         if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
+-             client_type != GF_CLIENT_TRUSTED) {
+            client_type != GF_CLIENT_TRUSTED) {
+                 /*
+                  * shared storage volume cannot be mounted from non trusted
+                  * nodes. So we are not creating volfiles for non-trusted
+diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
+index e799dd2..da10d0b 100644
+--- a/xlators/protocol/auth/login/src/login.c
+++ b/xlators/protocol/auth/login/src/login.c
+@@ -11,6 +11,16 @@
+ #include <fnmatch.h>
+ #include "authenticate.h"
+ 
+/* Note on strict_auth
+ * - Strict auth kicks in when authentication is using the username, password
+ *   in the volfile to login
+ * - If enabled, auth is rejected if the username and password is not matched
+ *   or is not present
+ * - When using SSL names, this is automatically strict, and allows only those
+ *   names that are present in the allow list, IOW strict auth checking has no
+ *   implication when using SSL names
+*/
+
+ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+ {
+         auth_result_t  result  = AUTH_DONT_CARE;
+@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+         char            *tmp            = NULL;
+         char            *username_cpy   = NULL;
+         gf_boolean_t    using_ssl       = _gf_false;
+        gf_boolean_t    strict_auth     = _gf_false;
+ 
+         username_data = dict_get (input_params, "ssl-name");
+         if (username_data) {
+@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+                 using_ssl = _gf_true;
+         }
+         else {
+                ret = dict_get_str_boolean (config_params, "strict-auth-accept",
+                                            _gf_false);
+                if (ret == -1)
+                        strict_auth = _gf_false;
+                else
+                        strict_auth = ret;
+
+                 username_data = dict_get (input_params, "username");
+                 if (!username_data) {
+-                        gf_log ("auth/login", GF_LOG_DEBUG,
+-                                "username not found, returning DONT-CARE");
+                        if (strict_auth) {
+                                gf_log ("auth/login", GF_LOG_DEBUG,
+                                        "username not found, strict auth"
+                                        " configured returning REJECT");
+                                result = AUTH_REJECT;
+                        } else {
+                                gf_log ("auth/login", GF_LOG_DEBUG,
+                                        "username not found, returning"
+                                        " DONT-CARE");
+                        }
+                         goto out;
+                 }
+                 password_data = dict_get (input_params, "password");
+                 if (!password_data) {
+-                        gf_log ("auth/login", GF_LOG_WARNING,
+-                                "password not found, returning DONT-CARE");
+                        if (strict_auth) {
+                                gf_log ("auth/login", GF_LOG_DEBUG,
+                                        "password not found, strict auth"
+                                        " configured returning REJECT");
+                                result = AUTH_REJECT;
+                        } else {
+                                gf_log ("auth/login", GF_LOG_WARNING,
+                                        "password not found, returning"
+                                        " DONT-CARE");
+                        }
+                         goto out;
+                 }
+                 password = data_to_str (password_data);
+@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+         ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
+                            using_ssl ? "ssl-allow" : "allow");
+         if (-1 == ret) {
+-                gf_log ("auth/login", GF_LOG_WARNING,
+                gf_log ("auth/login", GF_LOG_ERROR,
+                         "asprintf failed while setting search string, "
+-                        "returning DONT-CARE");
+                        "returning REJECT");
+                result = AUTH_REJECT;
+                 goto out;
+         }
+ 
+@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+                  * ssl-allow=* case as well) authorization is effectively
+                  * disabled, though authentication and encryption are still
+                  * active.
+                 *
+                 * Read NOTE on strict_auth above.
+                  */
+-                if (using_ssl) {
+                if (using_ssl || strict_auth) {
+                         result = AUTH_REJECT;
+                 }
+                 username_cpy = gf_strdup (allow_user->data);
+diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
+index 3f80231..5f92183 100644
+--- a/xlators/protocol/server/src/authenticate.h
+++ b/xlators/protocol/server/src/authenticate.h
+@@ -37,10 +37,8 @@ typedef struct {
+         volume_opt_list_t *vol_opt;
+ } auth_handle_t;
+ 
+-auth_result_t gf_authenticate (dict_t *input_params,
+-                               dict_t *config_params,
+-                               dict_t *auth_modules);
+ int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
+ void gf_auth_fini (dict_t *auth_modules);
+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
+ 
+ #endif /* _AUTHENTICATE_H */
+diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
+index f00804a..392a101 100644
+--- a/xlators/protocol/server/src/server-handshake.c
+++ b/xlators/protocol/server/src/server-handshake.c
+@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req)
+                         ret = dict_get_str (params, "volfile-key",
+                                             &volfile_key);
+                         if (ret)
+-                                gf_msg_debug (this->name, 0, "failed to set "
+                                gf_msg_debug (this->name, 0, "failed to get "
+                                               "'volfile-key'");
+ 
+                         ret = _validate_volfile_checksum (this, volfile_key,
+diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
+index 202fe71..61c6194 100644
+--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
+@@ -883,6 +883,10 @@ do_rpc:
+                 goto out;
+         }
+ 
+        GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
+                          options, bool, out);
+
+
+         GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
+                         bool, out);
+ 
+@@ -1113,6 +1117,14 @@ init (xlator_t *this)
+                         "Failed to initialize group cache.");
+                 goto out;
+         }
+
+        ret = dict_get_str_boolean (this->options, "strict-auth-accept",
+                                    _gf_false);
+        if (ret == -1)
+                conf->strict_auth_enabled = _gf_false;
+        else
+                conf->strict_auth_enabled = ret;
+
+         ret = dict_get_str_boolean (this->options, "dynamic-auth",
+                         _gf_true);
+         if (ret == -1)
+@@ -1667,5 +1679,11 @@ struct volume_options options[] = {
+                            "transport connection immediately in response to "
+                            "*.allow | *.reject volume set options."
+         },
+        { .key   = {"strict-auth-accept"},
+          .type  = GF_OPTION_TYPE_BOOL,
+          .default_value = "off",
+          .description   = "strict-auth-accept reject connection with out"
+                           "a valid username and password."
+        },
+         { .key   = {NULL} },
+ };
+diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
+index 0b37eb1..7eea291 100644
+--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
+@@ -24,6 +24,7 @@
+ #include "client_t.h"
+ #include "gidcache.h"
+ #include "defaults.h"
+#include "authenticate.h"
+ 
+ #define DEFAULT_BLOCK_SIZE         4194304   /* 4MB */
+ #define DEFAULT_VOLUME_FILE_PATH   CONFDIR "/glusterfs.vol"
+@@ -105,6 +106,7 @@ struct server_conf {
+                                            * false, when child is down */
+ 
+         gf_lock_t               itable_lock;
+        gf_boolean_t            strict_auth_enabled;
+ };
+ typedef struct server_conf server_conf_t;
+ 
+-- 
+2.7.4
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
index 02c8a6a..8bf5653 100644
--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \
            file://libglusterfs-Don-t-link-against-libfl.patch \
            file://glusterd-change-port-range.patch \
            file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
+            file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
+            file://0002-server-auth-add-option-for-strict-authentication.patch \
           "
 LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
author	Chen Qi <Qi.Chen@windriver.com>	2018-09-13 18:15:36 +0800
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2018-09-18 03:07:53 -0400
commit	bf98d2e27d31804f559bfc9f7cb0582f3c258ac6 (patch)
tree	a09b237b22160c3cf18c40713e8cb9e40f693cbb
parent	69882568e8ac28e0dd53c63d571ca282c18df2d8 (diff)
download	meta-cloud-services-bf98d2e27d31804f559bfc9f7cb0582f3c258ac6.tar.gz

diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch new file mode 100644 index 0000000..0e24c56 --- /dev/null +++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
@@ -0,0 +1,70 @@
		1	From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001
		2	From: Mohammed Rafi KC <rkavunga@redhat.com>
		3	Date: Mon, 26 Mar 2018 20:27:34 +0530
		4	Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from
		5	non-trusted client
		6
		7	gluster shared storage is a volume used for internal storage for
		8	various features including ganesha, geo-rep, snapshot.
		9
		10	So this volume should not be exposed to the client, as it is
		11	a special volume for internal use.
		12
		13	This fix wont't generate non trusted volfile for shared storage volume.
		14
		15	Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
		16	fixes: bz#1568844
		17	BUG: 1568844
		18	Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
		19
		20	Upstream-Status: Backport
		21	Fix CVE-2018-1088
		22
		23	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		24
		25	---
		26	xlators/mgmt/glusterd/src/glusterd-volgen.c \| 21 +++++++++++++++++++++
		27	1 file changed, 21 insertions(+)
		28
		29	diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
		30	index 0a0668e..308c41f 100644
		31	--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
		32	+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
		33	@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
		34	int i = 0;
		35	int ret = -1;
		36	char filepath[PATH_MAX] = {0,};
		37	+ char *volname = NULL;
		38	char *types[] = {NULL, NULL, NULL};
		39	dict_t *dict = NULL;
		40	xlator_t *this = NULL;
		41	@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
		42
		43	this = THIS;
		44
		45	+ volname = volinfo->is_snap_volume ?
		46	+ volinfo->parent_volname : volinfo->volname;
		47	+
		48	+
		49	+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
		50	+ client_type != GF_CLIENT_TRUSTED) {
		51	+ /*
		52	+ * shared storage volume cannot be mounted from non trusted
		53	+ * nodes. So we are not creating volfiles for non-trusted
		54	+ * clients for shared volumes as well as snapshot of shared
		55	+ * volumes.
		56	+ */
		57	+
		58	+ ret = 0;
		59	+ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile"
		60	+ "creation for shared storage volume. Volume %s",
		61	+ volname);
		62	+ goto out;
		63	+ }
		64	+
		65	enumerate_transport_reqs (volinfo->transport_type, types);
		66	dict = dict_new ();
		67	if (!dict)
		68	--
		69	2.7.4
		70


diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch new file mode 100644 index 0000000..8947f27 --- /dev/null +++ b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
@@ -0,0 +1,280 @@
		1	From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001
		2	From: Mohammed Rafi KC <rkavunga@redhat.com>
		3	Date: Mon, 2 Apr 2018 12:20:47 +0530
		4	Subject: [PATCH 2/3] server/auth: add option for strict authentication
		5
		6	When this option is enabled, we will check for a matching
		7	username and password, if not found then the connection will
		8	be rejected. This also does a checksum validation of volfile
		9
		10	The option is invalid when SSL/TLS is in use, at which point
		11	the SSL/TLS certificate user name is used to validate and
		12	hence authorize the right user. This expects TLS allow rules
		13	to be setup correctly rather than the default *.
		14
		15	This option is not settable, as a result this cannot be enabled
		16	for volumes using the CLI. This is used with the shared storage
		17	volume, to restrict access to the same in non-SSL/TLS environments
		18	to the gluster peers only.
		19
		20	Tested:
		21	./tests/bugs/protocol/bug-1321578.t
		22	./tests/features/ssl-authz.t
		23	- Ran tests on volumes with and without strict auth
		24	checking (as brick vol file needed to be edited to test,
		25	or rather to enable the option)
		26	- Ran tests on volumes to ensure existing mounts are
		27	disconnected when we enable strict checking
		28
		29	Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
		30	fixes: bz#1568844
		31	Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
		32	Signed-off-by: ShyamsundarR <srangana@redhat.com>
		33
		34	Upstream-Status: Backport
		35	Fix CVE-2018-1088
		36
		37	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		38
		39	---
		40	xlators/mgmt/glusterd/src/glusterd-volgen.c \| 16 +++++++-
		41	xlators/protocol/auth/login/src/login.c \| 51 ++++++++++++++++++++++----
		42	xlators/protocol/server/src/authenticate.h \| 4 +-
		43	xlators/protocol/server/src/server-handshake.c \| 2 +-
		44	xlators/protocol/server/src/server.c \| 18 +++++++++
		45	xlators/protocol/server/src/server.h \| 2 +
		46	6 files changed, 81 insertions(+), 12 deletions(-)
		47
		48	diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
		49	index 308c41f..8dd4907 100644
		50	--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
		51	+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
		52	@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t graph, glusterd_volinfo_t volinfo,
		53	char *password = NULL;
		54	char key[1024] = {0};
		55	char *ssl_user = NULL;
		56	+ char *volname = NULL;
		57	char *address_family_data = NULL;
		58
		59	if (!graph \|\| !volinfo \|\| !set_dict \|\| !brickinfo)
		60	@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t graph, glusterd_volinfo_t volinfo,
		61	if (ret)
		62	return -1;
		63
		64	+ volname = volinfo->is_snap_volume ?
		65	+ volinfo->parent_volname : volinfo->volname;
		66	+
		67	+
		68	+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
		69	+ memset (key, 0, sizeof (key));
		70	+ snprintf (key, sizeof (key), "strict-auth-accept");
		71	+
		72	+ ret = xlator_set_option (xl, key, "true");
		73	+ if (ret)
		74	+ return -1;
		75	+ }
		76	+
		77	if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
		78	memset (key, 0, sizeof (key));
		79	snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
		80	@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
		81
		82
		83	if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
		84	- client_type != GF_CLIENT_TRUSTED) {
		85	+ client_type != GF_CLIENT_TRUSTED) {
		86	/*
		87	* shared storage volume cannot be mounted from non trusted
		88	* nodes. So we are not creating volfiles for non-trusted
		89	diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
		90	index e799dd2..da10d0b 100644
		91	--- a/xlators/protocol/auth/login/src/login.c
		92	+++ b/xlators/protocol/auth/login/src/login.c
		93	@@ -11,6 +11,16 @@
		94	#include <fnmatch.h>
		95	#include "authenticate.h"
		96
		97	+/* Note on strict_auth
		98	+ * - Strict auth kicks in when authentication is using the username, password
		99	+ * in the volfile to login
		100	+ * - If enabled, auth is rejected if the username and password is not matched
		101	+ * or is not present
		102	+ * - When using SSL names, this is automatically strict, and allows only those
		103	+ * names that are present in the allow list, IOW strict auth checking has no
		104	+ * implication when using SSL names
		105	+*/
		106	+
		107	auth_result_t gf_auth (dict_t input_params, dict_t config_params)
		108	{
		109	auth_result_t result = AUTH_DONT_CARE;
		110	@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
		111	char *tmp = NULL;
		112	char *username_cpy = NULL;
		113	gf_boolean_t using_ssl = _gf_false;
		114	+ gf_boolean_t strict_auth = _gf_false;
		115
		116	username_data = dict_get (input_params, "ssl-name");
		117	if (username_data) {
		118	@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
		119	using_ssl = _gf_true;
		120	}
		121	else {
		122	+ ret = dict_get_str_boolean (config_params, "strict-auth-accept",
		123	+ _gf_false);
		124	+ if (ret == -1)
		125	+ strict_auth = _gf_false;
		126	+ else
		127	+ strict_auth = ret;
		128	+
		129	username_data = dict_get (input_params, "username");
		130	if (!username_data) {
		131	- gf_log ("auth/login", GF_LOG_DEBUG,
		132	- "username not found, returning DONT-CARE");
		133	+ if (strict_auth) {
		134	+ gf_log ("auth/login", GF_LOG_DEBUG,
		135	+ "username not found, strict auth"
		136	+ " configured returning REJECT");
		137	+ result = AUTH_REJECT;
		138	+ } else {
		139	+ gf_log ("auth/login", GF_LOG_DEBUG,
		140	+ "username not found, returning"
		141	+ " DONT-CARE");
		142	+ }
		143	goto out;
		144	}
		145	password_data = dict_get (input_params, "password");
		146	if (!password_data) {
		147	- gf_log ("auth/login", GF_LOG_WARNING,
		148	- "password not found, returning DONT-CARE");
		149	+ if (strict_auth) {
		150	+ gf_log ("auth/login", GF_LOG_DEBUG,
		151	+ "password not found, strict auth"
		152	+ " configured returning REJECT");
		153	+ result = AUTH_REJECT;
		154	+ } else {
		155	+ gf_log ("auth/login", GF_LOG_WARNING,
		156	+ "password not found, returning"
		157	+ " DONT-CARE");
		158	+ }
		159	goto out;
		160	}
		161	password = data_to_str (password_data);
		162	@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
		163	ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
		164	using_ssl ? "ssl-allow" : "allow");
		165	if (-1 == ret) {
		166	- gf_log ("auth/login", GF_LOG_WARNING,
		167	+ gf_log ("auth/login", GF_LOG_ERROR,
		168	"asprintf failed while setting search string, "
		169	- "returning DONT-CARE");
		170	+ "returning REJECT");
		171	+ result = AUTH_REJECT;
		172	goto out;
		173	}
		174
		175	@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
		176	* ssl-allow=* case as well) authorization is effectively
		177	* disabled, though authentication and encryption are still
		178	* active.
		179	+ *
		180	+ * Read NOTE on strict_auth above.
		181	*/
		182	- if (using_ssl) {
		183	+ if (using_ssl \|\| strict_auth) {
		184	result = AUTH_REJECT;
		185	}
		186	username_cpy = gf_strdup (allow_user->data);
		187	diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
		188	index 3f80231..5f92183 100644
		189	--- a/xlators/protocol/server/src/authenticate.h
		190	+++ b/xlators/protocol/server/src/authenticate.h
		191	@@ -37,10 +37,8 @@ typedef struct {
		192	volume_opt_list_t *vol_opt;
		193	} auth_handle_t;
		194
		195	-auth_result_t gf_authenticate (dict_t *input_params,
		196	- dict_t *config_params,
		197	- dict_t *auth_modules);
		198	int32_t gf_auth_init (xlator_t xl, dict_t auth_modules);
		199	void gf_auth_fini (dict_t *auth_modules);
		200	+auth_result_t gf_authenticate (dict_t , dict_t , dict_t *);
		201
		202	#endif /* _AUTHENTICATE_H */
		203	diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
		204	index f00804a..392a101 100644
		205	--- a/xlators/protocol/server/src/server-handshake.c
		206	+++ b/xlators/protocol/server/src/server-handshake.c
		207	@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req)
		208	ret = dict_get_str (params, "volfile-key",
		209	&volfile_key);
		210	if (ret)
		211	- gf_msg_debug (this->name, 0, "failed to set "
		212	+ gf_msg_debug (this->name, 0, "failed to get "
		213	"'volfile-key'");
		214
		215	ret = _validate_volfile_checksum (this, volfile_key,
		216	diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
		217	index 202fe71..61c6194 100644
		218	--- a/xlators/protocol/server/src/server.c
		219	+++ b/xlators/protocol/server/src/server.c
		220	@@ -883,6 +883,10 @@ do_rpc:
		221	goto out;
		222	}
		223
		224	+ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
		225	+ options, bool, out);
		226	+
		227	+
		228	GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
		229	bool, out);
		230
		231	@@ -1113,6 +1117,14 @@ init (xlator_t *this)
		232	"Failed to initialize group cache.");
		233	goto out;
		234	}
		235	+
		236	+ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
		237	+ _gf_false);
		238	+ if (ret == -1)
		239	+ conf->strict_auth_enabled = _gf_false;
		240	+ else
		241	+ conf->strict_auth_enabled = ret;
		242	+
		243	ret = dict_get_str_boolean (this->options, "dynamic-auth",
		244	_gf_true);
		245	if (ret == -1)
		246	@@ -1667,5 +1679,11 @@ struct volume_options options[] = {
		247	"transport connection immediately in response to "
		248	".allow \| .reject volume set options."
		249	},
		250	+ { .key = {"strict-auth-accept"},
		251	+ .type = GF_OPTION_TYPE_BOOL,
		252	+ .default_value = "off",
		253	+ .description = "strict-auth-accept reject connection with out"
		254	+ "a valid username and password."
		255	+ },
		256	{ .key = {NULL} },
		257	};
		258	diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
		259	index 0b37eb1..7eea291 100644
		260	--- a/xlators/protocol/server/src/server.h
		261	+++ b/xlators/protocol/server/src/server.h
		262	@@ -24,6 +24,7 @@
		263	#include "client_t.h"
		264	#include "gidcache.h"
		265	#include "defaults.h"
		266	+#include "authenticate.h"
		267
		268	#define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
		269	#define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
		270	@@ -105,6 +106,7 @@ struct server_conf {
		271	* false, when child is down */
		272
		273	gf_lock_t itable_lock;
		274	+ gf_boolean_t strict_auth_enabled;
		275	};
		276	typedef struct server_conf server_conf_t;
		277
		278	--
		279	2.7.4
		280


diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc index 02c8a6a..8bf5653 100644 --- a/recipes-extended/glusterfs/glusterfs.inc +++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \
20	file://libglusterfs-Don-t-link-against-libfl.patch \	20	file://libglusterfs-Don-t-link-against-libfl.patch \
21	file://glusterd-change-port-range.patch \	21	file://glusterd-change-port-range.patch \
22	file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \	22	file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
		23	file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
		24	file://0002-server-auth-add-option-for-strict-authentication.patch \
23	"	25	"
24		26
25	LICENSE = "(LGPLv3+ \| GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"	27	LICENSE = "(LGPLv3+ \| GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"