1 files changed, 0 insertions, 280 deletions
diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
deleted file mode 100644
index 8947f27..0000000
--- a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001
-From: Mohammed Rafi KC <rkavunga@redhat.com>
-Date: Mon, 2 Apr 2018 12:20:47 +0530
-Subject: [PATCH 2/3] server/auth: add option for strict authentication
-When this option is enabled, we will check for a matching
-username and password, if not found then the connection will
-be rejected. This also does a checksum validation of volfile
-The option is invalid when SSL/TLS is in use, at which point
-the SSL/TLS certificate user name is used to validate and
-hence authorize the right user. This expects TLS allow rules
-to be setup correctly rather than the default *.
-This option is not settable, as a result this cannot be enabled
-for volumes using the CLI. This is used with the shared storage
-volume, to restrict access to the same in non-SSL/TLS environments
-to the gluster peers only.
-Tested:
-  ./tests/bugs/protocol/bug-1321578.t
-  ./tests/features/ssl-authz.t
-  - Ran tests on volumes with and without strict auth
-    checking (as brick vol file needed to be edited to test,
-    or rather to enable the option)
-  - Ran tests on volumes to ensure existing mounts are
-    disconnected when we enable strict checking
-Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
-fixes: bz#1568844
-Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
-Signed-off-by: ShyamsundarR <srangana@redhat.com>
-Upstream-Status: Backport
-Fix CVE-2018-1088
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
- xlators/mgmt/glusterd/src/glusterd-volgen.c    | 16 +++++++-
- xlators/protocol/auth/login/src/login.c        | 51 ++++++++++++++++++++++----
- xlators/protocol/server/src/authenticate.h     |  4 +-
- xlators/protocol/server/src/server-handshake.c |  2 +-
- xlators/protocol/server/src/server.c           | 18 +++++++++
- xlators/protocol/server/src/server.h           |  2 +
- 6 files changed, 81 insertions(+), 12 deletions(-)
-diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
-index 308c41f..8dd4907 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
-+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
-@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
-         char            *password = NULL;
-         char            key[1024] = {0};
-         char            *ssl_user = NULL;
-+        char            *volname = NULL;
-         char            *address_family_data = NULL;
- 
-         if (!graph || !volinfo || !set_dict || !brickinfo)
-@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
-         if (ret)
-                 return -1;
- 
-+        volname = volinfo->is_snap_volume ?
-+                  volinfo->parent_volname : volinfo->volname;
-+
-+
-+        if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
-+                memset (key, 0, sizeof (key));
-+                snprintf (key, sizeof (key), "strict-auth-accept");
-+
-+                ret = xlator_set_option (xl, key, "true");
-+                if (ret)
-+                        return -1;
-+        }
-+
-         if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
-                 memset (key, 0, sizeof (key));
-                 snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
-@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
- 
- 
-         if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
-             client_type != GF_CLIENT_TRUSTED) {
-+            client_type != GF_CLIENT_TRUSTED) {
-                 /*
-                  * shared storage volume cannot be mounted from non trusted
-                  * nodes. So we are not creating volfiles for non-trusted
-diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
-index e799dd2..da10d0b 100644
--- a/xlators/protocol/auth/login/src/login.c
-+++ b/xlators/protocol/auth/login/src/login.c
-@@ -11,6 +11,16 @@
- #include <fnmatch.h>
- #include "authenticate.h"
- 
-+/* Note on strict_auth
-+ * - Strict auth kicks in when authentication is using the username, password
-+ *   in the volfile to login
-+ * - If enabled, auth is rejected if the username and password is not matched
-+ *   or is not present
-+ * - When using SSL names, this is automatically strict, and allows only those
-+ *   names that are present in the allow list, IOW strict auth checking has no
-+ *   implication when using SSL names
-+*/
-+
- auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
- {
-         auth_result_t  result  = AUTH_DONT_CARE;
-@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
-         char            *tmp            = NULL;
-         char            *username_cpy   = NULL;
-         gf_boolean_t    using_ssl       = _gf_false;
-+        gf_boolean_t    strict_auth     = _gf_false;
- 
-         username_data = dict_get (input_params, "ssl-name");
-         if (username_data) {
-@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
-                 using_ssl = _gf_true;
-         }
-         else {
-+                ret = dict_get_str_boolean (config_params, "strict-auth-accept",
-+                                            _gf_false);
-+                if (ret == -1)
-+                        strict_auth = _gf_false;
-+                else
-+                        strict_auth = ret;
-+
-                 username_data = dict_get (input_params, "username");
-                 if (!username_data) {
-                        gf_log ("auth/login", GF_LOG_DEBUG,
-                                "username not found, returning DONT-CARE");
-+                        if (strict_auth) {
-+                                gf_log ("auth/login", GF_LOG_DEBUG,
-+                                        "username not found, strict auth"
-+                                        " configured returning REJECT");
-+                                result = AUTH_REJECT;
-+                        } else {
-+                                gf_log ("auth/login", GF_LOG_DEBUG,
-+                                        "username not found, returning"
-+                                        " DONT-CARE");
-+                        }
-                         goto out;
-                 }
-                 password_data = dict_get (input_params, "password");
-                 if (!password_data) {
-                        gf_log ("auth/login", GF_LOG_WARNING,
-                                "password not found, returning DONT-CARE");
-+                        if (strict_auth) {
-+                                gf_log ("auth/login", GF_LOG_DEBUG,
-+                                        "password not found, strict auth"
-+                                        " configured returning REJECT");
-+                                result = AUTH_REJECT;
-+                        } else {
-+                                gf_log ("auth/login", GF_LOG_WARNING,
-+                                        "password not found, returning"
-+                                        " DONT-CARE");
-+                        }
-                         goto out;
-                 }
-                 password = data_to_str (password_data);
-@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
-         ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
-                            using_ssl ? "ssl-allow" : "allow");
-         if (-1 == ret) {
-                gf_log ("auth/login", GF_LOG_WARNING,
-+                gf_log ("auth/login", GF_LOG_ERROR,
-                         "asprintf failed while setting search string, "
-                        "returning DONT-CARE");
-+                        "returning REJECT");
-+                result = AUTH_REJECT;
-                 goto out;
-         }
- 
-@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
-                  * ssl-allow=* case as well) authorization is effectively
-                  * disabled, though authentication and encryption are still
-                  * active.
-+                 *
-+                 * Read NOTE on strict_auth above.
-                  */
-                if (using_ssl) {
-+                if (using_ssl || strict_auth) {
-                         result = AUTH_REJECT;
-                 }
-                 username_cpy = gf_strdup (allow_user->data);
-diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
-index 3f80231..5f92183 100644
--- a/xlators/protocol/server/src/authenticate.h
-+++ b/xlators/protocol/server/src/authenticate.h
-@@ -37,10 +37,8 @@ typedef struct {
-         volume_opt_list_t *vol_opt;
- } auth_handle_t;
- 
-auth_result_t gf_authenticate (dict_t *input_params,
-                               dict_t *config_params,
-                               dict_t *auth_modules);
- int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
- void gf_auth_fini (dict_t *auth_modules);
-+auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
- 
- #endif /* _AUTHENTICATE_H */
-diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
-index f00804a..392a101 100644
--- a/xlators/protocol/server/src/server-handshake.c
-+++ b/xlators/protocol/server/src/server-handshake.c
-@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req)
-                         ret = dict_get_str (params, "volfile-key",
-                                             &volfile_key);
-                         if (ret)
-                                gf_msg_debug (this->name, 0, "failed to set "
-+                                gf_msg_debug (this->name, 0, "failed to get "
-                                               "'volfile-key'");
- 
-                         ret = _validate_volfile_checksum (this, volfile_key,
-diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
-index 202fe71..61c6194 100644
--- a/xlators/protocol/server/src/server.c
-+++ b/xlators/protocol/server/src/server.c
-@@ -883,6 +883,10 @@ do_rpc:
-                 goto out;
-         }
- 
-+        GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
-+                          options, bool, out);
-+
-+
-         GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
-                         bool, out);
- 
-@@ -1113,6 +1117,14 @@ init (xlator_t *this)
-                         "Failed to initialize group cache.");
-                 goto out;
-         }
-+
-+        ret = dict_get_str_boolean (this->options, "strict-auth-accept",
-+                                    _gf_false);
-+        if (ret == -1)
-+                conf->strict_auth_enabled = _gf_false;
-+        else
-+                conf->strict_auth_enabled = ret;
-+
-         ret = dict_get_str_boolean (this->options, "dynamic-auth",
-                         _gf_true);
-         if (ret == -1)
-@@ -1667,5 +1679,11 @@ struct volume_options options[] = {
-                            "transport connection immediately in response to "
-                            "*.allow | *.reject volume set options."
-         },
-+        { .key   = {"strict-auth-accept"},
-+          .type  = GF_OPTION_TYPE_BOOL,
-+          .default_value = "off",
-+          .description   = "strict-auth-accept reject connection with out"
-+                           "a valid username and password."
-+        },
-         { .key   = {NULL} },
- };
-diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
-index 0b37eb1..7eea291 100644
--- a/xlators/protocol/server/src/server.h
-+++ b/xlators/protocol/server/src/server.h
-@@ -24,6 +24,7 @@
- #include "client_t.h"
- #include "gidcache.h"
- #include "defaults.h"
-+#include "authenticate.h"
- 
- #define DEFAULT_BLOCK_SIZE         4194304   /* 4MB */
- #define DEFAULT_VOLUME_FILE_PATH   CONFDIR "/glusterfs.vol"
-@@ -105,6 +106,7 @@ struct server_conf {
-                                            * false, when child is down */
- 
-         gf_lock_t               itable_lock;
-+        gf_boolean_t            strict_auth_enabled;
- };
- typedef struct server_conf server_conf_t;
- 
-- 
-2.7.4

diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch deleted file mode 100644 index 8947f27..0000000 --- a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch +++ /dev/null
@@ -1,280 +0,0 @@
1	From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001
2	From: Mohammed Rafi KC <rkavunga@redhat.com>
3	Date: Mon, 2 Apr 2018 12:20:47 +0530
4	Subject: [PATCH 2/3] server/auth: add option for strict authentication
5
6	When this option is enabled, we will check for a matching
7	username and password, if not found then the connection will
8	be rejected. This also does a checksum validation of volfile
9
10	The option is invalid when SSL/TLS is in use, at which point
11	the SSL/TLS certificate user name is used to validate and
12	hence authorize the right user. This expects TLS allow rules
13	to be setup correctly rather than the default *.
14
15	This option is not settable, as a result this cannot be enabled
16	for volumes using the CLI. This is used with the shared storage
17	volume, to restrict access to the same in non-SSL/TLS environments
18	to the gluster peers only.
19
20	Tested:
21	./tests/bugs/protocol/bug-1321578.t
22	./tests/features/ssl-authz.t
23	- Ran tests on volumes with and without strict auth
24	checking (as brick vol file needed to be edited to test,
25	or rather to enable the option)
26	- Ran tests on volumes to ensure existing mounts are
27	disconnected when we enable strict checking
28
29	Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
30	fixes: bz#1568844
31	Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
32	Signed-off-by: ShyamsundarR <srangana@redhat.com>
33
34	Upstream-Status: Backport
35	Fix CVE-2018-1088
36
37	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
38
39	---
40	xlators/mgmt/glusterd/src/glusterd-volgen.c \| 16 +++++++-
41	xlators/protocol/auth/login/src/login.c \| 51 ++++++++++++++++++++++----
42	xlators/protocol/server/src/authenticate.h \| 4 +-
43	xlators/protocol/server/src/server-handshake.c \| 2 +-
44	xlators/protocol/server/src/server.c \| 18 +++++++++
45	xlators/protocol/server/src/server.h \| 2 +
46	6 files changed, 81 insertions(+), 12 deletions(-)
47
48	diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
49	index 308c41f..8dd4907 100644
50	--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
51	+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
52	@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t graph, glusterd_volinfo_t volinfo,
53	char *password = NULL;
54	char key[1024] = {0};
55	char *ssl_user = NULL;
56	+ char *volname = NULL;
57	char *address_family_data = NULL;
58
59	if (!graph \|\| !volinfo \|\| !set_dict \|\| !brickinfo)
60	@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t graph, glusterd_volinfo_t volinfo,
61	if (ret)
62	return -1;
63
64	+ volname = volinfo->is_snap_volume ?
65	+ volinfo->parent_volname : volinfo->volname;
66	+
67	+
68	+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
69	+ memset (key, 0, sizeof (key));
70	+ snprintf (key, sizeof (key), "strict-auth-accept");
71	+
72	+ ret = xlator_set_option (xl, key, "true");
73	+ if (ret)
74	+ return -1;
75	+ }
76	+
77	if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
78	memset (key, 0, sizeof (key));
79	snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
80	@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
81
82
83	if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
84	- client_type != GF_CLIENT_TRUSTED) {
85	+ client_type != GF_CLIENT_TRUSTED) {
86	/*
87	* shared storage volume cannot be mounted from non trusted
88	* nodes. So we are not creating volfiles for non-trusted
89	diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
90	index e799dd2..da10d0b 100644
91	--- a/xlators/protocol/auth/login/src/login.c
92	+++ b/xlators/protocol/auth/login/src/login.c
93	@@ -11,6 +11,16 @@
94	#include <fnmatch.h>
95	#include "authenticate.h"
96
97	+/* Note on strict_auth
98	+ * - Strict auth kicks in when authentication is using the username, password
99	+ * in the volfile to login
100	+ * - If enabled, auth is rejected if the username and password is not matched
101	+ * or is not present
102	+ * - When using SSL names, this is automatically strict, and allows only those
103	+ * names that are present in the allow list, IOW strict auth checking has no
104	+ * implication when using SSL names
105	+*/
106	+
107	auth_result_t gf_auth (dict_t input_params, dict_t config_params)
108	{
109	auth_result_t result = AUTH_DONT_CARE;
110	@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
111	char *tmp = NULL;
112	char *username_cpy = NULL;
113	gf_boolean_t using_ssl = _gf_false;
114	+ gf_boolean_t strict_auth = _gf_false;
115
116	username_data = dict_get (input_params, "ssl-name");
117	if (username_data) {
118	@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
119	using_ssl = _gf_true;
120	}
121	else {
122	+ ret = dict_get_str_boolean (config_params, "strict-auth-accept",
123	+ _gf_false);
124	+ if (ret == -1)
125	+ strict_auth = _gf_false;
126	+ else
127	+ strict_auth = ret;
128	+
129	username_data = dict_get (input_params, "username");
130	if (!username_data) {
131	- gf_log ("auth/login", GF_LOG_DEBUG,
132	- "username not found, returning DONT-CARE");
133	+ if (strict_auth) {
134	+ gf_log ("auth/login", GF_LOG_DEBUG,
135	+ "username not found, strict auth"
136	+ " configured returning REJECT");
137	+ result = AUTH_REJECT;
138	+ } else {
139	+ gf_log ("auth/login", GF_LOG_DEBUG,
140	+ "username not found, returning"
141	+ " DONT-CARE");
142	+ }
143	goto out;
144	}
145	password_data = dict_get (input_params, "password");
146	if (!password_data) {
147	- gf_log ("auth/login", GF_LOG_WARNING,
148	- "password not found, returning DONT-CARE");
149	+ if (strict_auth) {
150	+ gf_log ("auth/login", GF_LOG_DEBUG,
151	+ "password not found, strict auth"
152	+ " configured returning REJECT");
153	+ result = AUTH_REJECT;
154	+ } else {
155	+ gf_log ("auth/login", GF_LOG_WARNING,
156	+ "password not found, returning"
157	+ " DONT-CARE");
158	+ }
159	goto out;
160	}
161	password = data_to_str (password_data);
162	@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
163	ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
164	using_ssl ? "ssl-allow" : "allow");
165	if (-1 == ret) {
166	- gf_log ("auth/login", GF_LOG_WARNING,
167	+ gf_log ("auth/login", GF_LOG_ERROR,
168	"asprintf failed while setting search string, "
169	- "returning DONT-CARE");
170	+ "returning REJECT");
171	+ result = AUTH_REJECT;
172	goto out;
173	}
174
175	@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t input_params, dict_t config_params)
176	* ssl-allow=* case as well) authorization is effectively
177	* disabled, though authentication and encryption are still
178	* active.
179	+ *
180	+ * Read NOTE on strict_auth above.
181	*/
182	- if (using_ssl) {
183	+ if (using_ssl \|\| strict_auth) {
184	result = AUTH_REJECT;
185	}
186	username_cpy = gf_strdup (allow_user->data);
187	diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
188	index 3f80231..5f92183 100644
189	--- a/xlators/protocol/server/src/authenticate.h
190	+++ b/xlators/protocol/server/src/authenticate.h
191	@@ -37,10 +37,8 @@ typedef struct {
192	volume_opt_list_t *vol_opt;
193	} auth_handle_t;
194
195	-auth_result_t gf_authenticate (dict_t *input_params,
196	- dict_t *config_params,
197	- dict_t *auth_modules);
198	int32_t gf_auth_init (xlator_t xl, dict_t auth_modules);
199	void gf_auth_fini (dict_t *auth_modules);
200	+auth_result_t gf_authenticate (dict_t , dict_t , dict_t *);
201
202	#endif /* _AUTHENTICATE_H */
203	diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
204	index f00804a..392a101 100644
205	--- a/xlators/protocol/server/src/server-handshake.c
206	+++ b/xlators/protocol/server/src/server-handshake.c
207	@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req)
208	ret = dict_get_str (params, "volfile-key",
209	&volfile_key);
210	if (ret)
211	- gf_msg_debug (this->name, 0, "failed to set "
212	+ gf_msg_debug (this->name, 0, "failed to get "
213	"'volfile-key'");
214
215	ret = _validate_volfile_checksum (this, volfile_key,
216	diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
217	index 202fe71..61c6194 100644
218	--- a/xlators/protocol/server/src/server.c
219	+++ b/xlators/protocol/server/src/server.c
220	@@ -883,6 +883,10 @@ do_rpc:
221	goto out;
222	}
223
224	+ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
225	+ options, bool, out);
226	+
227	+
228	GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
229	bool, out);
230
231	@@ -1113,6 +1117,14 @@ init (xlator_t *this)
232	"Failed to initialize group cache.");
233	goto out;
234	}
235	+
236	+ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
237	+ _gf_false);
238	+ if (ret == -1)
239	+ conf->strict_auth_enabled = _gf_false;
240	+ else
241	+ conf->strict_auth_enabled = ret;
242	+
243	ret = dict_get_str_boolean (this->options, "dynamic-auth",
244	_gf_true);
245	if (ret == -1)
246	@@ -1667,5 +1679,11 @@ struct volume_options options[] = {
247	"transport connection immediately in response to "
248	".allow \| .reject volume set options."
249	},
250	+ { .key = {"strict-auth-accept"},
251	+ .type = GF_OPTION_TYPE_BOOL,
252	+ .default_value = "off",
253	+ .description = "strict-auth-accept reject connection with out"
254	+ "a valid username and password."
255	+ },
256	{ .key = {NULL} },
257	};
258	diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
259	index 0b37eb1..7eea291 100644
260	--- a/xlators/protocol/server/src/server.h
261	+++ b/xlators/protocol/server/src/server.h
262	@@ -24,6 +24,7 @@
263	#include "client_t.h"
264	#include "gidcache.h"
265	#include "defaults.h"
266	+#include "authenticate.h"
267
268	#define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
269	#define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
270	@@ -105,6 +106,7 @@ struct server_conf {
271	* false, when child is down */
272
273	gf_lock_t itable_lock;
274	+ gf_boolean_t strict_auth_enabled;
275	};
276	typedef struct server_conf server_conf_t;
277
278	--
279	2.7.4
280