rpc: By default set allow-insecure, bind-insecure to on

since we now use SSL (Secure Sockets Layer) for the security issues, the patch
changes the default setting to allow connections/requests from non-privilaged
ports by setting allow-insecure and bind-insecure to 1

Also added bind functionality for insecure binding which can select from
available local ports dynamically

BUG: 1232658
Change-Id: I927e112223f33611452093e38cd846a0b9347e57
Signed-off-by: Pranith Kumar K <pkarampu@redhat.com>
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Reviewed-on: http://review.gluster.org/11039
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
This commit is contained in:
Prasanna Kumar Kalever 2015-06-24 12:21:02 +05:30 committed by Raghavendra G
parent 64f36a04d0
commit 5bf6522562
4 changed files with 52 additions and 21 deletions

View File

@ -262,7 +262,8 @@ rpc_transport_load (glusterfs_ctx_t *ctx, dict_t *options, char *trans_name)
else
trans->bind_insecure = 0;
} else {
trans->bind_insecure = 0;
/* By default allow bind insecure */
trans->bind_insecure = 1;
}
ret = dict_get_str (options, "transport-type", &type);

View File

@ -221,9 +221,20 @@ rpcsvc_set_allow_insecure (rpcsvc_t *svc, dict_t *options)
else
svc->allow_insecure = 0;
}
} else {
/* By default set allow-insecure to true */
svc->allow_insecure = 1;
/* setting in options for the sake of functions that look
* configuration params for allow insecure, eg: gf_auth
*/
ret = dict_set_str (options, "rpc-auth-allow-insecure", "on");
if (ret < 0)
gf_log ("rpc-auth", GF_LOG_DEBUG,
"dict_set failed for 'allow-insecure'");
}
return 0;
return ret;
}
int

View File

@ -631,8 +631,10 @@ rpcsvc_handle_rpc_call (rpcsvc_t *svc, rpc_transport_t *trans,
gf_log (GF_RPCSVC, GF_LOG_ERROR,
"Request received from non-"
"privileged port. Failing request");
rpcsvc_request_destroy (req);
return -1;
req->rpc_status = MSG_DENIED;
req->rpc_err = AUTH_ERROR;
req->auth_err = RPCSVC_AUTH_REJECT;
goto err_reply;
}
/* DRC */

View File

@ -23,6 +23,21 @@
#include "socket.h"
#include "common-utils.h"
static void
_assign_port (struct sockaddr *sockaddr, uint16_t port)
{
switch (sockaddr->sa_family) {
case AF_INET6:
((struct sockaddr_in6 *)sockaddr)->sin6_port = htons (port);
break;
case AF_INET_SDP:
case AF_INET:
((struct sockaddr_in *)sockaddr)->sin_port = htons (port);
break;
}
}
static int32_t
af_inet_bind_to_port_lt_ceiling (int fd, struct sockaddr *sockaddr,
socklen_t sockaddr_len, int ceiling)
@ -41,17 +56,7 @@ af_inet_bind_to_port_lt_ceiling (int fd, struct sockaddr *sockaddr,
while (port)
{
switch (sockaddr->sa_family)
{
case AF_INET6:
((struct sockaddr_in6 *)sockaddr)->sin6_port = htons (port);
break;
case AF_INET_SDP:
case AF_INET:
((struct sockaddr_in *)sockaddr)->sin_port = htons (port);
break;
}
_assign_port (sockaddr, port);
// ignore the reserved ports
if (ports[port] == _gf_true) {
port--;
@ -440,12 +445,24 @@ client_bind (rpc_transport_t *this,
if (!this->bind_insecure) {
ret = af_inet_bind_to_port_lt_ceiling (sock, sockaddr,
*sockaddr_len, GF_CLIENT_PORT_CEILING);
}
if (ret == -1) {
gf_log (this->name, GF_LOG_DEBUG,
"cannot bind inet socket (%d) to port less than %d (%s)",
sock, GF_CLIENT_PORT_CEILING, strerror (errno));
ret = 0;
if (ret == -1) {
gf_log (this->name, GF_LOG_DEBUG,
"cannot bind inet socket (%d) to port less than %d (%s)",
sock, GF_CLIENT_PORT_CEILING, strerror (errno));
ret = 0;
}
} else {
/* A port number of zero will let the bind function to
* pick any available local port dynamically
*/
_assign_port (sockaddr, 0);
ret = bind (sock, sockaddr, *sockaddr_len);
if (ret == -1) {
gf_log (this->name, GF_LOG_DEBUG,
"failed while binding to available ports (%s)",
strerror (errno));
ret = 0;
}
}
break;