[Bugs] [Bug 1179208] New: Since 3.6; ssl without auth.ssl-allow broken

bugzilla at redhat.com
Tue Jan 6 12:43:12 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1179208

            Bug ID: 1179208
           Summary: Since 3.6; ssl without auth.ssl-allow broken
           Product: GlusterFS
           Version: 3.6.1
         Component: core
          Severity: high
          Assignee: bugs at gluster.org
          Reporter: bugzilla.redhat.com at spider007.net
                CC: bugs at gluster.org, gluster-bugs at redhat.com



Description of problem:

I upgraded to 3.6.1 recently, and all my clients broke. It turned out this was
caused by the "improved ssl support", which uses ssl-allow to determine if a
user is allowed to connect.

Previously any client with a valid certificate was allowed, but now
auth.ssl-allow '*' is required. Without it, all clients will log:

I [socket.c:379:ssl_setup_connection] 0-volume-client-0: peer CN = fs1.xxx
I [client-handshake.c:1415:select_server_supported_programs] 0-volume-client-0: Using Program GlusterFS 3.3, Num (1298437), Version (330)
W [client-handshake.c:1109:client_setvolume_cbk] 0-volume-client-0: failed to set the volume (Permission denied)
W [client-handshake.c:1135:client_setvolume_cbk] 0-volume-client-0: failed to get 'process-uuid' from reply dict
E [client-handshake.c:1141:client_setvolume_cbk] 0-volume-client-0: SETVOLUME on remote-host failed: Authentication failed
I [client-handshake.c:1227:client_setvolume_cbk] 0-volume-client-0: sending AUTH_FAILED event
E [fuse-bridge.c:5145:notify] 0-fuse: Server authenication failed. Shutting down.

This is fixed by adding auth.ssl-allow='*'. Additionally, it seems wildcards
aren't fully supported. I initially tried *.valid-domain.tld and gluster says:

E [server.c:416:_check_for_auth_option] 0-/export/volume: internet address '*.valid-domain.tld' does not conform to standards.
E [server.c:449:validate_auth_options] 0-volumes-server: volume '/export/volume' defined as subvolume, but no authentication defined for the same
E [xlator.c:425:xlator_init] 0-volume-server: Initialization of volume 'volume-server' failed, review your volfile again
E [graph.c:322:glusterfs_graph_init] 0-volume-server: initializing translator failed
E [graph.c:525:glusterfs_graph_activate] 0-graph: init failed
W [glusterfsd.c:1194:cleanup_and_exit] (--> 0-: received signum (0), shutting down

Issues:
* BUG:  ssl-allow should default to '*' like allow does
* FEAT: *.domain should work for ssl-allow
* FEAT: The "Permission denied" message should indicate which module threw
AUTH_REJECT
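
Added example, not part of the original report and not GlusterFS code: a small triage script for the client log shown above. It pairs each "peer CN" line with a later SETVOLUME "Authentication failed" on the same translator, which separates a rejected certificate from a rejected authorization check such as auth.ssl-allow. The function name is hypothetical, and the sample is constructed from the report's log lines.

```python
import re

# Constructed sample: client log lines from the report, wrapped lines rejoined.
SAMPLE_LOG = """\
I [socket.c:379:ssl_setup_connection] 0-volume-client-0: peer CN = fs1.xxx
I [client-handshake.c:1415:select_server_supported_programs] 0-volume-client-0: Using Program GlusterFS 3.3, Num (1298437), Version (330)
W [client-handshake.c:1109:client_setvolume_cbk] 0-volume-client-0: failed to set the volume (Permission denied)
E [client-handshake.c:1141:client_setvolume_cbk] 0-volume-client-0: SETVOLUME on remote-host failed: Authentication failed
E [fuse-bridge.c:5145:notify] 0-fuse: Server authenication failed. Shutting down.
"""

# Optional "[timestamp] " prefix, then: LEVEL [file:line:function] xlator: message
LINE_RE = re.compile(
    r"^(?:\[[^\]]+\]\s+)?(?P<level>[A-Z]) "
    r"\[(?P<file>[^:\]]+):(?P<line>\d+):(?P<func>[^\]]+)\] "
    r"(?P<xlator>\S+): (?P<msg>.*)$"
)

def find_ssl_auth_rejections(log_text):
    """Return one finding per SETVOLUME authentication failure in the log."""
    peer_cn = {}   # xlator -> CN of the peer certificate logged on this connection
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        xl, msg = m["xlator"], m["msg"]
        if m["func"] == "ssl_setup_connection" and msg.startswith("peer CN = "):
            peer_cn[xl] = msg[len("peer CN = "):]
        elif m["func"] == "client_setvolume_cbk" and "Authentication failed" in msg:
            findings.append({
                "xlator": xl,
                "tls_handshake_ok": xl in peer_cn,   # a peer CN line was seen first
                "server_cn": peer_cn.pop(xl, None),
            })
    return findings

if __name__ == "__main__":
    for f in find_ssl_auth_rejections(SAMPLE_LOG):
        if f["tls_handshake_ok"]:
            print(f"{f['xlator']}: TLS to {f['server_cn']} succeeded but SETVOLUME was "
                  "rejected; check auth.ssl-allow on the volume for this client's CN")
        else:
            print(f"{f['xlator']}: SETVOLUME rejected with no TLS handshake logged")
```
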
