Bug 1568844 - [snapshot-scheduler]Prevent access of shared storage volume from the outside client
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: snapshot
Version: mainline
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mohammed Rafi KC
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1568832 1568973
Reported: 2018-04-18 10:18 UTC by Mohammed Rafi KC
Modified: 2018-06-20 18:05 UTC (History)

Fixed In Version: glusterfs-v4.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-20 18:05:09 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:



Description Mohammed Rafi KC 2018-04-18 10:18:03 UTC
Description of problem:

The shared storage volume is used as the gluster metadata store. Since it holds gluster-related information, it shouldn't be accessible from outside gluster.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Enable shared storage: gluster volume set all enable-shared-storage enable
2. Try to mount the shared storage from a client machine which is not part of the trusted storage pool
3.

Actual results:

mount will succeed

Expected results:

mount should fail

Additional info:

Comment 1 Mohammed Rafi KC 2018-04-18 10:21:23 UTC
https://review.gluster.org/19898 shared storage: Prevent mounting shared storage from non-trusted client
https://review.gluster.org/19899 server/auth: add option for strict authentication

Comment 2 Worker Ant 2018-04-18 10:21:27 UTC
REVIEW: https://review.gluster.org/19898 (shared storage: Prevent mounting shared storage from non-trusted client) posted (#1) for review on master by mohammed rafi  kc

Comment 3 Worker Ant 2018-04-18 10:22:22 UTC
REVIEW: https://review.gluster.org/19899 (server/auth: add option for strict authentication) posted (#1) for review on master by mohammed rafi  kc

Comment 4 Worker Ant 2018-04-22 03:03:21 UTC
COMMIT: https://review.gluster.org/19898 committed in master by "Shyamsundar Ranganathan" <srangana> with a commit message- shared storage: Prevent mounting shared storage from non-trusted client

gluster shared storage is a volume used for internal storage for
various features including ganesha, geo-rep, snapshot.

So this volume should not be exposed to the client, as it is
a special volume for internal use.

This fix won't generate a non-trusted volfile for the shared storage volume.

Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
fixes: bz#1568844
BUG: 1568844
Signed-off-by: Mohammed Rafi KC <rkavunga>

Comment 5 Worker Ant 2018-04-22 03:03:42 UTC
COMMIT: https://review.gluster.org/19899 committed in master by "Shyamsundar Ranganathan" <srangana> with a commit message- server/auth: add option for strict authentication

When this option is enabled, we will check for a matching
username and password, if not found then the connection will
be rejected. This also does a checksum validation of the volfile.

The option is invalid when SSL/TLS is in use, at which point
the SSL/TLS certificate user name is used to validate and
hence authorize the right user. This expects TLS allow rules
to be set up correctly rather than the default *.

This option is not settable, as a result this cannot be enabled
for volumes using the CLI. This is used with the shared storage
volume, to restrict access to the same in non-SSL/TLS environments
to the gluster peers only.

Tested:
  ./tests/bugs/protocol/bug-1321578.t
  ./tests/features/ssl-authz.t
  - Ran tests on volumes with and without strict auth
    checking (as brick vol file needed to be edited to test,
    or rather to enable the option)
  - Ran tests on volumes to ensure existing mounts are
    disconnected when we enable strict checking

Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
fixes: bz#1568844
Signed-off-by: Mohammed Rafi KC <rkavunga>
Signed-off-by: ShyamsundarR <srangana>
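
The commit message above says the strict option can only be turned on in the brick volfile, so a peer-side audit has to read that file. The following is an added example, not code from the GlusterFS project or from this bug: it parses a volfile and flags a protocol/server block that lacks strict authentication on a non-TLS transport. The option names strict-auth-accept, auth.login.* and transport.socket.ssl-enabled are assumptions not stated on this page, and the sample volfile is constructed.

```python
# Added example: audit a brick volfile for the strict-auth setting. Option names
# are assumptions (not named in the bug report); the sample below is constructed.
SAMPLE_VOLFILE = """\
volume gluster_shared_storage-server
    type protocol/server
    option auth.login./var/lib/glusterd/ss_brick.allow constructed-user-uuid
    option auth.login.constructed-user-uuid.password constructed-pass-uuid
    option strict-auth-accept true
    subvolumes /var/lib/glusterd/ss_brick
end-volume
"""
TRUE_VALUES = {"true", "on", "yes", "1", "enable"}

def parse_volfile(text):
    """Return one {'name', 'type', 'options'} dict per volume ... end-volume block."""
    volumes, current = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] == "volume" and len(parts) >= 2:
            current = {"name": parts[1], "type": None, "options": {}}
        elif current and parts[0] == "type" and len(parts) >= 2:
            current["type"] = parts[1]
        elif current and parts[0] == "option" and len(parts) == 3:
            current["options"][parts[1]] = parts[2]
        elif current and parts[0] == "end-volume":
            volumes.append(current)
            current = None
    return volumes

def audit_server_auth(text):
    """List findings for every protocol/server block; an empty list means none."""
    servers = [v for v in parse_volfile(text) if v["type"] == "protocol/server"]
    findings = [] if servers else ["no protocol/server block found"]
    for vol in servers:
        opts = vol["options"]
        strict = opts.get("strict-auth-accept", "false").lower() in TRUE_VALUES
        tls = opts.get("transport.socket.ssl-enabled", "off").lower() in TRUE_VALUES
        keys = [k for k in opts if k.startswith("auth.login.")]
        has_creds = (any(k.endswith(".allow") for k in keys)
                     and any(k.endswith(".password") for k in keys))
        if strict and tls:  # the commit message calls the option invalid with TLS
            findings.append(f"{vol['name']}: strict auth set although TLS is enabled")
        elif not strict and not tls:
            findings.append(f"{vol['name']}: strict auth not enabled")
        if strict and not has_creds:
            findings.append(f"{vol['name']}: strict auth on but no login credentials")
    return findings
```

An empty result for the shared storage brick volfile matches the post-fix expectation in this bug; a TLS-enabled volume is not flagged for a missing strict option because, per the commit message, the certificate allow rules take over there.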

Comment 6 Shyamsundar 2018-06-20 18:05:09 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-v4.1.0, please open a new bug report.

glusterfs-v4.1.0 has been announced on the Gluster mailing lists [1]; packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2018-June/000102.html
[2] https://www.gluster.org/pipermail/gluster-users/

