From patchwork Wed Jan 16 21:52:54 2013
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 213076
From: Chuck Lever
To: fedfs-utils-devel@oss.oracle.com
Date: Wed, 16 Jan 2013 16:52:54 -0500
Message-ID: <20130116215254.21683.8118.stgit@seurat.1015granger.net>
In-Reply-To: <20130116214757.21683.47697.stgit@seurat.1015granger.net>
References: <20130116214757.21683.47697.stgit@seurat.1015granger.net>
User-Agent: StGIT/0.14.3
Subject: [fedfs-utils] [PATCH 08/11] nsdbparams: "update" subcommand shouldn't wipe security data

"nsdbparams update" updates the NSDB's security data every time it is invoked. That means every time an NSDB connection parameters update is done (say, to prevent LDAP referral following), the previous security settings for that NSDB are wiped.

It's always worked this way, but until now, fedfs-utils has supported only one connection security type, a type which had no security data associated with it. So we couldn't tell it was broken.

Also, nsdbparams should validate incoming certificate material. And let's document in the man page what kind of certificate is needed.

Finally, a minor UI change: allow users to specify "--certfile" without "--sectype" to enable TLS mode.
Signed-off-by: Chuck Lever --- doc/man/nsdbparams.8 | 59 ++++++++++++++++-------- src/nsdbparams/main.c | 4 ++ src/nsdbparams/update.c | 115 +++++++++++++++++++++++++++++++---------------- 3 files changed, 120 insertions(+), 58 deletions(-) diff --git a/doc/man/nsdbparams.8 b/doc/man/nsdbparams.8 index 84820c5..7f48411 100644 --- a/doc/man/nsdbparams.8 +++ b/doc/man/nsdbparams.8 @@ -82,16 +82,24 @@ a coherent namespace across multiple file servers using For further details, see .BR fedfs (7). .P -The bulk of FedFS junction information in a FedFS domain is stored -on one or more LDAP servers. +The bulk of FedFS metadata is stored on one or more LDAP servers. These servers are known as .IR "namespace databases" , or NSDBs, for short. -On systems that contact NSDBs, -a local database stores connection parameters for each NSDB. -These connection parameters are used during file server operations -that access NSDBs, -and when executing NSDB administrative commands. +An +.I NSDB client +is any system that communicates with an NSDB. +This can be either a fileserver or an NSDB administrative client. +.P +On NSDB clients, +a small local database stores information about how to connect +to each NSDB node. These +.I NSDB connection parameters +are used when an NSDB client contacts an NSDB node to perform file +server operations or when executing NSDB administrative commands. +.P +The settings in this database effect only the behavior of the local +NSDB client. They have no effect on the operation of NSDBs nodes. .SH DESCRIPTION The .BR nsdbparams (8) 
@@ -188,10 +196,9 @@ If no NSDB port number is provided on the command line, the command uses the default LDAP port (389). .P The database matches NSDB domain names and ports by exact value. -If two unique domain names point -to the IP address of the same physical NSDB, -they are considered separate entries -in the local NSDB connection parameter database. +Details on NSDB connection parameters database entry matching can be +found in +.BR nsdb-parameters (7). .SS Command line options .IP "\fB\-d, \-\-debug" Enables debugging messages during subcommand operation. @@ -209,12 +216,13 @@ This option is valid for the .B update subcommand. .IP "\fB-f, \-\-certfile=\fIpathname\fP" -Specifies the pathname of a local file containing the X.509 certificate -to establish a TLS connection with the specified NSDB. -The -.BR nsdbparams (8) -command copies the specified certificate to a private directory. -The specified file can be deleted after the subcommand succeeds. +Specifies the pathname of a local file containing security data +appropriate for the +.B "\-\-sectype" +specified on the command line. +The specified file may be deleted after the command succeeds. +Details on security data can be found in +.BR nsdb-parameters (7). This option is valid for the .B update subcommand. @@ -272,6 +280,19 @@ If that user doesn't exist, then the UID for .I nobody is used instead. This option is valid for all subcommands. +.SH CHANGING SECURITY TYPES +You can change connection security types used to contact an NSDB node +using the +.B update +subcommand. Simply specify the new security type with the +.B "\-\-sectype" +option. +Specifying the NONE type removes existing stored certificate material +for that NSDB node. +Specifying the TLS type replaces existing stored certificate material +with new material specified with the +.B "\-\-certfile" +option. .SH EXAMPLES If there is an NSDB called .IR nsdb.example.net , 
@@ -304,7 +325,7 @@ subcommand and specify the and .B \-\-certfile options. -For instance, if an X.509 certificate for +For instance, if an x.509 certificate for .I nsdb.example.net were contained in a local file called .IR /tmp/nsdb.pem , @@ -325,7 +346,7 @@ you might use: database of NSDB connection parameters .TP .I @statedir@/nsdbcerts -local directory that stores X.509 certificates for NSDBs +local directory that stores x.509 certificates for NSDBs .SH "SEE ALSO" .BR fedfs (7), .BR nsdb-parameters (7), diff --git a/src/nsdbparams/main.c b/src/nsdbparams/main.c index 6e96c1c..103761f 100644 --- a/src/nsdbparams/main.c +++ b/src/nsdbparams/main.c @@ -206,6 +206,8 @@ main(int argc, char **argv) goto out; } + nsdb_connsec_crypto_startup(); + if (strcasecmp(argv[1], "delete") == 0) exit_status = nsdbparams_delete(progname, argc - 1, argv + 1); else if (strcasecmp(argv[1], "list") == 0) @@ -219,6 +221,8 @@ main(int argc, char **argv) nsdbparams_usage(progname); } + nsdb_connsec_crypto_shutdown(); + out: exit(exit_status); } diff --git a/src/nsdbparams/update.c b/src/nsdbparams/update.c index 60db7a5..62de0c2 100644 --- a/src/nsdbparams/update.c +++ b/src/nsdbparams/update.c @@ -138,7 +138,7 @@ nsdbparams_test_nsdb(const char *nsdbname, unsigned short nsdbport) * @return false if could not parse security type */ static _Bool -nsdbparams_sectype(const char *arg, unsigned int *type) +nsdbparams_sectype(const char *arg, FedFsConnectionSec *type) { unsigned long tmp; char *endptr; 
@@ -171,6 +171,55 @@ try_symbolic: } /** + * Update the security setting for this NSDB + * + * @param nsdbname NUL-terminated UTF-8 string containing NSDB hostname + * @param nsdbport NSDB's IP port number + * @param type connection security type for this NSDB + * @param certfile NUL-terminated UTF-8 string containing pathname of file + * @return a FedFsStatus code + */ +static FedFsStatus +nsdbparams_update_security(const char *nsdbname, unsigned short nsdbport, + FedFsConnectionSec type, const char *certfile) +{ + FedFsStatus retval; + + switch (type) { + case FEDFS_SEC_NONE: + if (certfile != NULL) + xlog(L_ERROR, "The specified certfile was ignored"); + + retval = nsdb_connsec_set_none(nsdbname, nsdbport); + if (retval != FEDFS_OK) { + xlog(L_ERROR, "Failed to update security pararmeters: %s", + nsdb_display_fedfsstatus(retval)); + return retval; + } + break; + case FEDFS_SEC_TLS: + if (certfile == NULL) { + xlog(L_ERROR, "No certfile was specified"); + return FEDFS_ERR_INVAL; + } + + retval = nsdb_connsec_set_tls_file(nsdbname, nsdbport, + certfile); + if (retval != FEDFS_OK) { + xlog(L_ERROR, "Failed to update security pararmeters: %s", + nsdb_display_fedfsstatus(retval)); + return retval; + } + break; + default: + xlog(L_ERROR, "Unrecognized connection security type"); + return FEDFS_ERR_INVAL; + } + + return FEDFS_OK; +} + +/** * Update an NSDB entry in our NSDB connection parameter database * * @param progname NUL-terminated UTF-8 string containing name of this program 
@@ -181,12 +230,10 @@ try_symbolic: int nsdbparams_update(const char *progname, int argc, char **argv) { - char *binddn, *certfile, *nce, *nsdbname, *endptr; + char *binddn, *certfile, *nce, *nsdbname, *endptr, *data = NULL; unsigned short nsdbport = LDAP_PORT; - unsigned int type = FEDFS_SEC_NONE; - struct fedfs_secdata secdata = { - .type = type, - }; + FedFsConnectionSec type = FEDFS_SEC_NONE; + _Bool update_security = false; int arg, follow_referrals; FedFsStatus retval; unsigned long tmp; @@ -227,7 +274,9 @@ nsdbparams_update(const char *progname, int argc, char **argv) nce = optarg; break; case 'f': + type = FEDFS_SEC_TLS; certfile = optarg; + update_security = true; break; case 'g': if (optarg == NULL || *optarg == '\0') { @@ -287,6 +336,7 @@ nsdbparams_update(const char *progname, int argc, char **argv) nsdbparams_update_usage(progname); goto out; } + update_security = true; break; case 'u': if (optarg == NULL || *optarg == '\0') { 
@@ -348,62 +398,49 @@ nsdbparams_update(const char *progname, int argc, char **argv) retval = nsdbparams_test_nsdb(nsdbname, nsdbport); if (retval != FEDFS_OK) goto out; + retval = nsdb_create_nsdb(nsdbname, nsdbport); + if (retval != FEDFS_OK) { + xlog(L_ERROR, "Failed to create NSDB " + "connection parameters for %s:%d: %s", + nsdbname, nsdbport, + nsdb_display_fedfsstatus(retval)); + goto out; + } break; default: xlog(L_ERROR, "Failed to access NSDB " "connection parameter database: %s", - nsdbname, nsdbport, nsdb_display_fedfsstatus(retval)); + nsdb_display_fedfsstatus(retval)); goto out; } - if (type != FEDFS_SEC_NONE) { - if (certfile == NULL) { - xlog(L_ERROR, "No certfile was specified"); - nsdbparams_update_usage(progname); - goto out; - } - - retval = nsdb_read_certfile(certfile, - &secdata.data, &secdata.len); - if (retval != FEDFS_OK) { - xlog(L_ERROR, "Failed to read certfile: %s", - nsdb_display_fedfsstatus(retval)); + if (update_security) { + retval = nsdbparams_update_security(nsdbname, nsdbport, + type, certfile); + if (retval != FEDFS_OK) goto out; - } } - /* - * Ensure entry for this NSDB exists before trying to - * update bind DN, NCE, and referral flags for it. - */ - if (nsdb_update_nsdb(nsdbname, nsdbport, &secdata) == FEDFS_OK) { - printf("NSDB list was updated successfully.\n"); - rc = EXIT_SUCCESS; - } - free(secdata.data); - if (binddn != NULL) if (nsdb_update_default_binddn(nsdbname, nsdbport, - binddn) != FEDFS_OK) { - rc = EXIT_FAILURE; + binddn) != FEDFS_OK) goto out; - } if (nce != NULL) if (nsdb_update_default_nce(nsdbname, nsdbport, - nce) != FEDFS_OK) { - rc = EXIT_FAILURE; + nce) != FEDFS_OK) goto out; - } + if (follow_referrals != 0) { _Bool follow = follow_referrals == 2 ? 
true : false; if (nsdb_update_follow_referrals(nsdbname, nsdbport, - follow) != FEDFS_OK) { - rc = EXIT_FAILURE; + follow) != FEDFS_OK) goto out; - } } + printf("NSDB connection parameters updated successfully.\n"); + rc = EXIT_SUCCESS; out: + free(data); return rc; }
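Review bot: two typos in the new paragraph added to the nsdbparams.8 preamble (hunk @@ -82,16 +82,24): "The settings in this database effect only the behavior" should read "affect only the behavior", and "the operation of NSDBs nodes" should read "the operation of NSDB nodes".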
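Review bot: the new CHANGING SECURITY TYPES section (hunk @@ -272,6 +280,19) does not document the UI change described in the commit message, namely that "--certfile" alone (without "--sectype") selects TLS; since the getopt change in update.c now sets the type to FEDFS_SEC_TLS whenever -f is given, add a sentence to this section (or to the --certfile option text) saying so, otherwise readers will keep passing both options and the shortcut stays undiscoverable.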
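Review bot: the two one-line hunks at @@ -304,7 +325,7 and @@ -325,7 +346,7 change "X.509 certificate" to "x.509 certificate" and "X.509 certificates" to "x.509 certificates"; the ITU-T standard is written X.509 with a capital X, and the rest of the patch keeps the capital form in the commit message, so these two hunks look like an accidental case change and should be dropped.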
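Review bot: in main.c the new nsdb_connsec_crypto_startup() call is made unconditionally before the subcommand dispatch and its result is discarded; if the startup routine can report failure, check it and bail out before running "update", since that is the only subcommand that now touches certificate material through nsdb_connsec_set_tls_file(). Pairing startup/shutdown around the dispatch is otherwise fine, and the early "goto out" above the new call correctly skips both.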
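Review bot: "pararmeters" is misspelled in both xlog() messages of the new nsdbparams_update_security() ("Failed to update security pararmeters: %s"); it should be "parameters". In the FEDFS_SEC_NONE branch the message "The specified certfile was ignored" is logged at L_ERROR yet the function carries on and succeeds; either log it at a warning level to match the behaviour, or treat a --certfile combined with --sectype NONE as a usage error and return FEDFS_ERR_INVAL, the way the FEDFS_SEC_TLS branch rejects a missing certfile.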
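Review bot: the getopt hunk at @@ -227,7 +274,9 makes the outcome depend on argument order: case 'f' unconditionally sets "type = FEDFS_SEC_TLS", so "--certfile X --sectype NONE" ends up as NONE with the certificate ignored, while "--sectype NONE --certfile X" ends up as TLS. Consider recording whether --sectype was seen (a separate _Bool alongside update_security) and defaulting type to FEDFS_SEC_TLS only after the option loop when a certfile was given and no --sectype was.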
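Review bot: "data" in the new declaration "char *binddn, *certfile, *nce, *nsdbname, *endptr, *data = NULL;" (hunk @@ -181,12 +230,10) is never assigned anywhere in the function and is only passed to the new "free(data);" at the out: label in the last hunk; it looks like a leftover from removing "secdata.data", so drop both the variable and the free(). Separately, the commit message says nsdbparams "should validate incoming certificate material", but nothing in this patch validates the file (the old nsdb_read_certfile() call is removed and replaced by nsdb_connsec_set_tls_file()); if the validation lives in that library routine, say so in the commit message. The change in the default: case that drops "nsdbname, nsdbport," from the xlog() call is a real fix, since that format string has only one "%s" and was being passed three arguments.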