FEATURE: Add config auth_group command

namsic · namsic · commit 3b6d1f5b2488 · 2025-10-27T11:41:54.000+09:00
diff --git a/memcached.c b/memcached.c
@@ -9730,6 +9730,30 @@ static void process_config_auth_command(conn *c, token_t *tokens, const size_t n
         out_string(c, "CLIENT_ERROR bad command line format");
     }
 }
+
+static void process_config_auth_group_command(conn *c, token_t *tokens, const size_t ntokens)
+{
+    assert(c != NULL);
+    char *config_val = tokens[SUBCOMMAND_TOKEN+1].value;
+
+    if (ntokens == 3) {
+        char buf[50];
+        char *group_name = sasl_get_auth_group();
+        if (!group_name) {
+            out_string(c, "SERVER_ERROR internal");
+        } else {
+            sprintf(buf, "auth_group %s\r\nEND", group_name);
+            out_string(c, buf);
+            free(group_name);
+        }
+    } else if (ntokens == 4) {
+        if (sasl_set_auth_group(config_val) == 0) {
+            out_string(c, "END");
+        } else {
+            out_string(c, "SERVER_ERROR internal");
+        }
+    }
+}
 #endif
 
 static void process_config_command(conn *c, token_t *tokens, const size_t ntokens)
@@ -9810,6 +9834,9 @@ static void process_config_command(conn *c, token_t *tokens, const size_t ntoken
     else if (strcmp(config_key, "auth") == 0) {
         process_config_auth_command(c, tokens, ntokens);
     }
+    else if (strcmp(config_key, "auth_group") == 0) {
+        process_config_auth_group_command(c, tokens, ntokens);
+    }
 #endif
     else {
         print_invalid_command(c, tokens, ntokens);
diff --git a/sasl_auxprop.c b/sasl_auxprop.c
@@ -21,13 +21,16 @@
 
 static EXTENSION_LOGGER_DESCRIPTOR *mc_logger = NULL;
 
+static const char *zk_root = "/arcus_acl";
 static const char *ensemble_list;
-// 16: buffer for "/arcus_acl", "/" separator, "\0" terminator, etc.
-static char group_zpath[16 + GROUP_MAXLEN];
+static char g_group_name[GROUP_MAXLEN];
+static char new_group_name[GROUP_MAXLEN];
+// 16: buffer for zk_root, "/" separator, "\0" terminator, etc.
+static char g_group_zpath[16 + GROUP_MAXLEN];
 
 struct sasl_entry {
     struct sasl_entry *next;
-    char key[sizeof(group_zpath) + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+    char key[16 + GROUP_MAXLEN + USERNAME_MAXLEN + PROPNAME_MAXLEN];
     size_t value_len;
     char value[];
 };
@@ -84,13 +87,13 @@ static void _table_free(struct sasl_entry **table)
     free(table);
 }
 
-static struct sasl_entry** get_arcus_acl_table(void)
+static struct sasl_entry** get_arcus_acl_table(char *group_zpath)
 {
     struct sasl_entry **table = NULL;
     zhandle_t *zh = NULL;
     struct String_vector users;
     struct String_vector props;
-    char user_zpath[sizeof(group_zpath) + USERNAME_MAXLEN];
+    char user_zpath[16 + GROUP_MAXLEN + USERNAME_MAXLEN];
     char prop_zpath[sizeof(user_zpath) + PROPNAME_MAXLEN];
     char value[VALUE_MAXLEN];
     int value_len;
@@ -168,6 +171,59 @@ static struct sasl_entry** get_arcus_acl_table(void)
     return table;
 }
 
+static int validate_group(char *group_name)
+{
+    char candidate_group_zpath[16 + GROUP_MAXLEN];
+    snprintf(candidate_group_zpath, sizeof(candidate_group_zpath), "%s/%s", zk_root, group_name);
+
+    struct sasl_entry **candidate_table = get_arcus_acl_table(candidate_group_zpath);
+    if (!candidate_table) {
+        mc_logger->log(EXTENSION_LOG_WARNING, NULL,
+            "SECURITY_EVENT ACL group change to %s failed: unable to fetch group data\n", group_name);
+        return -1;
+    }
+
+    pthread_mutex_lock(&g_sasltable_lock);
+    int origin_group_zpath_len = strlen(zk_root) + strlen(g_group_name) + 2;
+    for (int i = 0; i < SASL_TABLE_SIZE; i++) {
+        struct sasl_entry *old_entry = g_sasltable[i];
+        while (old_entry) {
+            char new_key[16 + GROUP_MAXLEN + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+            snprintf(new_key, sizeof(new_key), "%s/%s",
+                candidate_group_zpath, old_entry->key + origin_group_zpath_len);
+            struct sasl_entry *new_entry = candidate_table[hash_function(new_key) % SASL_TABLE_SIZE];
+            bool found = false;
+            while (new_entry) {
+                if (strcmp(new_entry->key, new_key) == 0 &&
+                    new_entry->value_len == old_entry->value_len &&
+                    memcmp(new_entry->value, old_entry->value, old_entry->value_len) == 0) {
+                    found = true;
+                    break;
+                }
+                new_entry = new_entry->next;
+            }
+            if (!found) {
+                mc_logger->log(EXTENSION_LOG_WARNING, NULL,
+                    "SECURITY_EVENT ACL group change to %s failed: missing key %s\n",
+                    group_name, old_entry->key);
+                pthread_mutex_unlock(&g_sasltable_lock);
+                _table_free(candidate_table);
+                return -1;
+            }
+            old_entry = old_entry->next;
+        }
+    }
+
+    struct sasl_entry **old_table = g_sasltable;
+    g_sasltable = candidate_table;
+    snprintf(g_group_name, sizeof(g_group_name), "%s", group_name);
+    snprintf(g_group_zpath, sizeof(g_group_zpath), "%s", candidate_group_zpath);
+    pthread_mutex_unlock(&g_sasltable_lock);
+
+    _table_free(old_table);
+    return 0;
+}
+
 static void* acl_refresh_thread(void *arg)
 {
     struct timespec ts;
@@ -193,7 +249,22 @@ static void* acl_refresh_thread(void *arg)
         }
 
         mc_logger->log(EXTENSION_LOG_INFO, NULL, "ACL refresh started.\n");
-        new_table = get_arcus_acl_table();
+
+        pthread_mutex_lock(&acl_thread_lock);
+        bool update_req = new_group_name[0] != '\0';
+        pthread_mutex_unlock(&acl_thread_lock);
+        if (update_req) {
+            int ret = validate_group(new_group_name);
+            pthread_mutex_lock(&acl_thread_lock);
+            new_group_name[0] = '\0';
+            pthread_mutex_unlock(&acl_thread_lock);
+            if (ret == 0) {
+                mc_logger->log(EXTENSION_LOG_INFO, NULL, "SECURITY_EVENT ACL group changed to: %s\n", g_group_name);
+                continue;
+            }
+        }
+
+        new_table = get_arcus_acl_table(g_group_zpath);
         if (new_table != NULL) {
             pthread_mutex_lock(&g_sasltable_lock);
             old_table = g_sasltable;
@@ -223,18 +294,18 @@ static int _arcus_getdata(const char *user,
                           char *out, const size_t max_out,
                           size_t *out_len)
 {
-    char key[sizeof(group_zpath) + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+    char key[sizeof(g_group_zpath) + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+    pthread_mutex_lock(&g_sasltable_lock);
     if (propName) {
-        snprintf(key, sizeof(key), "%s/%s/%s", group_zpath, user, propName);
+        snprintf(key, sizeof(key), "%s/%s/%s", g_group_zpath, user, propName);
     } else {
-        snprintf(key, sizeof(key), "%s/%s", group_zpath, user);
+        snprintf(key, sizeof(key), "%s/%s", g_group_zpath, user);
     }
 
     int ret = SASL_NOUSER;
     unsigned long index = hash_function(key) % SASL_TABLE_SIZE;
     struct sasl_entry *entry;
 
-    pthread_mutex_lock(&g_sasltable_lock);
     if (g_sasltable) {
         entry = g_sasltable[index];
         while (entry) {
@@ -395,9 +466,10 @@ int arcus_auxprop_plug_init(const sasl_utils_t *utils,
         mc_logger->log(EXTENSION_LOG_WARNING, NULL, "ARCUS_ACL_GROUP environment is not set\n");
         return SASL_FAIL;
     }
-    snprintf(group_zpath, sizeof(group_zpath), "/arcus_acl/%s", acl_group);
+    snprintf(g_group_name, sizeof(g_group_name), "%s", acl_group);
+    snprintf(g_group_zpath, sizeof(g_group_zpath), "%s/%s", zk_root, acl_group);
 
-    g_sasltable = get_arcus_acl_table();
+    g_sasltable = get_arcus_acl_table(g_group_zpath);
     if (!g_sasltable) {
         mc_logger->log(EXTENSION_LOG_WARNING, NULL, "Failed to initialize SASL table\n");
         return SASL_FAIL;
@@ -428,5 +500,27 @@ void arcus_auxprop_wakeup(void)
     pthread_mutex_unlock(&acl_thread_lock);
 }
 
+char *arcus_auxprop_get_group(void)
+{
+    char *ret;
+    pthread_mutex_lock(&g_sasltable_lock);
+    ret = strdup(g_group_name);
+    pthread_mutex_unlock(&g_sasltable_lock);
+    return ret;
+}
+
+int arcus_auxprop_set_group(char *group_name)
+{
+    int ret = -1;
+    pthread_mutex_lock(&acl_thread_lock);
+    if (new_group_name[0] == '\0') {
+        snprintf(new_group_name, sizeof(new_group_name), "%s", group_name);
+        ret = 0;
+    }
+    pthread_cond_signal(&acl_thread_cond);
+    pthread_mutex_unlock(&acl_thread_lock);
+    return ret;
+}
+
 #endif /* ENABLE_ZK_INTEGRATION */
 #endif /* ENABLE_SASL */
diff --git a/sasl_auxprop.h b/sasl_auxprop.h
@@ -20,6 +20,8 @@ int arcus_auxprop_plug_init(const sasl_utils_t *utils,
 int arcus_getdata(const char *user, char *out, const size_t max_out);
 
 void arcus_auxprop_wakeup(void);
+char *arcus_auxprop_get_group(void);
+int arcus_auxprop_set_group(char *group_name);
 
 #endif /* ENABLE_ZK_INTEGRATION */
 #endif /* ENABLE_SASL */
diff --git a/sasl_defs.c b/sasl_defs.c
@@ -7,6 +7,10 @@
 #include <string.h>
 #include "sasl_auxprop.h"
 
+#if defined(ENABLE_SASL) && defined(ENABLE_ZK_INTEGRATION)
+static bool use_acl_zookeeper = false;
+#endif
+
 const char *sasl_engine_string(void)
 {
 #if defined(ENABLE_SASL)
@@ -31,10 +35,26 @@ void sasl_get_auth_data(sasl_conn_t *conn, auth_data_t *data)
 #endif
     }
 }
+
+char *sasl_get_auth_group(void)
+{
+#ifdef ENABLE_ZK_INTEGRATION
+    if (use_acl_zookeeper) {
+        return arcus_auxprop_get_group();
+    }
 #endif
+    return NULL;
+}
 
-#if defined(ENABLE_SASL) && defined(ENABLE_ZK_INTEGRATION)
-static bool use_acl_zookeeper = false;
+int sasl_set_auth_group(char *group_name)
+{
+#ifdef ENABLE_ZK_INTEGRATION
+    if (use_acl_zookeeper) {
+        return arcus_auxprop_set_group(group_name);
+    }
+#endif
+    return -1;
+}
 #endif
 
 #ifdef ENABLE_SASL_PWDB
diff --git a/sasl_defs.h b/sasl_defs.h
@@ -15,6 +15,8 @@ int init_sasl(EXTENSION_LOGGER_DESCRIPTOR *logger);
 void shutdown_sasl(void);
 int reload_sasl(void);
 void sasl_get_auth_data(sasl_conn_t *conn, auth_data_t *data);
+char *sasl_get_auth_group(void);
+int sasl_set_auth_group(char *group_name);
 
 
 #elif defined(ENABLE_ISASL)
@@ -27,6 +29,8 @@ int init_sasl(EXTENSION_LOGGER_DESCRIPTOR *logger);
 void shutdown_sasl(void);
 int reload_sasl(void);
 void sasl_get_auth_data(sasl_conn_t *conn, auth_data_t *data);
+char *sasl_get_auth_group(void);
+int sasl_set_auth_group(char *group_name);
 
 #endif /* End of SASL support */
 
