FEATURE: Add config auth_group command

Author: namsic

memcached.c

@@ -9730,6 +9730,30 @@ static void process_config_auth_command(conn *c, token_t *tokens, const size_t n
         out_string(c, "CLIENT_ERROR bad command line format");
     }
 }
+
+static void process_config_auth_group_command(conn *c, token_t *tokens, const size_t ntokens)
+{
+    assert(c != NULL);
+    char *config_val = tokens[SUBCOMMAND_TOKEN+1].value;
+
+    if (ntokens == 3) {
+        char buf[50];
+        char *group_name = sasl_get_auth_group();
+        if (group_name) {
+            sprintf(buf, "auth_group %s\r\nEND", group_name);
+            out_string(c, buf);
+            free(group_name);
+        } else {
+            out_string(c, "SERVER_ERROR internal");
+        }
+    } else if (ntokens == 4) {
+        if (sasl_set_auth_group(config_val) == 0) {
+            out_string(c, "END");
+        } else {
+            out_string(c, "SERVER_ERROR internal");
+        }
+    }
+}
 #endif
 
 static void process_config_command(conn *c, token_t *tokens, const size_t ntokens)
@@ -9810,6 +9834,9 @@ static void process_config_command(conn *c, token_t *tokens, const size_t ntoken
     else if (strcmp(config_key, "auth") == 0) {
         process_config_auth_command(c, tokens, ntokens);
     }
+    else if (strcmp(config_key, "auth_group") == 0) {
+        process_config_auth_group_command(c, tokens, ntokens);
+    }
 #endif
     else {
         print_invalid_command(c, tokens, ntokens);

sasl_auxprop.c

@@ -17,17 +17,21 @@
 #define GROUP_MAXLEN 32
 #define USERNAME_MAXLEN 32
 #define PROPNAME_MAXLEN 32
+// 16: buffer for "/arcus_acl", "/" separator, "\0" terminator, etc.
+#define TABLE_KEY_LEN 16 + GROUP_MAXLEN + USERNAME_MAXLEN + PROPNAME_MAXLEN
 #define VALUE_MAXLEN 8192 /* from Cyrus SASL's sasldb auxprop plugin */
 
 static EXTENSION_LOGGER_DESCRIPTOR *mc_logger = NULL;
 
 static const char *ensemble_list;
-// 16: buffer for "/arcus_acl", "/" separator, "\0" terminator, etc.
-static char group_zpath[16 + GROUP_MAXLEN];
+static char g_group_name[GROUP_MAXLEN];
+static volatile bool change_acl_group = false;
+static char new_group_name[GROUP_MAXLEN];
+static char g_group_zpath[16 + GROUP_MAXLEN];
 
 struct sasl_entry {
     struct sasl_entry *next;
-    char key[sizeof(group_zpath) + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+    char key[TABLE_KEY_LEN];
     size_t value_len;
     char value[];
 };
@@ -84,14 +88,14 @@ static void _table_free(struct sasl_entry **table)
     free(table);
 }
 
-static struct sasl_entry** get_arcus_acl_table(void)
+static struct sasl_entry** get_arcus_acl_table(char *group_zpath)
 {
     struct sasl_entry **table = NULL;
     zhandle_t *zh = NULL;
     struct String_vector users;
     struct String_vector props;
-    char user_zpath[sizeof(group_zpath) + USERNAME_MAXLEN];
-    char prop_zpath[sizeof(user_zpath) + PROPNAME_MAXLEN];
+    char user_zpath[16 + GROUP_MAXLEN + USERNAME_MAXLEN];
+    char prop_zpath[TABLE_KEY_LEN];
     char value[VALUE_MAXLEN];
     int value_len;
     int ret;
@@ -168,6 +172,63 @@ static struct sasl_entry** get_arcus_acl_table(void)
     return table;
 }
 
+static int validate_new_acl_group(void)
+{
+    char new_group_zpath[16 + GROUP_MAXLEN];
+    snprintf(new_group_zpath, sizeof(new_group_zpath), "/arcus_acl/%s", new_group_name);
+
+    struct sasl_entry **new_table = get_arcus_acl_table(new_group_zpath);
+    if (!new_table) {
+        mc_logger->log(EXTENSION_LOG_WARNING, NULL,
+            "SECURITY_EVENT ACL group change to %s failed: unable to fetch group data\n", new_group_name);
+        return -1;
+    }
+
+    int origin_group_zpath_len = strlen("/arcus_acl") + strlen(g_group_name) + 2;
+    char new_key[TABLE_KEY_LEN];
+    struct sasl_entry *new_entry;
+    bool is_valid = true;
+
+    for (int i = 0; i < SASL_TABLE_SIZE; i++) {
+        struct sasl_entry *old_entry = g_sasltable[i];
+        while (old_entry) {
+            snprintf(new_key, sizeof(new_key), "%s/%s",
+                new_group_zpath, old_entry->key + origin_group_zpath_len);
+            new_entry = new_table[hash_function(new_key) % SASL_TABLE_SIZE];
+            while (new_entry) {
+                if (strcmp(new_entry->key, new_key) == 0 &&
+                    new_entry->value_len == old_entry->value_len &&
+                    memcmp(new_entry->value, old_entry->value, old_entry->value_len) == 0) {
+                    mc_logger->log(EXTENSION_LOG_WARNING, NULL,
+                        "SECURITY_EVENT ACL group change to %s failed: missing key %s\n",
+                        new_group_name, old_entry->key);
+                    break;
+                }
+                new_entry = new_entry->next;
+            }
+            if (new_entry == NULL) {
+              is_valid = false;
+              break;
+            }
+            old_entry = old_entry->next;
+        }
+    }
+
+    if (is_valid) {
+        pthread_mutex_lock(&g_sasltable_lock);
+        struct sasl_entry **old_table = g_sasltable;
+        g_sasltable = new_table;
+        snprintf(g_group_name, sizeof(g_group_name), "%s", new_group_name);
+        snprintf(g_group_zpath, sizeof(g_group_zpath), "%s", new_group_zpath);
+        pthread_mutex_unlock(&g_sasltable_lock);
+        _table_free(old_table);
+        return 0;
+    } else {
+        _table_free(new_table);
+        return -1;
+    }
+}
+
 static void* acl_refresh_thread(void *arg)
 {
     struct timespec ts;
@@ -184,7 +245,7 @@ static void* acl_refresh_thread(void *arg)
     while (!acl_thread_stopreq) {
         ts.tv_sec += REFRESH_PERIOD;
         pthread_mutex_lock(&acl_thread_lock);
-        if (!acl_thread_stopreq) {
+        if (!acl_thread_stopreq && !change_acl_group) {
             pthread_cond_timedwait(&acl_thread_cond, &acl_thread_lock, &ts);
         }
         pthread_mutex_unlock(&acl_thread_lock);
@@ -193,7 +254,8 @@ static void* acl_refresh_thread(void *arg)
         }
 
         mc_logger->log(EXTENSION_LOG_INFO, NULL, "ACL refresh started.\n");
-        new_table = get_arcus_acl_table();
+
+        new_table = get_arcus_acl_table(g_group_zpath);
         if (new_table != NULL) {
             pthread_mutex_lock(&g_sasltable_lock);
             old_table = g_sasltable;
@@ -202,6 +264,16 @@ static void* acl_refresh_thread(void *arg)
 
             _table_free(old_table);
         }
+
+        if (change_acl_group) {
+            int ret = validate_new_acl_group();
+            pthread_mutex_lock(&acl_thread_lock);
+            change_acl_group = false;
+            pthread_mutex_unlock(&acl_thread_lock);
+            if (ret == 0) {
+                mc_logger->log(EXTENSION_LOG_INFO, NULL, "SECURITY_EVENT ACL group changed to: %s\n", g_group_name);
+            }
+        }
         mc_logger->log(EXTENSION_LOG_INFO, NULL, "ACL refresh %s.\n", new_table ? "completed" : "failed");
     }
 
@@ -223,18 +295,18 @@ static int _arcus_getdata(const char *user,
                           char *out, const size_t max_out,
                           size_t *out_len)
 {
-    char key[sizeof(group_zpath) + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+    char key[sizeof(g_group_zpath) + USERNAME_MAXLEN + PROPNAME_MAXLEN];
+    pthread_mutex_lock(&g_sasltable_lock);
     if (propName) {
-        snprintf(key, sizeof(key), "%s/%s/%s", group_zpath, user, propName);
+        snprintf(key, sizeof(key), "%s/%s/%s", g_group_zpath, user, propName);
     } else {
-        snprintf(key, sizeof(key), "%s/%s", group_zpath, user);
+        snprintf(key, sizeof(key), "%s/%s", g_group_zpath, user);
     }
 
     int ret = SASL_NOUSER;
     unsigned long index = hash_function(key) % SASL_TABLE_SIZE;
     struct sasl_entry *entry;
 
-    pthread_mutex_lock(&g_sasltable_lock);
     if (g_sasltable) {
         entry = g_sasltable[index];
         while (entry) {
@@ -395,9 +467,10 @@ int arcus_auxprop_plug_init(const sasl_utils_t *utils,
         mc_logger->log(EXTENSION_LOG_WARNING, NULL, "ARCUS_ACL_GROUP environment is not set\n");
         return SASL_FAIL;
     }
-    snprintf(group_zpath, sizeof(group_zpath), "/arcus_acl/%s", acl_group);
+    snprintf(g_group_name, sizeof(g_group_name), "%s", acl_group);
+    snprintf(g_group_zpath, sizeof(g_group_zpath), "/arcus_acl/%s", acl_group);
 
-    g_sasltable = get_arcus_acl_table();
+    g_sasltable = get_arcus_acl_table(g_group_zpath);
     if (!g_sasltable) {
         mc_logger->log(EXTENSION_LOG_WARNING, NULL, "Failed to initialize SASL table\n");
         return SASL_FAIL;
@@ -428,5 +501,28 @@ void arcus_auxprop_wakeup(void)
     pthread_mutex_unlock(&acl_thread_lock);
 }
 
+char *arcus_auxprop_get_group(void)
+{
+    char *ret;
+    pthread_mutex_lock(&g_sasltable_lock);
+    ret = strdup(g_group_name);
+    pthread_mutex_unlock(&g_sasltable_lock);
+    return ret;
+}
+
+int arcus_auxprop_set_group(char *group_name)
+{
+    int ret = -1;
+    pthread_mutex_lock(&acl_thread_lock);
+    if (!change_acl_group) {
+        snprintf(new_group_name, sizeof(new_group_name), "%s", group_name);
+        change_acl_group = true;
+        ret = 0;
+    }
+    pthread_cond_signal(&acl_thread_cond);
+    pthread_mutex_unlock(&acl_thread_lock);
+    return ret;
+}
+
 #endif /* ENABLE_ZK_INTEGRATION */
 #endif /* ENABLE_SASL */

sasl_auxprop.h

@@ -20,6 +20,8 @@ int arcus_auxprop_plug_init(const sasl_utils_t *utils,
 int arcus_getdata(const char *user, char *out, const size_t max_out);
 
 void arcus_auxprop_wakeup(void);
+char *arcus_auxprop_get_group(void);
+int arcus_auxprop_set_group(char *group_name);
 
 #endif /* ENABLE_ZK_INTEGRATION */
 #endif /* ENABLE_SASL */

sasl_defs.c

@@ -7,6 +7,10 @@
 #include <string.h>
 #include "sasl_auxprop.h"
 
+#if defined(ENABLE_SASL) && defined(ENABLE_ZK_INTEGRATION)
+static bool use_acl_zookeeper = false;
+#endif
+
 const char *sasl_engine_string(void)
 {
 #if defined(ENABLE_SASL)
@@ -31,10 +35,26 @@ void sasl_get_auth_data(sasl_conn_t *conn, auth_data_t *data)
 #endif
     }
 }
+
+char *sasl_get_auth_group(void)
+{
+#ifdef ENABLE_ZK_INTEGRATION
+    if (use_acl_zookeeper) {
+        return arcus_auxprop_get_group();
+    }
 #endif
+    return NULL;
+}
 
-#if defined(ENABLE_SASL) && defined(ENABLE_ZK_INTEGRATION)
-static bool use_acl_zookeeper = false;
+int sasl_set_auth_group(char *group_name)
+{
+#ifdef ENABLE_ZK_INTEGRATION
+    if (use_acl_zookeeper) {
+        return arcus_auxprop_set_group(group_name);
+    }
+#endif
+    return -1;
+}
 #endif
 
 #ifdef ENABLE_SASL_PWDB

sasl_defs.h

@@ -15,6 +15,8 @@ int init_sasl(EXTENSION_LOGGER_DESCRIPTOR *logger);
 void shutdown_sasl(void);
 int reload_sasl(void);
 void sasl_get_auth_data(sasl_conn_t *conn, auth_data_t *data);
+char *sasl_get_auth_group(void);
+int sasl_set_auth_group(char *group_name);
 
 
 #elif defined(ENABLE_ISASL)
@@ -27,6 +29,8 @@ int init_sasl(EXTENSION_LOGGER_DESCRIPTOR *logger);
 void shutdown_sasl(void);
 int reload_sasl(void);
 void sasl_get_auth_data(sasl_conn_t *conn, auth_data_t *data);
+char *sasl_get_auth_group(void);
+int sasl_set_auth_group(char *group_name);
 
 #endif /* End of SASL support */