diff --git a/mcrouter/Makefile.am b/mcrouter/Makefile.am
index 42e9252e8..519132ff4 100644
--- a/mcrouter/Makefile.am
+++ b/mcrouter/Makefile.am
@@ -199,6 +199,8 @@ mcrouter_SOURCES = \
 Server-inl.h \
 Server.h \
 ServerOnRequest.h \
+ StandaloneConfig.cpp \
+ StandaloneConfig.h \
 StandaloneUtils.cpp \
 StandaloneUtils.h \
 standalone_options.h \
diff --git a/mcrouter/Server-inl.h b/mcrouter/Server-inl.h
index 3e8b705df..48701782e 100644
--- a/mcrouter/Server-inl.h
+++ b/mcrouter/Server-inl.h
@@ -1,9 +1,8 @@
-/*
- * Copyright (c) Facebook, Inc.
- *
- * This source code is licensed under the MIT license found in the LICENSE
- * file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #include
@@ -16,6 +15,7 @@
 #include "mcrouter/Proxy.h"
 #include "mcrouter/ProxyThread.h"
 #include "mcrouter/ServerOnRequest.h"
+#include "mcrouter/StandaloneConfig.h"
 #include "mcrouter/config.h"
 #include "mcrouter/lib/network/AsyncMcServer.h"
 #include "mcrouter/lib/network/AsyncMcServerWorker.h"
@@ -27,6 +27,26 @@ namespace mcrouter {
 namespace detail {
+inline std::function getAclChecker(
+ const McrouterOptions& opts,
+ const McrouterStandaloneOptions& standaloneOpts) {
+ if (standaloneOpts.acl_checker_enable) {
+ try {
+ return getConnectionAclChecker(
+ standaloneOpts.server_ssl_service_identity,
+ standaloneOpts.acl_checker_enforce);
+ } catch (const std::exception& ex) {
+ MC_LOG_FAILURE(
+ opts,
+ failure::Category::kSystemError,
+ "Error creating acl checker: {}",
+ ex.what());
+ LOG(WARNING) << "Disabling acl checker on all threads.";
+ }
+ }
+ return [](McServerSession&) {};
+}
+
 template class RequestHandler>
 void serverLoop(
 CarbonRouterInstance& router,
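Review bot: When `acl_checker_enable` is set and `getConnectionAclChecker` throws, `getAclChecker` logs and returns the no-op lambda, so an unavailable or misconfigured ACL checker silently degrades to accepting every connection unchecked; the accept callback in the next hunk does the same per worker thread on the first exception from `aclChecker(session)`. For an access-control hook the safer shape is to fail closed when the operator asked for enforcement, e.g. as the first line of the catch block `if (standaloneOpts.acl_checker_enforce) { throw; }`, and keep the log-and-continue fallback only for the non-enforcing mode. If the checker is allowed to report a rejected session by throwing, the catch in the accept callback would also turn a single rejection into "disable ACL on this thread", which is why the throw/no-throw contract of `getConnectionAclChecker` needs to be stated where it is declared. A short comment on `getAclChecker`, such as `// Returns a no-op checker when the option is off or the real checker could not be built.`, would at least make the fallback explicit to the next reader.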
@@ -47,9 +67,24 @@ void serverLoop(
 *routerClient,
 standaloneOpts.retain_source_ip,
 standaloneOpts.enable_pass_through_mode));
- worker.setOnConnectionAccepted([proxy](McServerSession&) {
- proxy->stats().increment(num_client_connections_stat);
- });
+
+ worker.setOnConnectionAccepted(
+ [proxy,
+ aclChecker = getAclChecker(proxy->router().opts(), standaloneOpts)](
+ McServerSession& session) mutable {
+ proxy->stats().increment(num_client_connections_stat);
+ try {
+ aclChecker(session);
+ } catch (const std::exception& ex) {
+ MC_LOG_FAILURE(
+ proxy->router().opts(),
+ failure::Category::kSystemError,
+ "Error running acl checker: {}",
+ ex.what());
+ LOG(WARNING) << "Disabling acl checker on this thread.";
+ aclChecker = [](McServerSession&) {};
+ }
+ });
 worker.setOnConnectionCloseFinish(
 [proxy](McServerSession&, bool onAcceptedCalled) {
 if (onAcceptedCalled) {
diff --git a/mcrouter/StandaloneConfig.cpp b/mcrouter/StandaloneConfig.cpp
new file mode 100644
index 000000000..c666444fe
--- /dev/null
+++ b/mcrouter/StandaloneConfig.cpp
@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
+ */
+#include "StandaloneConfig.h"
+
+#include
+#include
+
+namespace facebook {
+namespace memcache {
+namespace mcrouter {
+
+void standalonePreInitFromCommandLineOpts(
+ const std::unordered_map& standaloneOptionsDict) {
+}
+
+void standaloneInit(
+ const McrouterOptions& opts,
+ const McrouterStandaloneOptions& standaloneOpts) {}
+
+void initStandaloneSSL() {}
+
+void finalizeStandaloneOptions(McrouterStandaloneOptions& opts) {}
+
+std::function getConnectionAclChecker(
+ const std::string& /* serviceIdentity */,
+ bool /* enforce */) {
+ return [](McServerSession&) {};
+}
+
+} // namespace mcrouter
+} // namespace memcache
+} // namespace facebook
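Review bot: After the catch path assigns the no-op to `aclChecker`, that worker thread accepts connections unchecked for the rest of its life, and the only trace is one WARNING line plus the `MC_LOG_FAILURE` entry; nothing is counted, so a dashboard cannot tell that one of N workers is running without ACL checks. Incrementing a proxy stat in the catch block next to the existing `num_client_connections_stat` update (the stat itself would have to be declared wherever the other stats are) would make the degraded state observable and alertable. Since each worker builds its own checker through `getAclChecker`, the fallback state can differ from thread to thread, which is worth saying on the lambda: `// mutable: a throwing checker is replaced by a no-op for this worker only`. `serverLoop` begins and ends outside this hunk.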
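Review bot: `getConnectionAclChecker` ignores both `serviceIdentity` and `enforce` and returns a no-op, so a binary built from this tree with `--acl-checker-enable --acl-checker-enforce` reports access control as on while no connection is ever checked. Saying so once at construction keeps operators from trusting a check that is not there, e.g. `LOG(WARNING) << "No connection ACL checker is compiled in; connections are not checked.";` before the return. The other four functions in this file are empty as well; a one-line comment above the first definition stating that these are the default no-op implementations (presumably meant to be replaced in other builds) would explain why the bodies are empty.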
diff --git a/mcrouter/StandaloneConfig.h b/mcrouter/StandaloneConfig.h
new file mode 100644
index 000000000..abda334c8
--- /dev/null
+++ b/mcrouter/StandaloneConfig.h
@@ -0,0 +1,40 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
+ */
+#pragma once
+
+#include
+#include
+
+namespace facebook {
+namespace memcache {
+
+// forward declarations
+class McrouterOptions;
+class McServerSession;
+
+namespace mcrouter {
+// forward declarations
+class McrouterStandaloneOptions;
+
+void standalonePreInitFromCommandLineOpts(
+ const std::unordered_map& standaloneOptionsDict);
+
+void standaloneInit(
+ const McrouterOptions& opts,
+ const McrouterStandaloneOptions& standaloneOpts);
+
+void initStandaloneSSL();
+
+void finalizeStandaloneOptions(McrouterStandaloneOptions& opts);
+
+std::function getConnectionAclChecker(
+ const std::string& serviceIdentity,
+ bool enforce);
+
+} // namespace mcrouter
+} // namespace memcache
+} // namespace facebook
diff --git a/mcrouter/StandaloneUtils.cpp b/mcrouter/StandaloneUtils.cpp
index 9a071b5ec..91c1933cc 100644
--- a/mcrouter/StandaloneUtils.cpp
+++ b/mcrouter/StandaloneUtils.cpp
@@ -1,9 +1,8 @@
-/*
- * Copyright (c) Facebook, Inc.
- *
- * This source code is licensed under the MIT license found in the LICENSE
- * file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #include "StandaloneUtils.h"
@@ -24,6 +23,7 @@
 #include "mcrouter/McrouterLogFailure.h"
 #include "mcrouter/RouterRegistry.h"
 #include "mcrouter/Server.h"
+#include "mcrouter/StandaloneConfig.h"
 #include "mcrouter/config.h"
 #include "mcrouter/options.h"
 #include "mcrouter/standalone_options.h"
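Review bot: None of the five declarations in the new header carries a comment, and the contract of `getConnectionAclChecker` in particular is left to the reader: what the returned callable does with a session it rejects, what `enforce` changes, and whether the callable may throw, which is exactly what the catch blocks in Server-inl.h depend on. A comment above it along the lines of `// Returns a callable run once per accepted session. Document here whether it may throw and what enforce=false changes.`, filled in with the intended behaviour, would pin that down. `finalizeStandaloneOptions` deserves the same treatment, since the comments in standalone_options_list.h suggest it may rewrite the server PEM cert/key paths and it therefore has to run before `initStandaloneSSL`.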
@@ -430,6 +430,9 @@ void setupStandaloneMcrouter(
 option);
 }
+ // finialize standalone options
+ finalizeStandaloneOptions(standaloneOptions);
+
 // init a few things.
 initStandaloneSSL();
 srand(time(nullptr) + getpid());
diff --git a/mcrouter/mcrouter_config.cpp b/mcrouter/mcrouter_config.cpp
index 03bea4101..e13c679cf 100644
--- a/mcrouter/mcrouter_config.cpp
+++ b/mcrouter/mcrouter_config.cpp
@@ -1,9 +1,8 @@
-/*
- * Copyright (c) 2014-present, Facebook, Inc.
- *
- * This source code is licensed under the MIT license found in the LICENSE
- * file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #include
@@ -133,8 +132,6 @@ folly::dynamic readStaticJsonFile(folly::StringPiece file) {
 return folly::parseJson(contents);
 }
-void initStandaloneSSL() {}
-
 } // namespace mcrouter
 } // namespace memcache
 } // namespace facebook
diff --git a/mcrouter/mcrouter_config.h b/mcrouter/mcrouter_config.h
index 4211d2306..b188a9172 100644
--- a/mcrouter/mcrouter_config.h
+++ b/mcrouter/mcrouter_config.h
@@ -1,9 +1,8 @@
-/*
- * Copyright (c) Facebook, Inc.
- *
- * This source code is licensed under the MIT license found in the LICENSE
- * file in the root directory of this source tree.
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
  *
+ * This source code is licensed under the MIT license found in the LICENSE
+ * file in the root directory of this source tree.
  */
 #pragma once
@@ -50,7 +49,6 @@ namespace mcrouter {
 class CarbonRouterInstanceBase;
 class ConfigApi;
 class McrouterLogger;
-class McrouterStandaloneOptions;
 struct FailoverContext;
 class ProxyBase;
 struct RequestLoggerContext;
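Review bot: The new comment reads `// finialize standalone options`; beyond the typo it should say why this call has to sit before `initStandaloneSSL()`: if, as the comments in standalone_options_list.h suggest, this is the step that may overwrite `server_pem_cert_path` and `server_pem_key_path`, the SSL setup on the following line must see the finalized values, and a later reordering would silently load the wrong key material. Suggest `// finalize standalone options (may rewrite e.g. the server PEM paths) before initStandaloneSSL() reads them`. `setupStandaloneMcrouter` starts and ends outside this hunk.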
@@ -107,13 +105,6 @@ std::unique_ptr createConfigApi(const McrouterOptions& opts);
 std::string performOptionSubstitution(std::string str);
-inline void standalonePreInitFromCommandLineOpts(
- const std::unordered_map& st_option_dict) {}
-
-inline void standaloneInit(
- const McrouterOptions& opts,
- const McrouterStandaloneOptions& standaloneOpts) {}
-
 std::unique_ptr createMcrouterLogger(
 CarbonRouterInstanceBase& router);
@@ -153,8 +144,6 @@ std::string getBinPath(folly::StringPiece name);
 void finalizeOptions(McrouterOptions& options);
-void initStandaloneSSL();
-
 /**
  * Reads a static json file. Do not monitor for changes.
  * May throw if there's an error while parsing file contents.
diff --git a/mcrouter/standalone_options_list.h b/mcrouter/standalone_options_list.h
index b565bf33e..5f679a97b 100644
--- a/mcrouter/standalone_options_list.h
+++ b/mcrouter/standalone_options_list.h
@@ -67,14 +67,14 @@ MCROUTER_OPTION_TOGGLE(
 MCROUTER_OPTION_STRING(
 server_pem_cert_path,
- "",
+ "", // this may get overwritten by finalizeOptions
 "server-pem-cert-path",
 no_short,
 "Path of pem-style server certificate for ssl.")
 MCROUTER_OPTION_STRING(
 server_pem_key_path,
- "",
+ "", // this may get overwritten by finalizeOptions
 "server-pem-key-path",
 no_short,
 "Path of pem-style server key for ssl.")
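Review bot: The comment added on both `server_pem_cert_path` and `server_pem_key_path` names `finalizeOptions`, but the function this change introduces for standalone options is `finalizeStandaloneOptions`, while `finalizeOptions(McrouterOptions&)` remains a separate function (still declared in mcrouter_config.h in the hunk above), so the comment sends readers to the wrong place. Suggest `"", // may be overwritten by finalizeStandaloneOptions()` on both lines. Since these are the paths the server's TLS certificate and private key are loaded from, the comment is also the right place to say that the default shown in the help output may not be the effective value.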
@@ -195,6 +195,27 @@ MCROUTER_OPTION_INTEGER(
 "use the zero copy optimization on TX."
 "If 0, the tcp zero copy optimization will not be applied.")
+MCROUTER_OPTION_TOGGLE(
+ acl_checker_enable,
+ false,
+ "acl-checker-enable",
+ no_short,
+ "If true, incoming requests are checked against the ACL.")
+
+MCROUTER_OPTION_TOGGLE(
+ acl_checker_enforce,
+ false,
+ "acl-checker-enforce",
+ no_short,
+ "If true, enforces the result of the ACL check.")
+
+MCROUTER_OPTION_STRING(
+ server_ssl_service_identity,
+ "memcache",
+ "server-ssl-service-identity",
+ no_short,
+ "If true, enforces the result of the ACL check.")
+
 #ifdef ADDITIONAL_STANDALONE_OPTIONS_FILE
 #include ADDITIONAL_STANDALONE_OPTIONS_FILE
 #endif
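Review bot: The help string of `server_ssl_service_identity` is a copy of the `acl_checker_enforce` one ("If true, enforces the result of the ACL check.") and makes no sense for a string option; in Server-inl.h the value is passed to `getConnectionAclChecker` as the service identity, so `"Service identity passed to the connection ACL checker."` describes what it actually does. `acl_checker_enable` says "incoming requests are checked", but the checker is installed through `setOnConnectionAccepted`, so it runs once per accepted connection rather than per request, and the help text should say connections. It would also help operators to state what the default combination of `acl_checker_enable` on and `acl_checker_enforce` off means in practice (whatever the checker does when it is not enforcing), since that is the mode a user gets by setting only the first flag.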