secret_id = riter->first;
secret = riter->second.key;
+ double const auth_mon_ticket_ttl = cct->_conf.get_val<double>("auth_mon_ticket_ttl");
+ double const auth_service_ticket_ttl= cct->_conf.get_val<double>("auth_service_ticket_ttl");
+
// ttl may have just been increased by the user
// cap it by expiration of "next" key to prevent handing out a ticket
// with a bogus, possibly way into the future, validity
- ttl = service_id == CEPH_ENTITY_TYPE_AUTH ?
- cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
+ ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? auth_mon_ticket_ttl : auth_service_ticket_ttl;
ttl = std::min(ttl, static_cast<double>(
secrets.secrets.rbegin()->second.expiration - now));
RotatingSecrets& r = pending_data.rotating_secrets[service_id];
int added = 0;
utime_t now = ceph_clock_now();
- double ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
+
+ double const auth_mon_ticket_ttl = cct->_conf.get_val<double>("auth_mon_ticket_ttl");
+ double const auth_service_ticket_ttl= cct->_conf.get_val<double>("auth_service_ticket_ttl");
+ auto const auth_service_cipher = cct->_conf.get_val<string>("auth_service_cipher");
+ const int auth_service_cipher_key_type = CryptoManager::get_key_type(auth_service_cipher);
+
+ ldout(cct, 10) << __func__
+ << ": auth_mon_ticket_ttl=" << auth_mon_ticket_ttl
+ << ", auth_service_ticket_ttl=" << auth_service_ticket_ttl
+ << ", auth_service_cipher=" << auth_service_cipher
+ << ", service_id=" << service_id
+ << dendl;;
+
+ double ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? auth_mon_ticket_ttl : auth_service_ticket_ttl;
while (r.need_new_secrets(now)) {
ExpiringCryptoKey ek;
- auto s = cct->_conf.get_val<string>("auth_service_cipher");
- int key_type = CryptoManager::get_key_type(s);
+ int key_type = auth_service_cipher_key_type;
if (key_type < 0 || key_type == CEPH_CRYPTO_NONE) {
key_type = CEPH_CRYPTO_AES256KRB5;
}
-
+
generate_secret(ek.key, key_type);
if (r.empty()) {
ek.expiration = now;
if (!crypto)
return false;
+ ldout(cct, 20) << __func__ << ": generating key type " << type << dendl;
+
if (crypto->create(cct->random(), bp) < 0)
return false;
info.secret_id = secret_id;
std::scoped_lock l{lock};
- return _build_session_auth_info(service_id, parent_ticket, key_type, info,
- cct->_conf->auth_service_ticket_ttl);
+ double const auth_service_ticket_ttl= cct->_conf.get_val<double>("auth_service_ticket_ttl");
+ return _build_session_auth_info(service_id, parent_ticket, key_type, info, auth_service_ticket_ttl);
}
type: float
level: advanced
default: 72_hr
- with_legacy: true
+ desc: The time-to-live for tickets with the auth subsystem of the Monitors.
+ long_desc: >
+ The time-to-live for tickets with the auth subsystem of the Monitors.
+ These tickets are used to reclaim the global ID associated with the
+ running client.
+ flags:
+ - runtime
- name: auth_service_ticket_ttl
type: float
level: advanced
default: 1_hr
- fmt_desc: When the Ceph Storage Cluster sends a Ceph Client a ticket for
- authentication, the Ceph Storage Cluster assigns the ticket a
- time to live.
- with_legacy: true
+ desc: The time-to-live for non-auth service tickets issued by the Monitors.
+ fmt_desc: >
+ The time-to-live for non-auth service tickets issued by the Monitors. These
+ tickets would include services like the OSD or MDS. This allows the client
+ to authenticate independently with the service for the given timeframe
+ before having to refresh its tickets with the Monitors again.
+ flags:
+ - runtime
- name: auth_allow_insecure_global_id_reclaim
type: bool
level: advanced
seastar::future<> Connection::renew_rotating_keyring()
{
+ auto&& conf = crimson::common::local_conf();
+ auto const service_ticket_ttl = conf.get_val<double>("auth_service_ticket_ttl");
+ auto ttl = std::chrono::seconds{static_cast<long>(service_ticket_ttl)};
auto now = clock_t::now();
- auto ttl = std::chrono::seconds{
- static_cast<long>(crimson::common::local_conf()->auth_service_ticket_ttl)};
auto cutoff = utime_t{now - std::min(std::chrono::seconds{30}, ttl / 4)};
if (!rotating_keyring->need_new_secrets(cutoff)) {
logger().debug("renew_rotating_keyring secrets are up-to-date "
return 0;
}
+ double auth_service_ticket_ttl = cct->_conf.get_val<double>("auth_service_ticket_ttl");
+
utime_t now = ceph_clock_now();
utime_t cutoff = now;
- cutoff -= std::min(30.0, cct->_conf->auth_service_ticket_ttl / 4.0);
+ cutoff -= std::min(30.0, auth_service_ticket_ttl / 4.0);
utime_t issued_at_lower_bound = now;
- issued_at_lower_bound -= cct->_conf->auth_service_ticket_ttl;
+ issued_at_lower_bound -= auth_service_ticket_ttl;
if (!rotating_secrets->need_new_secrets(cutoff)) {
ldout(cct, 10) << "_check_auth_rotating have uptodate secrets (they expire after " << cutoff << ")" << dendl;
rotating_secrets->dump_rotating();
if (!rotating_secrets)
return 0;
+ double auth_service_ticket_ttl = cct->_conf.get_val<double>("auth_service_ticket_ttl");
+
ldout(cct, 10) << __func__ << " waiting for " << timeout << dendl;
utime_t cutoff = ceph_clock_now();
- cutoff -= std::min(30.0, cct->_conf->auth_service_ticket_ttl / 4.0);
+ cutoff -= std::min(30.0, auth_service_ticket_ttl / 4.0);
if (auth_cond.wait_for(l, ceph::make_timespan(timeout), [this, cutoff] {
return (!auth_principal_needs_rotating_keys(entity_name) ||
!rotating_secrets->need_new_secrets(cutoff));
projects / ceph-ci.git / commitdiff