#include "CephxKeyServer.h"
#include <errno.h>
#include <sstream>
+#include <shared_mutex>
#include "include/random.h"
#include "common/config.h"
using std::dec;
using std::hex;
using std::vector;
+using namespace std::literals;
using ceph::bufferlist;
using ceph::decode;
using ceph::encode;
+CephxServiceHandler::CephxServiceHandler(CephContext *cct_, KeyServer *ks)
+ : AuthServiceHandler(cct_), key_server(ks), server_challenge(0) {
+ cct->_conf.add_observer(this);
+ init_conf(cct->_conf);
+}
+
+std::vector<std::string> CephxServiceHandler::get_tracked_keys() const noexcept
+{
+ return {
+ "cephx_allowed_ciphers"s
+ };
+}
+
+void CephxServiceHandler::init_conf(const ConfigProxy& conf) {
+ std::unique_lock wl(lock);
+ auto s = conf.get_val<std::string>("cephx_allowed_ciphers");
+
+ std::vector<std::string> v;
+ get_str_vec(s, ", ", v);
+
+ for (auto& cipher : v) {
+ int cipher_type = CryptoManager::get_key_type(cipher);
+ if (cipher_type > 0) {
+ allowed_ciphers.insert(cipher_type);
+ }
+ }
+}
+
+bool CephxServiceHandler::cipher_is_allowed(int cipher)
+{
+ std::shared_lock rl(lock);
+ return (allowed_ciphers.find(cipher) != allowed_ciphers.end());
+}
+
int CephxServiceHandler::do_start_session(
bool is_new_global_id,
bufferlist *result_bl,
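Review bot: init_conf never empties allowed_ciphers before inserting, and because handle_conf_change re-runs init_conf, removing a cipher from cephx_allowed_ciphers at runtime never takes effect — the set can only grow until restart, so an operator who disables a weak key type will silently keep accepting it. Reset the set under the write lock before repopulating, e.g. `allowed_ciphers.clear();` right after `std::unique_lock wl(lock);` (or build a local std::set and swap it in under the lock). A name that CryptoManager::get_key_type does not recognise is also dropped without a trace, and if none are recognised every do_start_session call fails with -EACCES; a log line on the `else` branch such as `lderr(cct) << __func__ << " ignoring unknown cipher in cephx_allowed_ciphers: " << cipher << dendl;` would make that misconfiguration visible.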
break;
}
+ if (!cipher_is_allowed(eauth.key.get_type())) {
+ ldout(cct, 20) << __func__ << " authentication failed due to unallowed cipher type: " << eauth.key.get_type() << dendl;
+ ret = -EACCES;
+ break;
+ }
+
if (!server_challenge) {
ret = -EACCES;
break;
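Review bot: The new rejection is logged at debug level 20, so in a normal deployment a client failing because its key type was removed from cephx_allowed_ciphers leaves no trace, and the text reads "unallowed". Since this is a policy denial rather than a protocol trace, a lower (more visible) level and clearer wording help the operator who changed the option, e.g. `ldout(cct, 10) << __func__ << " authentication failed, cipher type " << eauth.key.get_type() << " is not in cephx_allowed_ciphers" << dendl;`. do_start_session begins and ends outside this hunk, so the surrounding ret/break structure is assumed from the visible lines.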
#include "auth/AuthServiceHandler.h"
#include "auth/Auth.h"
+#include "common/ceph_mutex.h"
+#include "common/config_obs.h"
+
class KeyServer;
struct CephXAuthenticate;
struct CephXServiceTicketInfo;
-class CephxServiceHandler : public AuthServiceHandler {
+class CephxServiceHandler : public AuthServiceHandler, md_config_obs_t {
KeyServer *key_server;
uint64_t server_challenge;
+ std::set<int> allowed_ciphers;
+ ceph::shared_mutex lock = ceph::make_shared_mutex("CephxServiceHandler::lock");
+
public:
- CephxServiceHandler(CephContext *cct_, KeyServer *ks)
- : AuthServiceHandler(cct_), key_server(ks), server_challenge(0) {}
+ CephxServiceHandler(CephContext *cct_, KeyServer *ks);
~CephxServiceHandler() override {}
int handle_request(
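Review bot: The constructor now registers `this` with `cct->_conf.add_observer(this)`, but the destructor on the `~CephxServiceHandler() override {}` line stays empty, so a destroyed handler remains in the observer list and the next runtime change of cephx_allowed_ciphers would invoke handle_conf_change on freed memory. Pair the registration with `~CephxServiceHandler() override { cct->_conf.remove_observer(this); }`. Note also that md_config_obs_t is inherited without an access specifier, i.e. privately; that compiles because the observer calls are made from inside the class, but `public md_config_obs_t` is the form used elsewhere and avoids surprising anyone who later needs the base from outside.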
bool& should_enc_ticket);
void build_cephx_response_header(int request_type, int status,
ceph::buffer::list& bl);
+
+ std::vector<std::string> get_tracked_keys() const noexcept override;
+
+ void init_conf(const ConfigProxy& conf);
+ void handle_conf_change(const ConfigProxy& conf,
+ const std::set <std::string> &changed) override {
+ init_conf(conf);
+ }
+
+ bool cipher_is_allowed(int type);
};
#endif
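Review bot: The declaration `bool cipher_is_allowed(int type);` names the parameter differently from the definition (`int cipher`) in the .cc; pick one so the header documents the same contract, e.g. `bool cipher_is_allowed(int cipher_type);`. The inline handle_conf_change ignores `changed`, which is fine while get_tracked_keys reports a single key, but a one-line comment stating that assumption, `// only cephx_allowed_ciphers is tracked, so any change means a full re-parse`, would keep it from becoming a silent full re-parse if more keys are added later.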
fmt_desc: If the Ceph version supports message signing, Ceph will sign
all messages so they are more difficult to spoof.
with_legacy: true
+- name: cephx_allowed_ciphers
+ type: str
+ level: advanced
+ desc: list of allowed ciphers in cephx authentication
+ fmt_desc: This can be used to enable/disable specific key types
+ that are being used for connecting different entities to the
+ cluster.
+ default: aes, aes256k
+ with_legacy: false
+ flags:
+ - runtime
- name: auth_mon_ticket_ttl
type: float
level: advanced