return false;
}
-bool MDSDaemon::ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& is_valid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge)
-{
- Mutex::Locker l(mds_lock);
- if (stopping) {
- return false;
- }
- if (beacon.get_want_state() == CEPH_MDS_STATE_DNE)
- return false;
-
- AuthAuthorizeHandler *authorize_handler = 0;
- switch (peer_type) {
- case CEPH_ENTITY_TYPE_MDS:
- authorize_handler = authorize_handler_cluster_registry->get_handler(protocol);
- break;
- default:
- authorize_handler = authorize_handler_service_registry->get_handler(protocol);
- }
- if (!authorize_handler) {
- dout(0) << "No AuthAuthorizeHandler found for protocol " << protocol << dendl;
- is_valid = false;
- return true;
- }
-
- if (auto keys = monc->rotating_secrets.get(); keys) {
- is_valid = authorize_handler->verify_authorizer(
- cct, keys,
- authorizer_data, authorizer_reply,
- con->peer_name, con->peer_global_id,
- con->peer_caps_info,
- session_key, challenge);
- } else {
- dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
- is_valid = false;
- }
-
- if (is_valid) {
- ms_handle_authentication(con);
- }
- return true;
-}
-
KeyStore *MDSDaemon::ms_get_auth1_authorizer_keystore()
{
return monc->rotating_secrets.get();
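Review bot: The keystore getter that remains at the end of this hunk returns `monc->rotating_secrets.get()` unconditionally, while the verifier it replaces refused to authenticate at all while `stopping` or when the beacon's wanted state was `CEPH_MDS_STATE_DNE`, and took `mds_lock` to read them. Those guards need a new home — presumably `ms_handle_authentication`, which is not in this hunk — or a peer can complete msgr1 authentication against an MDS that is already shutting down. The removed code also treated a null rotating-secrets pointer as an explicit deny (`no rotating_keys (yet), denied`); confirm the messenger treats a null `KeyStore*` from this getter the same way rather than as "nothing to verify". A comment on the getter such as `// may return nullptr until rotating keys arrive from the mons; the caller must deny in that case` would record the contract. The getter's closing brace is outside the hunk.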
private:
bool ms_dispatch2(const Message::ref &m) override;
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool force_new) override;
- bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
int ms_handle_authentication(Connection *con) override;
KeyStore *ms_get_auth1_authorizer_keystore() override;
void ms_handle_accept(Connection *con) override;
return monc->rotating_secrets.get();
}
-bool DaemonServer::ms_verify_authorizer(
- Connection *con,
- int peer_type,
- int protocol,
- ceph::bufferlist& authorizer_data,
- ceph::bufferlist& authorizer_reply,
- bool& is_valid,
- CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge)
-{
- AuthAuthorizeHandler *handler = nullptr;
- if (peer_type == CEPH_ENTITY_TYPE_OSD ||
- peer_type == CEPH_ENTITY_TYPE_MON ||
- peer_type == CEPH_ENTITY_TYPE_MDS ||
- peer_type == CEPH_ENTITY_TYPE_MGR) {
- handler = auth_cluster_registry.get_handler(protocol);
- } else {
- handler = auth_service_registry.get_handler(protocol);
- }
- if (!handler) {
- dout(0) << "No AuthAuthorizeHandler found for protocol " << protocol << dendl;
- is_valid = false;
- return true;
- }
-
- if (auto keys = monc->rotating_secrets.get(); keys) {
- is_valid = handler->verify_authorizer(
- cct, keys,
- authorizer_data,
- authorizer_reply, con->peer_name,
- con->peer_global_id, con->peer_caps_info,
- session_key,
- challenge);
- } else {
- dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
- is_valid = false;
- }
-
- if (is_valid) {
- ms_handle_authentication(con);
- }
-
- return true;
-}
-
int DaemonServer::ms_handle_authentication(Connection *con)
{
int ret = 0;
bool ms_handle_refused(Connection *con) override;
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer,
bool force_new) override;
- bool ms_verify_authorizer(
- Connection *con,
- int peer_type,
- int protocol,
- ceph::bufferlist& authorizer,
- ceph::bufferlist& authorizer_reply,
- bool& isvalid,
- CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
KeyStore *ms_get_auth1_authorizer_keystore() override;
bool handle_open(MMgrOpen *m);
return true;
}
-bool Monitor::ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data,
- bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge)
-{
- dout(10) << "ms_verify_authorizer " << con->get_peer_addr()
- << " " << ceph_entity_type_name(peer_type)
- << " protocol " << protocol << dendl;
-
- if (is_shutdown())
- return false;
-
- if (peer_type == CEPH_ENTITY_TYPE_MON &&
- auth_cluster_required.is_supported_auth(CEPH_AUTH_CEPHX)) {
- // monitor, and cephx is enabled
- isvalid = false;
- if (protocol == CEPH_AUTH_CEPHX) {
- auto iter = authorizer_data.cbegin();
- CephXServiceTicketInfo auth_ticket_info;
-
- if (authorizer_data.length()) {
- bool ret = cephx_verify_authorizer(g_ceph_context, &keyring, iter,
- auth_ticket_info, challenge, authorizer_reply);
- if (ret) {
- session_key = auth_ticket_info.session_key;
- isvalid = true;
- } else {
- dout(0) << "ms_verify_authorizer bad authorizer from mon " << con->get_peer_addr() << dendl;
- }
- }
- } else {
- dout(0) << "ms_verify_authorizer cephx enabled, but no authorizer (required for mon)" << dendl;
- }
- } else {
- // who cares.
- isvalid = true;
- }
- return true;
-}
-
KeyStore *Monitor::ms_get_auth1_authorizer_keystore()
{
return &keyring;
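Review bot: The removed verifier accepted every non-mon peer unconditionally (`isvalid = true` under `// who cares`) and only enforced cephx for mon-to-mon connections, and it returned early on `is_shutdown()`; the getter that replaces it hands `&keyring` to the messenger for every peer type with no shutdown check. If the messenger now verifies every authorizer against that keyring this is stricter, which is welcome, but it is a behavior change for non-mon peers that should be stated explicitly rather than left implicit in the deletion, and the `is_shutdown()` early-return needs an equivalent elsewhere (presumably `ms_handle_authentication`, outside this hunk). A comment on the getter, e.g. `// the mon verifies msgr1 authorizers against its own keyring for every peer type (previously mon peers only)`, would make the change read as intentional. The getter's body continues past the last line of the hunk.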
//mon_caps is used for un-connected messages from monitors
MonCap mon_caps;
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool force_new) override;
- bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
KeyStore *ms_get_auth1_authorizer_keystore();
public: // for AuthMonitor msgr1:
int ms_handle_authentication(Connection *con) override;
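Review bot: `KeyStore *ms_get_auth1_authorizer_keystore();` two lines above the `public:` label is the only daemon declaration on this page without `override`; the MDS and mgr headers spell it `KeyStore *ms_get_auth1_authorizer_keystore() override;`. Without the keyword a later signature change in the Dispatcher base would silently turn this into an unrelated non-virtual method and the mon would hand the messenger whatever the base implementation returns instead of `&keyring`. Change the line to `KeyStore *ms_get_auth1_authorizer_keystore() override;`.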
* @return True if this function call properly filled in *a, false otherwise.
*/
virtual bool ms_get_authorizer(int dest_type, AuthAuthorizer **a, bool force_new) { return false; }
- /**
- * Verify the authorizer for a new incoming Connection.
- *
- * @param con The new incoming Connection
- * @param peer_type The type of the endpoint which initiated this Connection
- * @param protocol The ID of the protocol in use (at time of writing, cephx or none)
- * @param authorizer The authorization string supplied by the remote
- * @param authorizer_reply Output param: The string we should send back to
- * the remote to authorize ourselves. Only filled in if isvalid
- * @param isvalid Output param: True if authorizer is valid, false otherwise
- *
- * @return True if we were able to prove or disprove correctness of
- * authorizer, false otherwise.
- */
- virtual bool ms_verify_authorizer(Connection *con,
- int peer_type,
- int protocol,
- ceph::bufferlist& authorizer,
- ceph::bufferlist& authorizer_reply,
- bool& isvalid,
- CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) {
- return false;
- }
/**
* @} //Authentication
*/
return *authorizer != NULL;
}
-
-bool OSD::ms_verify_authorizer(
- Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge)
-{
- AuthAuthorizeHandler *authorize_handler = 0;
- switch (peer_type) {
- case CEPH_ENTITY_TYPE_MDS:
- /*
- * note: mds is technically a client from our perspective, but
- * this makes the 'cluster' consistent w/ monitor's usage.
- */
- case CEPH_ENTITY_TYPE_OSD:
- case CEPH_ENTITY_TYPE_MGR:
- authorize_handler = authorize_handler_cluster_registry->get_handler(protocol);
- break;
- default:
- authorize_handler = authorize_handler_service_registry->get_handler(protocol);
- }
- if (!authorize_handler) {
- dout(0) << "No AuthAuthorizeHandler found for protocol " << protocol << dendl;
- isvalid = false;
- return true;
- }
-
- auto keys = monc->rotating_secrets.get();
- if (keys) {
- isvalid = authorize_handler->verify_authorizer(
- cct, keys,
- authorizer_data, authorizer_reply,
- con->peer_name,
- con->peer_global_id,
- con->peer_caps_info,
- session_key,
- challenge);
- } else {
- dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
- isvalid = false;
- }
-
- if (isvalid) {
- ms_handle_authentication(con);
- }
- return true;
-}
-
KeyStore *OSD::ms_get_auth1_authorizer_keystore()
{
return monc->rotating_secrets.get();
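Review bot: The removed OSD verifier routed MDS, OSD and MGR peers to the cluster authorize registry and everyone else to the service registry, with a comment explaining why MDS is deliberately treated as cluster rather than client; the keystore getter left at the end of this hunk carries none of that, so the cluster/service decision must now be made inside the messenger and that rationale is lost from this file. The old `no rotating_keys (yet), denied` branch also made a null keystore an explicit deny, and `monc->rotating_secrets.get()` can still be null here, so the caller must treat nullptr as deny rather than as "no keys to check". Suggest keeping both facts visible on the getter: `// rotating secrets may be null until received from the mons; the messenger must deny authentication in that case`. The getter's closing brace is outside the hunk.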
bool ms_handle_refused(Connection *con) override {
return osd->ms_handle_refused(con);
}
- bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- isvalid = true;
- return true;
- }
int ms_handle_authentication(Connection *con) override {
return true;
}
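Review bot: `return true;` inside `int ms_handle_authentication(Connection *con) override` relies on bool-to-int promotion, while every other stub of the same method on this page writes `return 1;`; use `return 1;` here for consistency. With the explicit always-accept `ms_verify_authorizer` override deleted, nothing in this dispatcher says any more that heartbeat connections are accepted without verification, so a one-line comment on the remaining stub, `// heartbeat peers are accepted without authorizer verification`, would keep that visible to the next reader.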
void ms_fast_preprocess(Message *m) override;
bool ms_dispatch(Message *m) override;
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool force_new) override;
- bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
void ms_handle_connect(Connection *con) override;
void ms_handle_fast_connect(Connection *con) override;
void ms_handle_fast_accept(Connection *con) override;
bool ms_get_authorizer(int dest_type, AuthAuthorizer **a,
bool force_new) override { return false; };
- /**
- * Verify the authorizer for a new incoming Connection.
- *
- * @param con The new incoming Connection
- * @param peer_type The type of the endpoint which initiated this Connection
- * @param protocol The ID of the protocol in use (at time of writing, cephx
- * or none)
- * @param authorizer The authorization string supplied by the remote
- * @param authorizer_reply Output param: The string we should send back to
- * the remote to authorize ourselves. Only filled in if isvalid
- * @param isvalid Output param: True if authorizer is valid, false otherwise
- *
- * @return True if we were able to prove or disprove correctness of
- * authorizer, false otherwise.
- */
- bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer,
- bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- /* always succeed */
- isvalid = true;
- return true;
- };
int ms_handle_authentication(Connection *con) override {
return 1;
}
virtual bool ms_get_authorizer(int dest_type, AuthAuthorizer **a,
bool force_new) { return false; };
- /**
- * Verify the authorizer for a new incoming Connection.
- *
- * @param con The new incoming Connection
- * @param peer_type The type of the endpoint which initiated this Connection
- * @param protocol The ID of the protocol in use (at time of writing, cephx
- * or none)
- * @param authorizer The authorization string supplied by the remote
- * @param authorizer_reply Output param: The string we should send back to
- * the remote to authorize ourselves. Only filled in if isvalid
- * @param isvalid Output param: True if authorizer is valid, false otherwise
- *
- * @return True if we were able to prove or disprove correctness of
- * authorizer, false otherwise.
- */
- virtual bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer,
- bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) {
- /* always succeed */
- isvalid = true;
- return true;
- };
};
bool ms_handle_reset(Connection *con) override { return true; }
void ms_handle_remote_reset(Connection *con) override {}
bool ms_handle_refused(Connection *con) override { return false; }
- bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
- bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- isvalid = true;
- return true;
- }
int ms_handle_authentication(Connection *con) override {
return 1;
}
//cerr << __func__ << " reply message=" << m << std::endl;
op_wq.queue(m);
}
- bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
- bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- isvalid = true;
- return true;
- }
int ms_handle_authentication(Connection *con) override {
return 1;
}
cond.Signal();
}
- bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
- bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- isvalid = true;
- return true;
- }
-
int ms_handle_authentication(Connection *con) override {
return 1;
}
}
}
- bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
- bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- isvalid = true;
- return true;
- }
-
int ms_handle_authentication(Connection *con) override {
return 1;
}
void ms_fast_dispatch(Message *m) override {
ceph_abort();
}
- bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
- bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
- isvalid = true;
- return true;
- }
int ms_handle_authentication(Connection *con) override {
return 1;
}