explicit AuthAuthorizer(__u32 p) : protocol(p) {}
virtual ~AuthAuthorizer() {}
virtual bool verify_reply(bufferlist::iterator& reply) = 0;
+ virtual bool add_challenge(CephContext *cct, bufferlist& challenge) = 0;
+};
+
+struct AuthAuthorizerChallenge {
+ virtual ~AuthAuthorizerChallenge() {}
};
virtual bool verify_authorizer(CephContext *cct, KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id,
- AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid = NULL) = 0;
+ AuthCapsInfo& caps_info, CryptoKey& session_key,
+ uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) = 0;
virtual int authorizer_session_crypto() = 0;
};
-bool CephxAuthorizeHandler::verify_authorizer(CephContext *cct, KeyStore *keys,
- bufferlist& authorizer_data, bufferlist& authorizer_reply,
- EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid)
+bool CephxAuthorizeHandler::verify_authorizer(
+ CephContext *cct, KeyStore *keys,
+ bufferlist& authorizer_data, bufferlist& authorizer_reply,
+ EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info,
+ CryptoKey& session_key, uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
bufferlist::iterator iter = authorizer_data.begin();
CephXServiceTicketInfo auth_ticket_info;
- bool isvalid = cephx_verify_authorizer(cct, keys, iter, auth_ticket_info, authorizer_reply);
+ bool isvalid = cephx_verify_authorizer(cct, keys, iter, auth_ticket_info, challenge,
+ authorizer_reply);
if (isvalid) {
caps_info = auth_ticket_info.ticket.caps;
bool verify_authorizer(CephContext *cct, KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id,
- AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid = NULL);
- int authorizer_session_crypto();
+ AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
+ int authorizer_session_crypto() override;
};
::encode(service_id, a->bl);
::encode(ticket, a->bl);
+ a->base_bl = a->bl;
CephXAuthorize msg;
msg.nonce = a->nonce;
*/
bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
bufferlist::iterator& indata,
- CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl)
+ CephXServiceTicketInfo& ticket_info,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge,
+ bufferlist& reply_bl)
{
__u8 authorizer_v;
uint32_t service_id;
return false;
}
+ if (challenge) {
+ auto *c = static_cast<CephXAuthorizeChallenge*>(challenge->get());
+ if (!auth_msg.have_challenge || !c) {
+ c = new CephXAuthorizeChallenge;
+ challenge->reset(c);
+ get_random_bytes((char*)&c->server_challenge, sizeof(c->server_challenge));
+ ldout(cct,10) << __func__ << " adding server_challenge " << c->server_challenge
+ << dendl;
+
+ encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, reply_bl, error);
+ if (!error.empty()) {
+ ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
+ return false;
+ }
+ return false;
+ }
+ ldout(cct, 10) << __func__ << " got server_challenge+1 "
+ << auth_msg.server_challenge_plus_one
+ << " expecting " << c->server_challenge + 1 << dendl;
+ if (c->server_challenge + 1 != auth_msg.server_challenge_plus_one) {
+ return false;
+ }
+ }
+
/*
* Reply authorizer:
* {timestamp + 1}^session_key
return true;
}
+bool CephXAuthorizer::add_challenge(CephContext *cct, bufferlist& challenge)
+{
+ bl = base_bl;
+
+ CephXAuthorize msg;
+ msg.nonce = nonce;
+
+ auto p = challenge.begin();
+ if (!p.end()) {
+ std::string error;
+ CephXAuthorizeChallenge ch;
+ decode_decrypt_enc_bl(cct, ch, session_key, challenge, error);
+ if (!error.empty()) {
+ ldout(cct, 0) << "failed to decrypt challenge (" << challenge.length() << " bytes): "
+ << error << dendl;
+ return false;
+ }
+ msg.have_challenge = true;
+ msg.server_challenge_plus_one = ch.server_challenge + 1;
+ }
+
+ std::string error;
+ if (encode_encrypt(cct, msg, session_key, bl, error)) {
+ ldout(cct, 0) << __func__ << " failed to encrypt authorizer: " << error << dendl;
+ return false;
+ }
+ return true;
+}
CephContext *cct;
public:
uint64_t nonce;
+ bufferlist base_bl;
explicit CephXAuthorizer(CephContext *cct_)
: AuthAuthorizer(CEPH_AUTH_CEPHX), cct(cct_), nonce(0) {}
bool build_authorizer();
- bool verify_reply(bufferlist::iterator& reply);
+ bool verify_reply(bufferlist::iterator& reply) override;
+ bool add_challenge(CephContext *cct, bufferlist& challenge) override;
};
};
WRITE_CLASS_ENCODER(CephXServiceTicketInfo)
+struct CephXAuthorizeChallenge : public AuthAuthorizerChallenge {
+ uint64_t server_challenge;
+ void encode(bufferlist& bl) const {
+ __u8 struct_v = 1;
+ ::encode(struct_v, bl);
+ ::encode(server_challenge, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ __u8 struct_v;
+ ::decode(struct_v, bl);
+ ::decode(server_challenge, bl);
+ }
+};
+WRITE_CLASS_ENCODER(CephXAuthorizeChallenge)
+
struct CephXAuthorize {
uint64_t nonce;
+ bool have_challenge = false;
+ uint64_t server_challenge_plus_one = 0;
void encode(bufferlist& bl) const {
- __u8 struct_v = 1;
+ __u8 struct_v = 2;
::encode(struct_v, bl);
::encode(nonce, bl);
+ ::encode(have_challenge, bl);
+ ::encode(server_challenge_plus_one, bl);
}
void decode(bufferlist::iterator& bl) {
__u8 struct_v;
::decode(struct_v, bl);
::decode(nonce, bl);
+ if (struct_v >= 2) {
+ ::decode(have_challenge, bl);
+ ::decode(server_challenge_plus_one, bl);
+ }
+
}
};
WRITE_CLASS_ENCODER(CephXAuthorize)
/*
* Verify authorizer and generate reply authorizer
*/
-extern bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
- bufferlist::iterator& indata,
- CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl);
+extern bool cephx_verify_authorizer(
+ CephContext *cct, KeyStore *keys,
+ bufferlist::iterator& indata,
+ CephXServiceTicketInfo& ticket_info,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge,
+ bufferlist& reply_bl);
bufferlist tmp_bl;
CephXServiceTicketInfo auth_ticket_info;
- if (!cephx_verify_authorizer(cct, key_server, indata, auth_ticket_info, tmp_bl)) {
+ // note: no challenge here.
+ if (!cephx_verify_authorizer(cct, key_server, indata, auth_ticket_info, nullptr,
+ tmp_bl)) {
ret = -EPERM;
break;
}
#define dout_subsys ceph_subsys_auth
-bool AuthNoneAuthorizeHandler::verify_authorizer(CephContext *cct, KeyStore *keys,
- bufferlist& authorizer_data, bufferlist& authorizer_reply,
- EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, CryptoKey& session_key,
-uint64_t *auid)
+bool AuthNoneAuthorizeHandler::verify_authorizer(
+ CephContext *cct, KeyStore *keys,
+ bufferlist& authorizer_data, bufferlist& authorizer_reply,
+ EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info,
+ CryptoKey& session_key,
+ uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
bufferlist::iterator iter = authorizer_data.begin();
bool verify_authorizer(CephContext *cct, KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id,
- AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid=NULL);
- int authorizer_session_crypto();
+ AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
+ int authorizer_session_crypto() override;
};
#include "../Auth.h"
+class CephContext;
+
struct AuthNoneAuthorizer : public AuthAuthorizer {
AuthNoneAuthorizer() : AuthAuthorizer(CEPH_AUTH_NONE) { }
bool build_authorizer(const EntityName &ename, uint64_t global_id) {
::encode(global_id, bl);
return 0;
}
- bool verify_reply(bufferlist::iterator& reply) { return true; }
+ bool verify_reply(bufferlist::iterator& reply) override { return true; }
+ bool add_challenge(CephContext *cct, bufferlist& ch) override { return true; }
};
#endif
#define dout_subsys ceph_subsys_auth
-bool AuthUnknownAuthorizeHandler::verify_authorizer(CephContext *cct, KeyStore *keys,
- bufferlist& authorizer_data, bufferlist& authorizer_reply,
- EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, CryptoKey& session_key,
-uint64_t *auid)
+bool AuthUnknownAuthorizeHandler::verify_authorizer(
+ CephContext *cct, KeyStore *keys,
+ bufferlist& authorizer_data, bufferlist& authorizer_reply,
+ EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info,
+ CryptoKey& session_key,
+ uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
// For unknown authorizers, there's nothing to verify. They're "OK" by definition. PLR
bool verify_authorizer(CephContext *cct, KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id,
- AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid=NULL);
- int authorizer_session_crypto();
+ AuthCapsInfo& caps_info, CryptoKey& session_key, uint64_t *auid,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
+ int authorizer_session_crypto() override;
};
#define CEPH_MSGR_TAG_SEQ 13 /* 64-bit int follows with seen seq number */
#define CEPH_MSGR_TAG_KEEPALIVE2 14
#define CEPH_MSGR_TAG_KEEPALIVE2_ACK 15 /* keepalive reply */
-
+#define CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER 16 /* ceph v2 doing server challenge */
/*
* connection negotiation
bool MDSDaemon::ms_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& is_valid, CryptoKey& session_key)
+ bool& is_valid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
Mutex::Locker l(mds_lock);
if (stopping) {
EntityName name;
uint64_t global_id;
- is_valid = authorize_handler->verify_authorizer(cct, monc->rotating_secrets,
- authorizer_data, authorizer_reply, name, global_id, caps_info, session_key);
+ RotatingKeyRing *keys = monc->rotating_secrets;
+ if (keys) {
+ is_valid = authorize_handler->verify_authorizer(
+ cct, keys,
+ authorizer_data, authorizer_reply, name, global_id, caps_info,
+ session_key, nullptr, challenge);
+ } else {
+ dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
+ is_valid = false;
+ }
if (is_valid) {
entity_name_t n(con->get_peer_type(), global_id);
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool force_new);
bool ms_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key);
- void ms_handle_accept(Connection *con);
- void ms_handle_connect(Connection *con);
- bool ms_handle_reset(Connection *con);
- void ms_handle_remote_reset(Connection *con);
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
+ void ms_handle_accept(Connection *con) override;
+ void ms_handle_connect(Connection *con) override;
+ bool ms_handle_reset(Connection *con) override;
+ void ms_handle_remote_reset(Connection *con) override;
protected:
// admin socket handling
}
bool Monitor::ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key)
+ int protocol, bufferlist& authorizer_data,
+ bufferlist& authorizer_reply,
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
dout(10) << "ms_verify_authorizer " << con->get_peer_addr()
<< " " << ceph_entity_type_name(peer_type)
if (authorizer_data.length()) {
bool ret = cephx_verify_authorizer(g_ceph_context, &keyring, iter,
- auth_ticket_info, authorizer_reply);
+ auth_ticket_info, challenge, authorizer_reply);
if (ret) {
session_key = auth_ticket_info.session_key;
isvalid = true;
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool force_new);
bool ms_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key);
- bool ms_handle_reset(Connection *con);
- void ms_handle_remote_reset(Connection *con) {}
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
+ bool ms_handle_reset(Connection *con) override;
+ void ms_handle_remote_reset(Connection *con) override {}
int write_default_keyring(bufferlist& bl);
void extract_save_mon_key(KeyRing& keyring);
#define CEPH_DISPATCHER_H
#include "include/assert.h"
+#include <memory>
#include "include/buffer_fwd.h"
#include "include/assert.h"
class AuthAuthorizer;
class CryptoKey;
class CephContext;
+class AuthAuthorizerChallenge;
class Dispatcher {
public:
ceph::bufferlist& authorizer,
ceph::bufferlist& authorizer_reply,
bool& isvalid,
- CryptoKey& session_key) { return false; }
+ CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) {
+ return false;
+ }
/**
* @} //Authentication
*/
*/
bool ms_deliver_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) {
for (list<Dispatcher*>::iterator p = dispatchers.begin();
p != dispatchers.end();
++p) {
- if ((*p)->ms_verify_authorizer(con, peer_type, protocol, authorizer, authorizer_reply, isvalid, session_key))
+ if ((*p)->ms_verify_authorizer(con, peer_type, protocol, authorizer, authorizer_reply,
+ isvalid, session_key, challenge))
return true;
}
return false;
case STATE_CONNECTING_SEND_CONNECT_MSG:
{
- if (!got_bad_auth) {
- delete authorizer;
+ if (!authorizer) {
authorizer = async_msgr->get_authorizer(peer_type, false);
}
bufferlist bl;
}
authorizer_reply.append(state_buffer, connect_reply.authorizer_len);
- bufferlist::iterator iter = authorizer_reply.begin();
+
+ if (connect_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) {
+ ldout(async_msgr->cct,10) << __func__ << " connect got auth challenge" << dendl;
+ authorizer->add_challenge(async_msgr->cct, authorizer_reply);
+ state = STATE_CONNECTING_SEND_CONNECT_MSG;
+ break;
+ }
+
+ auto iter = authorizer_reply.begin();
if (authorizer && !authorizer->verify_reply(iter)) {
ldout(async_msgr->cct, 0) << __func__ << " failed verifying authorize reply" << dendl;
goto fail;
lock.Unlock();
bool authorizer_valid;
- if (!async_msgr->verify_authorizer(this, peer_type, connect.authorizer_protocol, authorizer_bl,
- authorizer_reply, authorizer_valid, session_key) || !authorizer_valid) {
- ldout(async_msgr->cct,0) << __func__ << ": got bad authorizer" << dendl;
+ bool need_challenge = connect.features & CEPH_FEATURE_CEPHX_V2;
+ bool had_challenge = (bool)authorizer_challenge;
+ if (!async_msgr->verify_authorizer(
+ this, peer_type, connect.authorizer_protocol, authorizer_bl,
+ authorizer_reply, authorizer_valid, session_key,
+ need_challenge ? &authorizer_challenge : nullptr) ||
+ !authorizer_valid) {
+ char tag;
+ if (need_challenge && !had_challenge && authorizer_challenge) {
+ ldout(async_msgr->cct,0) << __func__ << ": challenging authorizer"
+ << dendl;
+ assert(authorizer_reply.length());
+ tag = CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER;
+ } else {
+ ldout(async_msgr->cct,0) << __func__ << ": got bad authorizer" << dendl;
+ tag = CEPH_MSGR_TAG_BADAUTHORIZER;
+ }
session_security.reset();
- return _reply_accept(CEPH_MSGR_TAG_BADAUTHORIZER, connect, reply, authorizer_reply);
+ return _reply_accept(tag, connect, reply, authorizer_reply);
}
// We've verified the authorizer for this AsyncConnection, so set up the session security structure. PLR
ldout(async_msgr->cct, 0) << __func__ << " reply fault for existing connection." << dendl;
existing->fault();
}
+ existing->authorizer_challenge.reset();
ldout(async_msgr->cct, 1) << __func__ << " stop myself to swap existing" << dendl;
_stop();
NetHandler net;
EventCenter *center;
ceph::shared_ptr<AuthSessionHandler> session_security;
+ std::unique_ptr<AuthAuthorizerChallenge> authorizer_challenge; // accept side
#if !defined(MSG_NOSIGNAL) && !defined(SO_NOSIGPIPE)
sigset_t sigpipe_mask;
* This wraps ms_deliver_verify_authorizer; we use it for AsyncConnection.
*/
bool verify_authorizer(Connection *con, int peer_type, int protocol, bufferlist& auth, bufferlist& auth_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) {
return ms_deliver_verify_authorizer(con, peer_type, protocol, auth,
- auth_reply, isvalid, session_key);
+ auth_reply, isvalid, session_key, challenge);
}
/**
* Increment the global sequence for this AsyncMessenger and return it.
// used for reading in the remote acked seq on connect
uint64_t newly_acked_seq = 0;
+ bool need_challenge = false;
+ bool had_challenge = false;
+ std::unique_ptr<AuthAuthorizerChallenge> authorizer_challenge;
+
recv_reset();
set_socket_options();
pipe_lock.Unlock();
- if (!msgr->verify_authorizer(connection_state.get(), peer_type, connect.authorizer_protocol, authorizer,
- authorizer_reply, authorizer_valid, session_key) ||
+ need_challenge = connect.features & CEPH_FEATURE_CEPHX_V2;
+ had_challenge = (bool)authorizer_challenge;
+ authorizer_reply.clear();
+ if (!msgr->verify_authorizer(
+ connection_state.get(), peer_type, connect.authorizer_protocol, authorizer,
+ authorizer_reply, authorizer_valid, session_key,
+ need_challenge ? &authorizer_challenge : nullptr) ||
!authorizer_valid) {
- ldout(msgr->cct,0) << "accept: got bad authorizer" << dendl;
pipe_lock.Lock();
if (state != STATE_ACCEPTING)
goto shutting_down_msgr_unlocked;
- reply.tag = CEPH_MSGR_TAG_BADAUTHORIZER;
+ if (!had_challenge && need_challenge && authorizer_challenge) {
+ ldout(msgr->cct,0) << "accept: challenging authorizer "
+ << authorizer_reply.length()
+ << " bytes" << dendl;
+ assert(authorizer_reply.length());
+ reply.tag = CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER;
+ } else {
+ ldout(msgr->cct,0) << "accept: got bad authorizer" << dendl;
+ reply.tag = CEPH_MSGR_TAG_BADAUTHORIZER;
+ }
session_security.reset();
goto reply;
}
while (1) {
- delete authorizer;
- authorizer = msgr->get_authorizer(peer_type, false);
+ if (!authorizer) {
+ authorizer = msgr->get_authorizer(peer_type, false);
+ }
bufferlist authorizer_reply;
ceph_msg_connect connect;
authorizer_reply.push_back(bp);
}
+ if (reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) {
+ authorizer->add_challenge(msgr->cct, authorizer_reply);
+ ldout(msgr->cct,10) << " got authorizer challenge, " << authorizer_reply.length()
+ << " bytes" << dendl;
+ continue;
+ }
+
if (authorizer) {
bufferlist::iterator iter = authorizer_reply.begin();
if (!authorizer->verify_reply(iter)) {
bool SimpleMessenger::verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid,CryptoKey& session_key)
+ bool& isvalid,CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
- return ms_deliver_verify_authorizer(con, peer_type, protocol, authorizer, authorizer_reply, isvalid,session_key);
+ return ms_deliver_verify_authorizer(con, peer_type, protocol, authorizer, authorizer_reply,
+ isvalid, session_key,
+ challenge);
}
ConnectionRef SimpleMessenger::get_connection(const entity_inst_t& dest)
/**
* This wraps ms_deliver_verify_authorizer; we use it for Pipe.
*/
- bool verify_authorizer(Connection *con, int peer_type, int protocol, bufferlist& auth, bufferlist& auth_reply,
- bool& isvalid,CryptoKey& session_key);
+ bool verify_authorizer(Connection *con, int peer_type, int protocol, bufferlist& auth,
+ bufferlist& auth_reply,
+ bool& isvalid,CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge);
/**
* Increment the global sequence for this SimpleMessenger and return it.
* This is for the connect protocol, although it doesn't hurt if somebody
}
-bool OSD::ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key)
+bool OSD::ms_verify_authorizer(
+ Connection *con, int peer_type,
+ int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge)
{
AuthAuthorizeHandler *authorize_handler = 0;
switch (peer_type) {
uint64_t global_id;
uint64_t auid = CEPH_AUTH_UID_DEFAULT;
- isvalid = authorize_handler->verify_authorizer(cct, monc->rotating_secrets,
- authorizer_data, authorizer_reply, name, global_id, caps_info, session_key, &auid);
+ RotatingKeyRing *keys = monc->rotating_secrets;
+ if (keys) {
+ isvalid = authorize_handler->verify_authorizer(
+ cct, keys,
+ authorizer_data, authorizer_reply, name, global_id, caps_info, session_key,
+ &auid, challenge);
+ } else {
+ dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
+ isvalid = false;
+ }
if (isvalid) {
Session *s = static_cast<Session *>(con->get_priv());
void ms_handle_remote_reset(Connection *con) {}
bool ms_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer_data, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
isvalid = true;
return true;
}
bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool force_new);
bool ms_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key);
- void ms_handle_connect(Connection *con);
- void ms_handle_fast_connect(Connection *con);
- void ms_handle_fast_accept(Connection *con);
- bool ms_handle_reset(Connection *con);
- void ms_handle_remote_reset(Connection *con) {}
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
+ void ms_handle_connect(Connection *con) override;
+ void ms_handle_fast_connect(Connection *con) override;
+ void ms_handle_fast_accept(Connection *con) override;
+ bool ms_handle_reset(Connection *con) override;
+ void ms_handle_remote_reset(Connection *con) override {}
io_queue get_io_queue() const {
if (cct->_conf->osd_op_queue == "debug_random") {
* @return True if we were able to prove or disprove correctness of
* authorizer, false otherwise.
*/
- virtual bool ms_verify_authorizer(Connection *con, int peer_type,
- int protocol, bufferlist& authorizer,
- bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool ms_verify_authorizer(Connection *con, int peer_type,
+ int protocol, bufferlist& authorizer,
+ bufferlist& authorizer_reply,
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
/* always succeed */
isvalid = true;
return true;
virtual bool ms_verify_authorizer(Connection *con, int peer_type,
int protocol, bufferlist& authorizer,
bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) {
/* always succeed */
isvalid = true;
return true;
void ms_handle_remote_reset(Connection *con) {}
bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
isvalid = true;
return true;
}
}
bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
isvalid = true;
return true;
}
bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
isvalid = true;
return true;
}
bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
isvalid = true;
return true;
}
}
bool ms_verify_authorizer(Connection *con, int peer_type, int protocol,
bufferlist& authorizer, bufferlist& authorizer_reply,
- bool& isvalid, CryptoKey& session_key) {
+ bool& isvalid, CryptoKey& session_key,
+ std::unique_ptr<AuthAuthorizerChallenge> *challenge) override {
isvalid = true;
return true;
}
projects / ceph.git / commitdiff