When generating tickets for clients, use the next key if the current
one is expired. That ensures they will renew before their ticket
times out.
RotatingSecrets& secrets = iter->second;
- // second to oldest
+ // second to oldest, unless it's expired
map<uint64_t, ExpiringCryptoKey>::iterator riter = secrets.secrets.begin();
if (secrets.secrets.size() > 1)
++riter;
+ if (riter->second.expiration < g_clock.now())
+ ++riter; // "current" key has expired, use "next" key instead
+
secret_id = riter->first;
secret = riter->second;
dout(10) << "get_service_secret service " << ceph_entity_type_name(service_id)
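Review bot: The added `++riter` on the expired-key path has no bound check, so when the map holds only one or two keys the iterator lands on `secrets.secrets.end()` and the `riter->first` / `riter->second` reads right after it dereference the end iterator. The `size() > 1` guard just above suggests short maps are considered possible, so the advance should only happen when a next entry exists, e.g. `map<uint64_t, ExpiringCryptoKey>::iterator next = riter; ++next;` followed by `if (riter->second.expiration < g_clock.now() && next != secrets.secrets.end()) riter = next;`. It is also worth deciding, and logging, what happens when the "next" key is itself expired or missing, since the function would then hand out a secret that is already past its expiration. The enclosing function starts and ends outside the hunk, so an earlier size or emptiness check may exist that is not visible here.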