rgw: add support for client cert and key for vault
authorJiffin Tony Thottan <jthottan@redhat.com>
Mon, 22 Feb 2021 09:46:10 +0000 (15:16 +0530)
committerJiffin Tony Thottan <jthottan@redhat.com>
Tue, 29 Jun 2021 10:30:17 +0000 (16:00 +0530)
Authenticate to Vault using a user-supplied client certificate and private key.

Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
(cherry picked from commit 5b9139bd366d029871d29ca90971c5ad058fcf01)

Conflicts:
src/common/options/rgw.yaml.in
- added required changes in options.cc and legacy_config_opts.h

src/common/legacy_config_opts.h
src/common/options.cc
src/rgw/rgw_http_client.cc
src/rgw/rgw_http_client.h
src/rgw/rgw_kms.cc

index 5f81a7c414436af6f62f3557c7c20c08dc3ba957..476a16cc2162f8c28af18ce012bd96f9f78c28c8 100644 (file)
@@ -1511,6 +1511,8 @@ OPTION(rgw_crypt_vault_secret_engine, OPT_STR) // kv, transit or other supported
 OPTION(rgw_crypt_vault_namespace, OPT_STR) // Vault Namespace (only availabe in Vault Enterprise Version)
 OPTION(rgw_crypt_vault_verify_ssl, OPT_BOOL) // should we try to verify vault's ssl
 OPTION(rgw_crypt_vault_ssl_cacert, OPT_STR) // optional ca certificate for accessing vault
+OPTION(rgw_crypt_vault_ssl_clientcert, OPT_STR) // client certificate for accessing vault
+OPTION(rgw_crypt_vault_ssl_clientkey, OPT_STR) // private key for client certificate
 
 OPTION(rgw_crypt_kmip_addr, OPT_STR) // kmip server address
 OPTION(rgw_crypt_kmip_ca_path, OPT_STR) // ca for kmip servers
index 21ff3344c1f97090aec6fc04dc73ee795a538c56..96bbf56c1a023a29dce44669c819ed82856c0ccb 100644 (file)
@@ -7183,6 +7183,14 @@ std::vector<Option> get_rgw_options() {
     .set_default("")
     .set_description("Path for custom ca certificate for accessing vault server"),
 
+    Option("rgw_crypt_vault_ssl_clientcert", Option::TYPE_STR, Option::LEVEL_ADVANCED)
+    .set_default("")
+    .set_description("Path for customed client certificate for accessing vault server"),
+
+    Option("rgw_crypt_vault_ssl_clientkey", Option::TYPE_STR, Option::LEVEL_ADVANCED)
+    .set_default("")
+    .set_description("Path for private key required for client cert"),
+
     Option("rgw_crypt_kmip_addr", Option::TYPE_STR, Option::LEVEL_ADVANCED)
     .set_default("")
     .set_description("kmip server address"),
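Review bot: The description for `rgw_crypt_vault_ssl_clientcert` has a typo (`customed`), and neither description tells the operator that the two options only take effect together or that the key is for the certificate named by the other option. Suggest `.set_description("Path to the client certificate presented to the vault server; requires rgw_crypt_vault_ssl_clientkey")` and `.set_description("Path to the private key for rgw_crypt_vault_ssl_clientcert; must be set together with it")`. The change sets no key-passphrase option on the curl handle, so a passphrase-protected key file presumably cannot be used; if that is intended it is worth stating in the description as well.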
index 2b7675768d36ffc4600127eec32a0ee9d0ce6b74..01457a7c98ae9cce3e9360748d70143d6912af1d 100644 (file)
@@ -564,9 +564,21 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
-  } else if (!ca_path.empty()) {
-    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
-    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+  } else {
+    if (!ca_path.empty()) {
+      curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+      dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+    }
+    if (!client_cert.empty()) {
+      if (!client_key.empty()) {
+       curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
+       curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
+       dout(20) << "using custom client cert " << client_cert.c_str()
+         << " and private key " << client_key.c_str() << dendl;
+      } else {
+       dout(5) << "private key is missing for client certificate" << dendl;
+      }
+    }
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
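Review bot: The client certificate is only applied on the `else` side of the ssl-verification check, so when verification is off (the branch ending at line 52) `client_cert`/`client_key` are never passed to libcurl and the request is sent without client authentication even though the operator configured one; presenting a client certificate is independent of verifying the peer and should sit outside that `if/else`. In the same hunk, a certificate without a key only logs at level 5 and continues, so the request goes out without mTLS and fails later with a less specific error; since `init_request` returns an int, it should fail fast there instead (using whatever negative error convention the function's other paths use — `-EINVAL` if errno values are already in use here). `init_request` begins before and ends after this hunk.
```cpp
  } else if (!ca_path.empty()) {
    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
  }
  // Client authentication is independent of peer verification.
  if (!client_cert.empty()) {
    if (client_key.empty()) {
      dout(0) << "ERROR: private key is missing for client certificate" << dendl;
      return -EINVAL;
    }
    curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
    curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
    dout(20) << "using custom client cert " << client_cert.c_str()
      << " and private key " << client_key.c_str() << dendl;
  }
  // … unchanged: CURLOPT_PRIVATE / CURLOPT_TIMEOUT setup …
```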
index 265ae2615793a659e3c73938b7d58f17d7a321cd..79de60a179660cebaf90a00d55f88ed1a9eb4565 100644 (file)
@@ -42,6 +42,10 @@ class RGWHTTPClient : public RGWIOProvider
 
   string ca_path;
 
+  string client_cert;
+
+  string client_key;
+
   std::atomic<unsigned> stopped { 0 };
 
 
@@ -177,6 +181,14 @@ public:
   void set_ca_path(const string& _ca_path) {
     ca_path = _ca_path;
   }
+
+  void set_client_cert(const string& _client_cert) {
+    client_cert = _client_cert;
+  }
+
+  void set_client_key(const string& _client_key) {
+    client_key = _client_key;
+  }
 };
 
 
index 687adb7700b8d0145527b6c70a0e8c9537bb8578..dcdcf875115dbe5f042084cd8b631df2de045954 100644 (file)
@@ -258,6 +258,13 @@ protected:
       secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
     }
 
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientcert.empty()) {
+      secret_req.set_client_cert(cct->_conf->rgw_crypt_vault_ssl_clientcert);
+    }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) {
+      secret_req.set_client_key(cct->_conf->rgw_crypt_vault_ssl_clientkey);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
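Review bot: The two settings are forwarded to `secret_req` independently, so a configuration that sets only `rgw_crypt_vault_ssl_clientcert` or only `rgw_crypt_vault_ssl_clientkey` is passed through and the mismatch surfaces only inside the HTTP client, or as a generic failure on the `res < 0` path below. Validate the pair before the request is issued, e.g. `if (cct->_conf->rgw_crypt_vault_ssl_clientcert.empty() != cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) { ldout(cct, 0) << "ERROR: rgw_crypt_vault_ssl_clientcert and rgw_crypt_vault_ssl_clientkey must both be set" << dendl; return -EINVAL; }`, using whatever error value this function's other failure paths return if it is not a negative errno. The enclosing function begins before and ends after this hunk.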