rgw: add support for client cert and key for vault
authorJiffin Tony Thottan <jthottan@redhat.com>
Mon, 22 Feb 2021 09:46:10 +0000 (15:16 +0530)
committerJiffin Tony Thottan <jthottan@redhat.com>
Fri, 16 Apr 2021 17:37:49 +0000 (23:07 +0530)
Authenticate to Vault with a user-supplied client certificate and key.

Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
src/common/options/rgw.yaml.in
src/rgw/rgw_http_client.cc
src/rgw/rgw_http_client.h
src/rgw/rgw_kms.cc

index 847e0fdacef977668097bf7b420a01184d56f581..6f7f769d5790b567ea7247c85453beb972b2f984 100644 (file)
@@ -2393,6 +2393,20 @@ options:
   services:
   - rgw
   with_legacy: true
+- name: rgw_crypt_vault_ssl_clientcert
+  type: str
+  level: advanced
+  desc: Path for custom client certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
+- name: rgw_crypt_vault_ssl_clientkey
+  type: str
+  level: advanced
+  desc: Path for private key required for client cert
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
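Review bot: The desc for rgw_crypt_vault_ssl_clientkey should state what the file must be, because the companion rgw_http_client.cc hunk hands the path straight to CURLOPT_SSLKEY without setting CURLOPT_KEYPASSWD, so a passphrase-protected key cannot be loaded and the failure will surface only as a TLS error at request time. Suggest `desc: Path to the unencrypted PEM private key matching rgw_crypt_vault_ssl_clientcert; must be readable by the rgw process`. The clientcert desc should likewise say the certificate is only presented when the key option is also set, since init_request skips it otherwise.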
index dacf9fecadba60e04eff286472d8e4974ce772ec..059a2091bbde19578ca326e220e55bf8620138bd 100644 (file)
@@ -614,9 +614,21 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
-  } else if (!ca_path.empty()) {
-    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
-    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+  } else {
+    if (!ca_path.empty()) {
+      curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+      dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+    }
+    if (!client_cert.empty()) {
+      if (!client_key.empty()) {
+       curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
+       curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
+       dout(20) << "using custom client cert " << client_cert.c_str()
+         << " and private key " << client_key.c_str() << dendl;
+      } else {
+       dout(5) << "private key is missing for client certificate" << dendl;
+      }
+    }
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
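Review bot: A client certificate configured without a key is logged at dout(5) and then silently dropped, so the request still goes out without client auth and either fails later with an opaque TLS error from Vault or, if the server does not enforce mTLS, succeeds without the authentication the operator configured; this misconfiguration should fail closed here, e.g. `dout(0) << "ERROR: private key is missing for client certificate" << dendl; return -EINVAL;`, assuming init_request's callers act on its return value (the function begins before the hunk). The new block also lives inside the `else` of the verify-peer-off branch, so a configured client cert is never presented when SSL verification is disabled; presenting a client certificate is independent of verifying the peer, and the `if (!client_cert.empty())` block probably belongs after the `if/else` rather than inside it. Minor: the six lines from `curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, ...)` through the `dout(5)` are indented seven columns against the file's two-space steps, which makes the nesting hard to read.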
index 5782be6da5cc954e242fc139a1fc723fc8a9b78b..355e4181df93bf0434083d8401cc7a0f82e0ecb6 100644 (file)
@@ -42,6 +42,10 @@ class RGWHTTPClient : public RGWIOProvider,
 
   string ca_path;
 
+  string client_cert;
+
+  string client_key;
+
   std::atomic<unsigned> stopped { 0 };
 
 
@@ -178,6 +182,14 @@ public:
   void set_ca_path(const string& _ca_path) {
     ca_path = _ca_path;
   }
+
+  void set_client_cert(const string& _client_cert) {
+    client_cert = _client_cert;
+  }
+
+  void set_client_key(const string& _client_key) {
+    client_key = _client_key;
+  }
 };
 
 
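Review bot: set_client_cert and set_client_key carry no comment, and the pairing rule lives only inside init_request (a cert set without a key is not used), so a caller reading the header cannot tell that calling one without the other is a no-op. Suggest above set_client_cert: `// Path to a PEM client certificate presented to the server; it is only used when set_client_key is also called.` and above set_client_key: `// Path to the PEM private key for the certificate given to set_client_cert.`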
index 687adb7700b8d0145527b6c70a0e8c9537bb8578..dcdcf875115dbe5f042084cd8b631df2de045954 100644 (file)
@@ -258,6 +258,13 @@ protected:
       secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
     }
 
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientcert.empty()) {
+      secret_req.set_client_cert(cct->_conf->rgw_crypt_vault_ssl_clientcert);
+    }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) {
+      secret_req.set_client_key(cct->_conf->rgw_crypt_vault_ssl_clientkey);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
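Review bot: The two `.empty()` guards around set_client_cert and set_client_key are redundant, since init_request in rgw_http_client.cc already ignores an empty client_cert or client_key, though they do mirror the set_ca_path guard on the preceding context line. If they stay, this is the one place with cct in hand where a cert configured without a key could be reported once with `ldout(cct, 0)` at configuration time, rather than being rediscovered on every request inside init_request. The enclosing function starts before the hunk.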