#include "osd/OSDMap.h"
#include "auth/AuthSupported.h"
+#include "auth/KeyRing.h"
#include "common/config.h"
shutdown();
}
-void Monitor::init()
+int Monitor::init()
{
lock.Lock();
KeyRing keyring;
bufferlist::iterator p = bl.begin();
::decode(keyring, p);
- key_server.bootstrap_keyring(keyring);
+ extract_save_mon_key(keyring);
+ }
+
+ ostringstream os;
+ os << g_conf->mon_data << "/keyring";
+ int r = keyring.load(cct, os.str());
+ if (r < 0) {
+ EntityName mon_name;
+ mon_name.set_type(CEPH_ENTITY_TYPE_MON);
+ EntityAuth mon_key;
+ if (key_server.get_auth(mon_name, mon_key)) {
+ dout(1) << "copying mon. key from old db to external keyring" << dendl;
+ keyring.add(mon_name, mon_key);
+ bufferlist bl;
+ keyring.encode_plaintext(bl);
+ store->put_bl_ss(bl, "keyring", NULL);
+ } else {
+ derr << "unable to load initial keyring " << g_conf->keyring << dendl;
+ return r;
+ }
}
admin_hook = new AdminHook(this);
AdminSocket* admin_socket = cct->get_admin_socket();
- int r = admin_socket->register_command("mon_status", admin_hook,
- "show current monitor status");
+ r = admin_socket->register_command("mon_status", admin_hook,
+ "show current monitor status");
assert(r == 0);
r = admin_socket->register_command("quorum_status", admin_hook,
"show current quorum status");
bootstrap();
lock.Unlock();
+ return 0;
}
void Monitor::register_cluster_logger()
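Review bot: The new `return r;` in the keyring-load failure branch leaves Monitor::init() with `lock` still held, because `lock.Lock()` is taken at the top and the only visible `lock.Unlock()` sits just before `return 0;`. Add `lock.Unlock();` before that `return r;`. The error message in the same branch prints `g_conf->keyring`, but the path that failed to load is the one built in `os` (`mon_data` plus `/keyring`), so the log points the operator at the wrong file; `derr << "unable to load initial keyring " << os.str() << dendl;` would name the right one. The lines between `lock.Lock()` and the `KeyRing keyring;` declaration are not shown, so this assumes nothing there releases the lock.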
derr << "unable to load initial keyring " << g_conf->keyring << dendl;
return r;
}
+
+ // put mon. key in external keyring; seed with everything else.
+ extract_save_mon_key(keyring);
+
bufferlist keyringbl;
- ::encode(keyring, keyringbl);
+ keyring.encode_plaintext(keyringbl);
store->put_bl_ss(keyringbl, "mkfs", "keyring");
return 0;
}
+void Monitor::extract_save_mon_key(KeyRing& keyring)
+{
+ EntityName mon_name;
+ mon_name.set_type(CEPH_ENTITY_TYPE_MON);
+ EntityAuth mon_key;
+ if (keyring.get_auth(mon_name, mon_key)) {
+ dout(10) << "extract_save_mon_key moving mon. key to separate keyring" << dendl;
+ KeyRing pkey;
+ pkey.add(mon_name, mon_key);
+ bufferlist bl;
+ pkey.encode_plaintext(bl);
+ store->put_bl_ss(bl, "keyring", NULL);
+ keyring.remove(mon_name);
+ }
+}
+
bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer, bool force_new)
{
dout(10) << "ms_get_authorizer for " << ceph_entity_type_name(service_id) << dendl;
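Review bot: In extract_save_mon_key the result of `store->put_bl_ss(bl, "keyring", NULL)` is discarded and `keyring.remove(mon_name)` runs regardless, so a failed write would drop the mon. key from the caller's keyring without saving it anywhere; mkfs then persists that stripped keyring. Assuming put_bl_ss reports failure through its return value, remove the key only after a successful write, e.g. `int r = store->put_bl_ss(bl, "keyring", NULL); if (r < 0) { derr << "failed to write mon keyring" << dendl; return; }`, and consider returning `r` so init() and mkfs can fail too. The fallback branch in init() ignores the same call. The blob written here is the monitor secret in plaintext, and the file mode put_bl_ss uses is not visible on this page, so it is worth confirming the file ends up readable only by the daemon's user.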
#include "auth/cephx/CephxKeyServer.h"
#include "auth/AuthSupported.h"
+#include "auth/KeyRing.h"
#include "perfglue/heap_profiler.h"
MonMap *monmap;
LogClient clog;
+ KeyRing keyring;
KeyServer key_server;
AuthSupported auth_supported;
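Review bot: The new `keyring` member shares its name with the local `KeyRing keyring;` in Monitor::init() and with the parameter of extract_save_mon_key. In init() the identifier therefore appears to mean the local inside the earlier block and the member a few lines later at `keyring.load(cct, os.str())`. A comment on the member would make the intent explicit, e.g. `KeyRing keyring;  // mon's own keys, loaded from <mon_data>/keyring in init()`, and renaming the local in init() would remove the shadowing. The class body starts and ends outside this hunk.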
bool ms_handle_reset(Connection *con);
void ms_handle_remote_reset(Connection *con) {}
+ void extract_save_mon_key(KeyRing& keyring);
+
public:
Monitor(CephContext *cct_, string nm, MonitorStore *s, Messenger *m, MonMap *map);
~Monitor();
- void init();
+ int init();
void shutdown();
void tick();