return false;
}
-bool Client::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
- *authorizer = monclient->build_authorizer(dest_type);
- return true;
-}
-
Inode *Client::get_quota_root(Inode *in, const UserPerm& perms)
{
Inode *quota_in = root_ancestor;
bool ms_handle_reset(Connection *con) override;
void ms_handle_remote_reset(Connection *con) override;
bool ms_handle_refused(Connection *con) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
int authenticate();
#undef dout_prefix
#define dout_prefix *_dout << "librados: "
-bool librados::RadosClient::ms_get_authorizer(int dest_type,
- AuthAuthorizer **authorizer) {
- //ldout(cct, 0) << "RadosClient::ms_get_authorizer type=" << dest_type << dendl;
- /* monitor authorization is being handled on different layer */
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
- *authorizer = monclient.build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
librados::RadosClient::RadosClient(CephContext *cct_)
: Dispatcher(cct_->get()),
cct_deleter{cct_, [](CephContext *p) {p->put();}},
bool _dispatch(Message *m);
bool ms_dispatch(Message *m) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
void ms_handle_connect(Connection *con) override;
bool ms_handle_reset(Connection *con) override;
void ms_handle_remote_reset(Connection *con) override;
}
}
-bool MDSDaemon::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- dout(10) << "MDSDaemon::ms_get_authorizer type="
- << ceph_entity_type_name(dest_type) << dendl;
-
- /* monitor authorization is being handled on different layer */
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
-
/*
* high priority messages we always process
*/
return false;
}
-KeyStore *MDSDaemon::ms_get_auth1_authorizer_keystore()
-{
- return monc->rotating_secrets.get();
-}
-
bool MDSDaemon::parse_caps(const AuthCapsInfo& info, MDSAuthCaps& caps)
{
caps.clear();
private:
bool ms_dispatch2(const ref_t<Message> &m) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
int ms_handle_authentication(Connection *con) override;
- KeyStore *ms_get_auth1_authorizer_keystore() override;
void ms_handle_accept(Connection *con) override;
void ms_handle_connect(Connection *con) override;
bool ms_handle_reset(Connection *con) override;
return msgr->get_myaddrs();
}
-KeyStore *DaemonServer::ms_get_auth1_authorizer_keystore()
-{
- return monc->rotating_secrets.get();
-}
-
int DaemonServer::ms_handle_authentication(Connection *con)
{
MgrSession *s = new MgrSession(cct);
return 1;
}
-bool DaemonServer::ms_get_authorizer(
- int dest_type,
- AuthAuthorizer **authorizer)
-{
- dout(10) << "type=" << ceph_entity_type_name(dest_type) << dendl;
-
- if (dest_type == CEPH_ENTITY_TYPE_MON) {
- return true;
- }
-
- *authorizer = monc->build_authorizer(dest_type);
- dout(20) << "got authorizer " << *authorizer << dendl;
- return *authorizer != NULL;
-}
-
bool DaemonServer::ms_handle_reset(Connection *con)
{
if (con->get_peer_type() == CEPH_ENTITY_TYPE_OSD) {
bool ms_handle_reset(Connection *con) override;
void ms_handle_remote_reset(Connection *con) override {}
bool ms_handle_refused(Connection *con) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
- KeyStore *ms_get_auth1_authorizer_keystore() override;
bool handle_open(const ceph::ref_t<MMgrOpen>& m);
bool handle_close(const ceph::ref_t<MMgrClose>& m);
}
-bool MgrStandby::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc.build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
bool MgrStandby::ms_handle_refused(Connection *con)
{
// do nothing for now
bool ms_dispatch2(const ceph::ref_t<Message>& m) override;
bool ms_handle_reset(Connection *con) override { return false; }
void ms_handle_remote_reset(Connection *con) override {}
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
bool ms_handle_refused(Connection *con) override;
int init();
return -EACCES;
}
AuthAuthorizer *auth;
- if (!ms_get_authorizer(con->get_peer_type(), &auth)) {
+ if (!get_authorizer(con->get_peer_type(), &auth)) {
return -EACCES;
}
auth_meta->authorizer.reset(auth);
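Review bot: `auth` is declared without an initializer and its address is handed to `get_authorizer()`, so the `auth_meta->authorizer.reset(auth)` that follows is only safe if every `true` return path in `get_authorizer()` has written `*authorizer`. The `Dispatcher::ms_get_authorizer` doc comment that this commit deletes told callers to set the pointer to NULL before calling in, and that contract is worth keeping at the one remaining call site: `AuthAuthorizer *auth = nullptr;`. Only part of `get_authorizer()` is visible in the later hunks, so whether it has an early success path cannot be confirmed from this page. The enclosing function starts and ends outside this hunk.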
return -EACCES;
}
-bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer)
+bool Monitor::get_authorizer(int service_id, AuthAuthorizer **authorizer)
{
- dout(10) << "ms_get_authorizer for " << ceph_entity_type_name(service_id)
+ dout(10) << "get_authorizer for " << ceph_entity_type_name(service_id)
<< dendl;
if (is_shutdown())
CephXTicketBlob blob;
if (!cephx_build_service_ticket_blob(cct, info, blob)) {
- dout(0) << "ms_get_authorizer failed to build service ticket" << dendl;
+ dout(0) << "get_authorizer failed to build service ticket" << dendl;
return false;
}
bufferlist ticket_data;
return true;
}
-KeyStore *Monitor::ms_get_auth1_authorizer_keystore()
-{
- return &keyring;
-}
-
int Monitor::handle_auth_request(
Connection *con,
AuthConnectionMeta *auth_meta,
void dispatch_op(MonOpRequestRef op);
//mon_caps is used for un-connected messages from monitors
MonCap mon_caps;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
- KeyStore *ms_get_auth1_authorizer_keystore();
+ bool get_authorizer(int dest_type, AuthAuthorizer **authorizer);
public: // for AuthMonitor msgr1:
int ms_handle_authentication(Connection *con) override;
private:
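Review bot: `get_authorizer` is now a plain `Monitor` member rather than an override, so it no longer inherits any contract documentation, because the `Dispatcher` doc comment is removed in this same commit. I would add a short comment above the declaration, for example `/// Build a service ticket authorizer for the given service; on a false return *authorizer must not be used.` The declaration also names the first parameter `dest_type` while the definition in the .cc hunk names it `service_id`; using `service_id` in both places would keep the header consistent with the log message. The class body continues outside this hunk.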
class Messenger;
class Connection;
-class AuthAuthorizer;
class CryptoKey;
class CephContext;
-class AuthAuthorizerChallenge;
class KeyStore;
class Dispatcher {
return 0;
}
- /**
- * get authentication keyring
- *
- * Return the keyring to use for authentication with msgr1. Remove me
- * someday.
- */
- virtual KeyStore* ms_get_auth1_authorizer_keystore() {
- return nullptr;
- }
-
- /**
- * Retrieve the AuthAuthorizer for the given peer type. It might not
- * provide one if it knows there is no AuthAuthorizer for that type.
- *
- * @param dest_type The peer type we want the authorizer for.
- * @param a Double pointer to an AuthAuthorizer. The Dispatcher will fill
- * in *a with the correct AuthAuthorizer, if it can. Make sure that you have
- * set *a to NULL before calling in.
- * @param force_new Force the Dispatcher to wait for a new set of keys before
- * returning the authorizer.
- *
- * @return True if this function call properly filled in *a, false otherwise.
- */
- virtual bool ms_get_authorizer(int dest_type, AuthAuthorizer **a) {
- return false;
- }
/**
* @} //Authentication
*/
return bind(addrs.legacy_addr());
}
-bool Messenger::ms_deliver_verify_authorizer(
- Connection *con,
- int peer_type,
- int protocol,
- bufferlist& authorizer,
- bufferlist& authorizer_reply,
- bool& isvalid,
- CryptoKey& session_key,
- std::string *connection_secret,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge)
-{
- if (authorizer.length() == 0) {
- for (auto dis : dispatchers) {
- if (!dis->require_authorizer) {
- //ldout(cct,10) << __func__ << " tolerating missing authorizer" << dendl;
- isvalid = true;
- return true;
- }
- }
- }
- AuthAuthorizeHandler *ah = auth_registry.get_handler(peer_type, protocol);
- if (get_mytype() == CEPH_ENTITY_TYPE_MON &&
- peer_type != CEPH_ENTITY_TYPE_MON) {
- // the monitor doesn't do authenticators for msgr1.
- isvalid = true;
- return true;
- }
- if (!ah) {
- lderr(cct) << __func__ << " no AuthAuthorizeHandler found for protocol "
- << protocol << dendl;
- isvalid = false;
- return false;
- }
-
- for (auto dis : dispatchers) {
- KeyStore *ks = dis->ms_get_auth1_authorizer_keystore();
- if (ks) {
- isvalid = ah->verify_authorizer(
- cct,
- ks,
- authorizer,
- 0,
- &authorizer_reply,
- &con->peer_name,
- &con->peer_global_id,
- &con->peer_caps_info,
- &session_key,
- connection_secret,
- challenge);
- if (isvalid) {
- return dis->ms_handle_authentication(con)>=0;
- }
- return true;
- }
- }
- return false;
-}
}
}
- /**
- * Get the AuthAuthorizer for a new outgoing Connection.
- *
- * @param peer_type The peer type for the new Connection
- * @param force_new True if we want to wait for new keys, false otherwise.
- * @return A pointer to the AuthAuthorizer, if we have one; NULL otherwise
- */
- AuthAuthorizer *ms_deliver_get_authorizer(int peer_type) {
- AuthAuthorizer *a = 0;
- for (const auto& dispatcher : dispatchers) {
- if (dispatcher->ms_get_authorizer(peer_type, &a))
- return a;
- }
- return NULL;
- }
- /**
- * Verify that the authorizer on a new incoming Connection is correct.
- *
- * @param con The new incoming Connection
- * @param peer_type The type of the endpoint on the new Connection
- * @param protocol The ID of the protocol in use (at time of writing, cephx or none)
- * @param authorizer The authorization string supplied by the remote
- * @param authorizer_reply Output param: The string we should send back to
- * the remote to authorize ourselves. Only filled in if isvalid
- * @param isvalid Output param: True if authorizer is valid, false otherwise
- *
- * @return True if we were able to prove or disprove correctness of
- * authorizer, false otherwise.
- */
- bool ms_deliver_verify_authorizer(
- Connection *con, int peer_type,
- int protocol, ceph::buffer::list& authorizer, ceph::buffer::list& authorizer_reply,
- bool& isvalid,
- CryptoKey& session_key,
- std::string *connection_secret,
- std::unique_ptr<AuthAuthorizerChallenge> *challenge);
-
/**
* @} // Dispatcher Interfacing
*/
OID_EVENT_TRACE_WITH_MSG(m, "MS_FAST_DISPATCH_END", false);
}
-bool OSD::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- dout(10) << "OSD::ms_get_authorizer type=" << ceph_entity_type_name(dest_type) << dendl;
-
- if (is_stopping()) {
- dout(10) << __func__ << " bailing, we are shutting down" << dendl;
- return false;
- }
-
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
-KeyStore *OSD::ms_get_auth1_authorizer_keystore()
-{
- return monc->rotating_secrets.get();
-}
-
int OSD::ms_handle_authentication(Connection *con)
{
int ret = 0;
int ms_handle_authentication(Connection *con) override {
return true;
}
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override {
- // some pre-nautilus OSDs get confused if you include an
- // authorizer but they are not expecting it. do not try to authorize
- // heartbeat connections until all OSDs are nautilus.
- if (osd->get_osdmap()->require_osd_release >= CEPH_RELEASE_NAUTILUS) {
- return osd->ms_get_authorizer(dest_type, authorizer);
- }
- return false;
- }
- KeyStore *ms_get_auth1_authorizer_keystore() override {
- return osd->ms_get_auth1_authorizer_keystore();
- }
} heartbeat_dispatcher;
private:
}
void ms_fast_dispatch(Message *m) override;
bool ms_dispatch(Message *m) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
void ms_handle_connect(Connection *con) override;
void ms_handle_fast_connect(Connection *con) override;
void ms_handle_fast_accept(Connection *con) override;
int ms_handle_authentication(Connection *con) override;
- KeyStore *ms_get_auth1_authorizer_keystore() override;
bool ms_handle_reset(Connection *con) override;
void ms_handle_remote_reset(Connection *con) override {}
bool ms_handle_refused(Connection *con) override;
return false;
}
-bool Objecter::ms_get_authorizer(int dest_type,
- AuthAuthorizer **authorizer)
-{
- if (!initialized)
- return false;
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
void Objecter::op_target_t::dump(Formatter *f) const
{
f->dump_stream("pg") << pgid;
bool ms_handle_reset(Connection *con) override;
void ms_handle_remote_reset(Connection *con) override;
bool ms_handle_refused(Connection *con) override;
- bool ms_get_authorizer(int dest_type,
- AuthAuthorizer **authorizer) override;
void blacklist_self(bool set);
}
-bool MDSUtility::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
bool ms_handle_reset(Connection *con) override { return false; }
void ms_handle_remote_reset(Connection *con) override {}
bool ms_handle_refused(Connection *con) override { return false; }
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
int init();
void shutdown();
};