return ls;
}
-bool KeyServer::generate_secret(CryptoKey& secret)
+bool KeyServer::generate_secret(CryptoKey& secret, std::optional<int> key_type)
{
+ int type = key_type.value_or(CEPH_CRYPTO_AES256KRB5);
bufferptr bp;
- auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
+ auto crypto = cct->get_crypto_manager()->get_handler(type);
if (!crypto)
return false;
if (crypto->create(cct->random(), bp) < 0)
return false;
- secret.set_secret(CEPH_CRYPTO_AES256KRB5, bp, ceph_clock_now());
+ secret.set_secret(type, bp, ceph_clock_now());
return true;
}
int KeyServer::_build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
+ std::optional<int> key_type,
CephXSessionAuthInfo& info,
double ttl)
{
info.ticket.init_timestamps(ceph_clock_now(), ttl);
info.validity.set_from_double(ttl);
- generate_secret(info.session_key);
+ generate_secret(info.session_key, key_type);
// mon keys are stored externally. and the caps are blank anyway.
if (service_id != CEPH_ENTITY_TYPE_MON) {
int KeyServer::build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
+ std::optional<int> key_type,
CephXSessionAuthInfo& info)
{
double ttl;
return -EACCES;
}
+ /* either use the provided key type, or the one that the service
+ * is using. As things are, there are two different cases:
+ * one that this is being called as a result of a client call
+ * and in which case we'll be provided with the client's key type.
+ * The second case is when the monitor generates tickets to
+ * connects to the manager, in which case we want to use
+ * the manager's key type. In any case, we assume that services
+ * are upgraded first before clients, so we prioritize client's
+ * key type over the service key type.
+ */
+ int ktype = key_type.value_or(info.service_secret.get_type());
+
std::scoped_lock l{lock};
- return _build_session_auth_info(service_id, parent_ticket, info, ttl);
+ return _build_session_auth_info(service_id, parent_ticket,
+ ktype, info, ttl);
}
int KeyServer::build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
const CryptoKey& service_secret,
uint64_t secret_id,
+ std::optional<int> key_type,
CephXSessionAuthInfo& info)
{
info.service_secret = service_secret;
info.secret_id = secret_id;
std::scoped_lock l{lock};
- return _build_session_auth_info(service_id, parent_ticket, info,
+ return _build_session_auth_info(service_id, parent_ticket, key_type, info,
cct->_conf->auth_service_ticket_ttl);
}
void _dump_rotating_secrets();
int _build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
+ std::optional<int> key_type,
CephXSessionAuthInfo& info,
double ttl);
bool _get_service_caps(const EntityName& name, uint32_t service_id,
KeyServer() : lock{ceph::make_mutex("KeyServer::lock")} {}
KeyServer(CephContext *cct_, KeyRing *extra_secrets);
KeyServer& operator=(const KeyServer&) = delete;
- bool generate_secret(CryptoKey& secret);
+ bool generate_secret(CryptoKey& secret, std::optional<int> type = std::nullopt);
bool get_secret(const EntityName& name, CryptoKey& secret) const override;
bool get_auth(const EntityName& name, EntityAuth& auth) const;
int build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
+ std::optional<int> key_type,
CephXSessionAuthInfo& info);
int build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
const CryptoKey& service_secret,
uint64_t secret_id,
+ std::optional<int> key_type,
CephXSessionAuthInfo& info);
/* get current secret for specific service type */
info.ticket.init_timestamps(ceph_clock_now(), ttl);
info.validity.set_from_double(ttl);
- key_server->generate_secret(session_key);
+ key_server->generate_secret(session_key, eauth.key.get_type());
info.session_key = session_key;
if (psession_key) {
key_server->build_session_auth_info(
service_id,
info.ticket,
+ eauth.key.get_type(),
svc_info);
info_vec.push_back(svc_info);
}
int r = key_server->build_session_auth_info(
service_id,
auth_ticket_info.ticket, // parent ticket (client's auth ticket)
+ auth_ticket_info.session_key.get_type(), /* keep the same encryption type as in the session key */
info);
// tolerate missing MGR rotating key for the purposes of upgrades.
if (r < 0) {
}
ret = key_server.build_session_auth_info(
- service_id, auth_ticket_info.ticket, secret, (uint64_t)-1, info);
+ service_id, auth_ticket_info.ticket, secret, (uint64_t)-1, secret.get_type(), info);
if (ret < 0) {
dout(0) << __func__ << " failed to build mon session_auth_info "
<< cpp_strerror(ret) << dendl;
} else if (service_id == CEPH_ENTITY_TYPE_MGR) {
// mgr
ret = key_server.build_session_auth_info(
- service_id, auth_ticket_info.ticket, info);
+ service_id, auth_ticket_info.ticket, std::nullopt, info);
if (ret < 0) {
derr << __func__ << " failed to build mgr service session_auth_info "
<< cpp_strerror(ret) << dendl;
projects / ceph-ci.git / commitdiff