]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-ci.git/commitdiff
projects / ceph-ci.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2607266)
mon: use key_server for looking up mon key
authorPatrick Donnelly <pdonnell@ibm.com>
Thu, 29 May 2025 14:07:52 +0000 (10:07 -0400)
committerPatrick Donnelly <pdonnell@ibm.com>
Mon, 29 Dec 2025 22:30:04 +0000 (17:30 -0500)
Note: the key_server is already configured to fallback (via
KeyServerData::extra_secrets) to the Monitor::keyring which is sourced from the
mon's keyring file.

Using the Monitor::key_server allows us to maintain the mon's secret in the
auth database alongside all other secrets. This makes rotating the mons' keys
the same as all other entities in Ceph. Before this, to rotate the mons' key
you would need to turn off all montitors and then rotate the key files
manually. This is obviously disruptive since it's not a rolling upgrade.

If the key is sourced from the Monitor::key_server, then the key can be rotated
and all mons are aware of the new key. The mons can then proceed to restart as
needed in a non-disruptive fashion.

A followup commit will cleanup the monitor to try either its local keyring key
or the key in the key_server (if present) when authenticating with other mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
src/mon/Monitor.cc patch | blob | history

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index c6a4e62be769cfd6b5062d6524a6aa58c330204e..03ec222073ce325ca56f2a6c7a185782432bc22f 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -6468,9 +6468,10 @@ int Monitor::handle_auth_request(
       return -EOPNOTSUPP;
     }
     bool was_challenge = (bool)auth_meta->authorizer_challenge;
+    dout(20) << __func__ << ": verify authorizer was_challenge=" << was_challenge << dendl;
     bool isvalid = ah->verify_authorizer(
       cct,
-      keyring,
+      key_server,
       payload,
       auth_meta->get_connection_secret_length(),
       reply,
@@ -6540,6 +6541,11 @@ int Monitor::handle_auth_request(
       dout(1) << __func__ << " failed to decode, " << e.what() << dendl;
       return -EACCES;
     }
+    dout(15) << __func__ << ": decoded"
+            << " mode=" << mode
+            << " entity_name=" << entity_name
+            << " con->peer_global_id=" << con->peer_global_id
+            << dendl;
 
     // supported method?
     if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
@@ -6580,6 +6586,8 @@ int Monitor::handle_auth_request(
     s->auth_handler = auth_handler.release();
     con->set_priv(RefCountedPtr{s, false});
 
+    dout(20) << __func__ << ": starting session: " << *s << dendl;
+
     r = s->auth_handler->start_session(
       entity_name,
       con->peer_global_id,
Unnamed repository; edit this file 'description' to name the repository.