void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
bufferlist& request)
{
- AuthAuthenticateRequest req(principal_name, principal_addr, g_clock.now());
+ AuthAuthenticateRequest req(principal_name, principal_addr);
::encode(req, request);
}
return true;
}
-bool verify_authenticate_request(CryptoKey& service_secret,
- bufferlist::iterator& indata)
-{
- AuthAuthenticateRequest msg;
- ::decode(msg, indata);
- dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl;
-
- /* FIXME: validate that request makes sense */
- return true;
-}
-
bool verify_service_ticket_request(CryptoKey& service_secret,
CryptoKey& session_key,
uint32_t& keys,
* period.
*/
struct AuthTicket {
+ EntityName name;
entity_addr_t addr;
utime_t created, renew_after, expires;
string nonce;
map<string, bufferlist> caps;
__u32 flags;
+ AuthTicket() : flags(0) {}
+
void encode(bufferlist& bl) const {
__u8 v = 1;
::encode(v, bl);
+ ::encode(name, bl);
::encode(addr, bl);
::encode(created, bl);
::encode(expires, bl);
void decode(bufferlist::iterator& bl) {
__u8 v;
::decode(v, bl);
+ ::decode(name, bl);
::decode(addr, bl);
::decode(created, bl);
::decode(expires, bl);
struct AuthAuthenticateRequest {
EntityName name;
entity_addr_t addr;
- utime_t timestamp;
AuthAuthenticateRequest() {}
- AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr, utime_t t) :
- name(principal_name), addr(principal_addr), timestamp(t) {}
+ AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr) :
+ name(principal_name), addr(principal_addr) {}
void encode(bufferlist& bl) const {
::encode(name, bl);
::encode(addr, bl);
- ::encode(timestamp, bl);
}
void decode(bufferlist::iterator& bl) {
::decode(name, bl);
::decode(addr, bl);
- ::decode(timestamp, bl);
}
};
WRITE_CLASS_ENCODER(AuthAuthenticateRequest)
/*
* Verify authorizer and generate reply authorizer
*/
-extern bool verify_authenticate_request(CryptoKey& service_secret,
- bufferlist::iterator& indata);
extern bool verify_service_ticket_request(CryptoKey& service_secret,
CryptoKey& session_key,
uint32_t& keys,
int buf_len = len*4;
char buf[buf_len];
int pos = 0;
- for (unsigned int i=0; i<len && pos<buf_len - 8; i++) {
+ for (int i=0; i<len && pos<buf_len - 8; i++) {
if (i && !(i%8))
pos += snprintf(&buf[pos], buf_len-pos, " ");
if (i && !(i%16))
}
/* FIXME: temporary stabs */
- int get_client_secret(CryptoKey& secret) {
+ int lookup_entity(const EntityName& name, CryptoKey& secret, map<string,bufferlist>& caps) {
secret = client_secret;
return 0;
}
case CEPHX_GET_AUTH_SESSION_KEY:
{
dout(0) << "CEPHX_GET_AUTH_SESSION_KEY" << dendl;
- EntityName name; /* FIXME should take it from the request */
- entity_addr_t addr;
+
+ AuthAuthenticateRequest req;
+ ::decode(req, indata);
+
AuthTicket ticket;
+
CryptoKey principal_secret;
- CryptoKey session_key;
- CryptoKey auth_secret;
+ if (auth_server.lookup_entity(req.name, principal_secret, ticket.caps) < 0) {
+ ret = -EPERM;
+ break;
+ }
- ticket.expires = g_clock.now();
+ ticket.name = req.name;
+ ticket.addr = req.addr;
+ ticket.created = g_clock.now();
+ ticket.expires = ticket.created;
+ ticket.expires += g_conf.auth_mon_ticket_ttl;
+ ticket.renew_after = ticket.created;
+ ticket.renew_after += g_conf.auth_mon_ticket_ttl / 2.0;
+ generate_random_string(ticket.nonce, g_conf.auth_nonce_len);
- auth_server.get_client_secret(principal_secret);
+
+ CryptoKey session_key;
+ CryptoKey auth_secret;
auth_server.get_service_session_key(session_key, CEPHX_PRINCIPAL_AUTH);
auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH);
- if (!verify_authenticate_request(auth_secret, indata)) {
- ret = -EPERM;
- break;
- }
-
- // checking password?
build_cephx_response_header(request_type, 0, result_bl);
vector<SessionAuthInfo> info_vec;
#include <errno.h>
-static int get_random_bytes(int len, bufferlist& out)
+static int get_random_bytes(char *buf, int len)
{
- char buf[len];
char *t = buf;
int fd = ::open("/dev/urandom", O_RDONLY);
int l = len;
t += r;
l -= r;
}
- out.append(buf, len);
return 0;
}
+static int get_random_bytes(int len, bufferlist& bl)
+{
+ char buf[len];
+ get_random_bytes(buf, len);
+ bl.append(buf, len);
+ return 0;
+}
+
+void generate_random_string(string& s, int len)
+{
+ char buf[len+1];
+ get_random_bytes(buf, len);
+ buf[len] = 0;
+ s = buf;
+}
+
// ---------------------------------------------------
class CryptoNone : public CryptoHandler {
extern CryptoManager ceph_crypto_mgr;
+extern void generate_random_string(string& s, int len);
+
#endif
OPTION(mon_clientid_prealloc, 0, OPT_INT, 100), // how many clientids to prealloc
OPTION(paxos_propose_interval, 0, OPT_DOUBLE, 1.0), // gather updates for this long before proposing a map update
OPTION(paxos_observer_timeout, 0, OPT_DOUBLE, 5*60), // gather updates for this long before proposing a map update
+ OPTION(auth_mon_ticket_ttl, 0, OPT_DOUBLE, 60*60*24),
+ OPTION(auth_service_ticket_ttl, 0, OPT_DOUBLE, 60*60),
+ OPTION(auth_nonce_len, 0, OPT_INT, 16),
OPTION(client_cache_size, 0, OPT_INT, 1000),
OPTION(client_cache_mid, 0, OPT_FLOAT, .5),
OPTION(client_cache_stat_ttl, 0, OPT_INT, 0), // seconds until cached stat results become invalid
double paxos_propose_interval;
double paxos_observer_timeout;
+ // auth
+ double auth_mon_ticket_ttl;
+ double auth_service_ticket_ttl;
+ int auth_nonce_len;
+
// client
int client_cache_size;
float client_cache_mid;