auth: build an almost real mon ticket

author Sage Weil <sage@newdream.net>

Wed, 23 Sep 2009 19:13:15 +0000 (12:13 -0700)

committer Sage Weil <sage@newdream.net>

Wed, 23 Sep 2009 19:13:15 +0000 (12:13 -0700)
author Sage Weil <sage@newdream.net>
Wed, 23 Sep 2009 19:13:15 +0000 (12:13 -0700)
committer Sage Weil <sage@newdream.net>
Wed, 23 Sep 2009 19:13:15 +0000 (12:13 -0700)
diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc

index bc30797bb0b90b14fc505ab1ad0d65baad3aa17d..a242f170dca4532deaae0e7e1b90b578084d85cb 100644 (file)
--- a/src/auth/Auth.cc
+++ b/src/auth/Auth.cc
@@ -34,7 +34,7 @@ static void hexdump(string msg, const char *s, int len)
  void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
                                 bufferlist& request)
  {
-  AuthAuthenticateRequest req(principal_name, principal_addr, g_clock.now());
+  AuthAuthenticateRequest req(principal_name, principal_addr);
    ::encode(req, request);
  }
  
@@ -97,17 +97,6 @@ bool build_service_ticket_reply(
    return true;
  }
  
-bool verify_authenticate_request(CryptoKey& service_secret,
-                                bufferlist::iterator& indata)
-{
-  AuthAuthenticateRequest msg;
-  ::decode(msg, indata);
-  dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl;
-
-  /* FIXME: validate that request makes sense */
-  return true;
-}
-
  bool verify_service_ticket_request(CryptoKey& service_secret,
                                     CryptoKey& session_key,
                                     uint32_t& keys,
diff --git a/src/auth/Auth.h b/src/auth/Auth.h

index 607194491387f056e5061d64d7b273799083d0c6..fdb079f469e405cf54125333d499dc61ff9d7944 100644 (file)
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
@@ -112,15 +112,19 @@ inline bool operator<(const EntityName& a, const EntityName& b) {
   * period.
   */
  struct AuthTicket {
+  EntityName name;
    entity_addr_t addr;
    utime_t created, renew_after, expires;
    string nonce;
    map<string, bufferlist> caps;
    __u32 flags;
  
+  AuthTicket() : flags(0) {}
+
    void encode(bufferlist& bl) const {
      __u8 v = 1;
      ::encode(v, bl);
+    ::encode(name, bl);
      ::encode(addr, bl);
      ::encode(created, bl);
      ::encode(expires, bl);
@@ -131,6 +135,7 @@ struct AuthTicket {
    void decode(bufferlist::iterator& bl) {
      __u8 v;
      ::decode(v, bl);
+    ::decode(name, bl);
      ::decode(addr, bl);
      ::decode(created, bl);
      ::decode(expires, bl);
@@ -182,21 +187,18 @@ extern bool build_service_ticket_reply(CryptoKey& principal_secret,
  struct AuthAuthenticateRequest {
    EntityName name;
    entity_addr_t addr;
-  utime_t timestamp;
  
    AuthAuthenticateRequest() {}
-  AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr, utime_t t) :
-    name(principal_name), addr(principal_addr), timestamp(t) {}
+  AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr) :
+    name(principal_name), addr(principal_addr) {}
  
    void encode(bufferlist& bl) const {
      ::encode(name, bl);
      ::encode(addr, bl);
-    ::encode(timestamp, bl);
    }
    void decode(bufferlist::iterator& bl) {
      ::decode(name, bl);
      ::decode(addr, bl);
-    ::decode(timestamp, bl);
    }
  };
  WRITE_CLASS_ENCODER(AuthAuthenticateRequest)
@@ -392,8 +394,6 @@ int encode_encrypt(const T& t, CryptoKey& key, bufferlist& out) {
  /*
   * Verify authorizer and generate reply authorizer
   */
-extern bool verify_authenticate_request(CryptoKey& service_secret,
-                                       bufferlist::iterator& indata);
  extern bool verify_service_ticket_request(CryptoKey& service_secret,
                                           CryptoKey& session_key,
                                           uint32_t& keys,
diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc

index 9bd167271b092cfe910b5fa6061dc01a18f58ce5..cda0f43629a9ed8c2f1e9d8b9e0e90ef7aa2fd0f 100644 (file)
--- a/src/auth/AuthServiceManager.cc
+++ b/src/auth/AuthServiceManager.cc
@@ -35,7 +35,7 @@ static inline void hexdump(string msg, const char *s, int len)
    int buf_len = len*4;
    char buf[buf_len];
    int pos = 0;
-  for (unsigned int i=0; i<len && pos<buf_len - 8; i++) {
+  for (int i=0; i<len && pos<buf_len - 8; i++) {
      if (i && !(i%8))
        pos += snprintf(&buf[pos], buf_len-pos, " ");
      if (i && !(i%16))
@@ -66,7 +66,7 @@ public:
     }
  
  /* FIXME: temporary stabs */
-  int get_client_secret(CryptoKey& secret) {
+  int lookup_entity(const EntityName& name, CryptoKey& secret, map<string,bufferlist>& caps) {
       secret = client_secret;
       return 0;
    }
@@ -178,25 +178,33 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
    case CEPHX_GET_AUTH_SESSION_KEY:
      {
        dout(0) << "CEPHX_GET_AUTH_SESSION_KEY" << dendl;
-      EntityName name; /* FIXME should take it from the request */
-      entity_addr_t addr;
+
+      AuthAuthenticateRequest req;
+      ::decode(req, indata);
+
        AuthTicket ticket;
+
        CryptoKey principal_secret;
-      CryptoKey session_key;
-      CryptoKey auth_secret;
+      if (auth_server.lookup_entity(req.name, principal_secret, ticket.caps) < 0) {
+       ret = -EPERM;
+       break;
+      }
  
-      ticket.expires = g_clock.now();
+      ticket.name = req.name;
+      ticket.addr = req.addr;
+      ticket.created = g_clock.now();
+      ticket.expires = ticket.created;
+      ticket.expires += g_conf.auth_mon_ticket_ttl;
+      ticket.renew_after = ticket.created;
+      ticket.renew_after += g_conf.auth_mon_ticket_ttl / 2.0;
+      generate_random_string(ticket.nonce, g_conf.auth_nonce_len);
  
-      auth_server.get_client_secret(principal_secret);
+
+      CryptoKey session_key;
+      CryptoKey auth_secret;
        auth_server.get_service_session_key(session_key, CEPHX_PRINCIPAL_AUTH);
        auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH);
  
-      if (!verify_authenticate_request(auth_secret, indata)) {
-         ret = -EPERM;
-         break;
-      }
-
-      // checking password?
  
        build_cephx_response_header(request_type, 0, result_bl);
        vector<SessionAuthInfo> info_vec;
diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc

index 07c7abb0a4d658641daf908b5869ed8b019e1bb2..03d0ab201f2cadf0261bc3a911f5c35111e9161a 100644 (file)
--- a/src/auth/Crypto.cc
+++ b/src/auth/Crypto.cc
@@ -21,9 +21,8 @@
  
  #include <errno.h>
  
-static int get_random_bytes(int len, bufferlist& out)
+static int get_random_bytes(char *buf, int len)
  {
-  char buf[len];
    char *t = buf;
    int fd = ::open("/dev/urandom", O_RDONLY);
    int l = len;
@@ -36,10 +35,25 @@ static int get_random_bytes(int len, bufferlist& out)
      t += r;
      l -= r;
    }
-  out.append(buf, len);
    return 0;
  }
  
+static int get_random_bytes(int len, bufferlist& bl)
+{
+  char buf[len];
+  get_random_bytes(buf, len);
+  bl.append(buf, len);
+  return 0;
+}
+
+void generate_random_string(string& s, int len)
+{
+  char buf[len+1];
+  get_random_bytes(buf, len);
+  buf[len] = 0;
+  s = buf;
+}
+
  // ---------------------------------------------------
  
  class CryptoNone : public CryptoHandler {
diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h

index 8f606386cbc279845d8bea8336813150c2424a56..74596ce80315170a6af7be4d8f529057ab9b9075 100644 (file)
--- a/src/auth/Crypto.h
+++ b/src/auth/Crypto.h
@@ -75,5 +75,7 @@ public:
  
  extern CryptoManager ceph_crypto_mgr;
  
+extern void generate_random_string(string& s, int len);
+
  
  #endif
diff --git a/src/config.cc b/src/config.cc

index 7f2647d32c069f6fc3290743241a7af9c902a249..da554e1818c0dbbbc14b9db4313adb6367df5c18 100644 (file)
--- a/src/config.cc
+++ b/src/config.cc
@@ -363,6 +363,9 @@ static struct config_option config_optionsp[] = {
         OPTION(mon_clientid_prealloc, 0, OPT_INT, 100),   // how many clientids to prealloc
         OPTION(paxos_propose_interval, 0, OPT_DOUBLE, 1.0),  // gather updates for this long before proposing a map update
         OPTION(paxos_observer_timeout, 0, OPT_DOUBLE, 5*60), // gather updates for this long before proposing a map update
+       OPTION(auth_mon_ticket_ttl, 0, OPT_DOUBLE, 60*60*24),
+       OPTION(auth_service_ticket_ttl, 0, OPT_DOUBLE, 60*60),
+       OPTION(auth_nonce_len, 0, OPT_INT, 16),
         OPTION(client_cache_size, 0, OPT_INT, 1000),
         OPTION(client_cache_mid, 0, OPT_FLOAT, .5),
         OPTION(client_cache_stat_ttl, 0, OPT_INT, 0), // seconds until cached stat results become invalid
diff --git a/src/config.h b/src/config.h

index 3d408c7770fde2f7fc59e712f11325a7f85f13b1..04979e9dc74fb61dc3e18f107a10ab36bd6c2841 100644 (file)
--- a/src/config.h
+++ b/src/config.h
@@ -145,6 +145,11 @@ struct md_config_t {
    double paxos_propose_interval;
    double paxos_observer_timeout;
  
+  // auth
+  double auth_mon_ticket_ttl;
+  double auth_service_ticket_ttl;
+  int auth_nonce_len;
+
    // client
    int      client_cache_size;
    float    client_cache_mid;
author	Sage Weil <sage@newdream.net>
	Wed, 23 Sep 2009 19:13:15 +0000 (12:13 -0700)
committer	Sage Weil <sage@newdream.net>
	Wed, 23 Sep 2009 19:13:15 +0000 (12:13 -0700)
src/auth/Auth.cc		patch \| blob \| history
src/auth/Auth.h		patch \| blob \| history
src/auth/AuthServiceManager.cc		patch \| blob \| history
src/auth/Crypto.cc		patch \| blob \| history
src/auth/Crypto.h		patch \| blob \| history
src/config.cc		patch \| blob \| history
src/config.h		patch \| blob \| history