return true;
}
-bool verify_service_ticket_request(CryptoKey& service_secret,
+bool verify_service_ticket_request(EntityName& name,
+ CryptoKey& service_secret,
CryptoKey& session_key,
AuthServiceTicketRequest& ticket_req,
AuthServiceTicketInfo& ticket_info,
/*
* Verify authorizer and generate reply authorizer
*/
-extern bool verify_service_ticket_request(CryptoKey& service_secret,
+extern bool verify_service_ticket_request(EntityName& name,
+ CryptoKey& service_secret,
CryptoKey& session_key,
AuthServiceTicketRequest& ticket_req,
AuthServiceTicketInfo& ticket_info,
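Review bot: The new `EntityName& name` parameter on L13 is not covered by the header comment on L10, which still only says "Verify authorizer and generate reply authorizer"; a caller cannot tell from the declaration what the name is checked against. Suggest extending the comment to `* Verify authorizer and generate reply authorizer; name identifies the requesting entity the ticket is bound to` — assuming that is the intent, since the function body is not part of this hunk. If the implementation never writes to it, declaring it `const EntityName& name` would make the read-only contract visible at every call site.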
};
WRITE_CLASS_ENCODER(CephXPremable)
-/*
+/*
Ceph X-Envelope protocol
*/
struct CephXEnvRequest1 {
void decode(bufferlist::iterator& bl) {
uint32_t num_auth;
::decode(num_auth, bl);
-
- dout(0) << "num_auth=" << num_auth << dendl;
-
+
auth_types.clear();
for (uint32_t i=0; i<num_auth; i++) {
uint32_t auth_type;
::decode(auth_type, bl);
- dout(0) << "auth_type[" << i << "] = " << auth_type << dendl;
auth_types[auth_type] = true;
}
}
dout(0) << msg << ":\n" << buf << dendl;
}
-
class CephAuthServer {
/* FIXME: this is all temporary */
AuthTicket ticket;
{
CryptoKey auth_secret;
auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH);
+ // ... FIXME .. get entity name, session_key from Monitor::Session
AuthServiceTicketRequest ticket_req;
AuthServiceTicketInfo ticket_info;
- if (!verify_service_ticket_request(auth_secret, session_key, ticket_req, ticket_info, indata)) {
+ EntityName name;
+ if (!verify_service_ticket_request(name, auth_secret, session_key, ticket_req, ticket_info, indata)) {
ret = -EPERM;
break;
}
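Review bot: `EntityName name;` on L53 is default-constructed and passed straight into verify_service_ticket_request on L54, so whatever the new `name` parameter is compared against, it is not the identity of the session that sent this request; the FIXME on L49 acknowledges the session wiring is missing. Until that is done the ticket verification cannot bind its result to the requesting entity, and that should be stated where the placeholder is created rather than only in the generic FIXME — suggest `// FIXME(security): empty placeholder until Monitor::Session supplies the entity name; ticket verification is not yet bound to the requester`. The enclosing function begins outside the hunk, so I cannot tell whether an earlier check already rejects requests from unauthenticated sessions.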
if (iter == rotating_secrets.end())
return false;
+ if (rotating_secrets.size() > 1)
+ ++iter; /* avoid giving the oldest rotating secret, as it'll expire soon */
+
secret = iter->second;
return true;
}
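Review bot: The `++iter` on L61 is only safe if `iter` was positioned at `rotating_secrets.begin()`, and where it comes from is outside the hunk; if it is the result of a find() or lower_bound(), `size() > 1` does not guarantee the incremented iterator is not `end()`, and `iter->second` on L63 would then dereference it. If the iterator is not begin(), re-check after the increment: `if (iter == rotating_secrets.end()) return false;`. The comment's assumption that the first entry is the one expiring soonest also depends on the map being keyed in ascending order of age, which is worth stating at the map's declaration. The function starts outside the hunk.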
void KeysServer::list_secrets(stringstream& ss)
{
+ Mutex::Locker l(lock);
+
map<EntityName, CryptoKey>::iterator mapiter = data.secrets_begin();
if (mapiter != data.secrets_end()) {
ss << "installed auth entries: " << std::endl;
KeysServer();
bool get_secret(EntityName& name, CryptoKey& secret);
+ bool get_active_rotating_secret(EntityName& name, CryptoKey& secret);
int start_server(bool init);
void rotate_timeout(double timeout);
::encode(data, bl);
}
void decode(bufferlist::iterator& bl) {
+ Mutex::Locker l(lock);
::decode(data, bl);
}
bool contains(EntityName& name);
void decode_rotating(bufferlist& rotating_bl);
bool get_rotating_encrypted(EntityName& name, bufferlist& enc_bl);
+
+ Mutex& get_lock() { return lock; }
};
WRITE_CLASS_ENCODER(KeysServer);
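Review bot: `get_lock()` on L88 exposes the mutex so that callers can lock around `::encode`, while `decode()` on L81 takes the same lock internally; the two halves of one encoder now have opposite locking contracts and nothing in the header says so. Suggest a comment on the declarations: `// decode() locks internally; encode() does not -- callers must hold get_lock() for the duration of the encode`, with the same sentence on get_lock(). Without that, an encode() call that forgets the lock would read `data` concurrently with decode() or any other writer that does lock.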
void AuthMonitor::check_rotate()
{
AuthLibEntry entry;
- if (!keys_server.updated_rotating(entry.rotating_bl, last_rotating_ver))
+ if (!mon->keys_server.updated_rotating(entry.rotating_bl, last_rotating_ver))
return;
dout(0) << "AuthMonitor::tick() updated rotating, now calling propose_pending" << dendl;
if (!mon->is_leader())
return;
- keys_server.start_server(true);
+ mon->keys_server.start_server(true);
check_rotate();
}
{
dout(0) << "AuthMonitor::update_from_paxos()" << dendl;
version_t paxosv = paxos->get_version();
- version_t keys_ver = keys_server.get_ver();
+ version_t keys_ver = mon->keys_server.get_ver();
if (paxosv == keys_ver) return true;
assert(paxosv >= keys_ver);
if (v) {
dout(7) << "update_from_paxos startup: loading summary e" << v << dendl;
bufferlist::iterator p = latest.begin();
- ::decode(keys_server, p);
+ ::decode(mon->keys_server, p);
}
}
switch (inc.op) {
case AUTH_INC_ADD:
if (!entry.rotating) {
- keys_server.add_secret(entry.name, entry.secret);
+ mon->keys_server.add_secret(entry.name, entry.secret);
} else {
derr(0) << "got AUTH_INC_ADD with entry.rotating" << dendl;
}
break;
case AUTH_INC_DEL:
- keys_server.remove_secret(entry.name);
+ mon->keys_server.remove_secret(entry.name);
break;
case AUTH_INC_SET_ROTATING:
{
dout(0) << "AuthMonitor::update_from_paxos: decode_rotating" << dendl;
- keys_server.decode_rotating(entry.rotating_bl);
+ mon->keys_server.decode_rotating(entry.rotating_bl);
}
break;
case AUTH_INC_NOP:
}
keys_ver++;
- keys_server.set_ver(keys_ver);
+ mon->keys_server.set_ver(keys_ver);
}
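Review bot: The writers on L122, L129, L135 and L142 (`add_secret`, `remove_secret`, `decode_rotating`, `set_ver`) now operate on the monitor-wide `mon->keys_server` with no lock visible here, whereas `list_secrets` on L68 and `decode` on L81 in this same change lock internally. If those four methods do not take `KeysServer::lock` themselves — their bodies are not in this diff — the update path races with every reader that does lock. Either confirm each of them locks internally, or take `Mutex::Locker l(mon->keys_server.get_lock());` once at the top of the update loop, which begins outside the hunk. The same question applies to `get_ver()` on L108.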
bufferlist bl;
- ::encode(keys_server, bl);
+ Mutex::Locker l(mon->keys_server.get_lock());
+ ::encode(mon->keys_server, bl);
paxos->stash_latest(paxosv, bl);
return true;
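Review bot: The `Mutex::Locker` on L146 stays held through `paxos->stash_latest()` on L148 and until the function returns, although only the `::encode` on L147 needs it. Holding the KeysServer lock while calling into Paxos widens the window for lock-ordering problems if any Paxos path ever calls back into keys_server; scope the locker together with the encode in their own braces so the lock is released first: `{ Mutex::Locker l(mon->keys_server.get_lock()); ::encode(mon->keys_server, bl); }`. The enclosing function starts outside the hunk.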
if (!reply)
return true;
- if (keys_server.get_rotating_encrypted(m->entity_name, reply->response_bl)) {
+ if (mon->keys_server.get_rotating_encrypted(m->entity_name, reply->response_bl)) {
reply->status = 0;
} else {
reply->status = -EPERM;
for (deque<AuthLibEntry>::iterator p = m->info.begin();
p != m->info.end();
p++) {
- if (!keys_server.contains((*p).name))
+ if (!mon->keys_server.contains((*p).name))
num_new++;
}
if (!num_new) {
string name = m->cmd[2];
AuthLibEntry entry;
entry.name.from_str(name);
- if (!keys_server.contains(entry.name)) {
+ if (!mon->keys_server.contains(entry.name)) {
ss << "couldn't find entry " << name;
rs = -ENOENT;
goto done;
paxos->wait_for_commit(new Monitor::C_Command(mon, m, 0, rs, paxos->get_version()));
return true;
} else if (m->cmd[1] == "list") {
- keys_server.list_secrets(ss);
+ mon->keys_server.list_secrets(ss);
err = 0;
goto done;
} else {
class AuthMonitor : public PaxosService {
void auth_usage(stringstream& ss);
vector<AuthLibIncremental> pending_auth;
- KeysServer keys_server;
version_t last_rotating_ver;
AuthServiceManager auth_mgr;
#include "common/LogClient.h"
+#include "auth/KeysServer.h"
+
class MonitorStore;
void reset_tick();
friend class C_Mon_Tick;
+ KeysServer keys_server;
+
// -- local storage --
public:
MonitorStore *store;