public:
virtual ~KeyStore() {}
virtual bool get_secret(EntityName& name, CryptoKey& secret) = 0;
- //virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) = 0;
+ virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) = 0;
};
static inline bool auth_principal_needs_rotating_keys(EntityName& name)
(name.entity_type == CEPH_ENTITY_TYPE_MDS));
}
-
#endif
struct AuthAuthorizeHandler {
virtual ~AuthAuthorizeHandler() {}
- virtual bool verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys,
+ virtual bool verify_authorizer(KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info) = 0;
};
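Review bot: The new `verify_authorizer` signature in `AuthAuthorizeHandler` is undocumented, and the contract it expresses has changed: the single `KeyStore *keys` now has to serve both the principal's general secret and the rotating service secrets that the removed `RotatingKeyRing *rkeys` used to supply. I would add above the declaration `// keys: supplies both the general secret (get_secret) and rotating service secrets (get_service_secret); must be non-null` and state that the implementation returns false on any verification failure. Whether the implementations tolerate a null `keys` is not visible in this hunk.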
#include "auth/Crypto.h"
#include "auth/Auth.h"
-class KeyRing : public KeyStore {
+class KeyRing {
map<EntityName, EntityAuth> keys;
public:
#include "Crypto.h"
#include "auth/RotatingKeyRing.h"
+#include "auth/KeyRing.h"
#define DOUT_SUBSYS auth
#undef dout_prefix
dout(0) << " id " << iter->first << " " << iter->second << dendl;
}
-bool RotatingKeyRing::get_service_secret(uint64_t secret_id, CryptoKey& secret)
+bool RotatingKeyRing::get_secret(EntityName& name, CryptoKey& secret)
{
Mutex::Locker l(lock);
+ return keyring->get_secret(name, secret);
+}
+
+bool RotatingKeyRing::get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret)
+{
+ Mutex::Locker l(lock);
+
+ if (service_id != this->service_id) {
+ dout(0) << "do not have service " << ceph_entity_type_name(service_id)
+ << ", i am " << ceph_entity_type_name(this->service_id) << dendl;
+ return false;
+ }
map<uint64_t, ExpiringCryptoKey>::iterator iter = secrets.secrets.find(secret_id);
if (iter == secrets.secrets.end()) {
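Review bot: In `RotatingKeyRing::get_service_secret` the parameter `service_id` shadows the member of the same name, so the mismatch test at the top of the function is correct only because of the explicit `this->`; renaming the parameter (`uint32_t sid`) and comparing `if (sid != service_id)` removes the trap. `RotatingKeyRing::get_secret` dereferences `keyring` with no null check and the constructor accepts any pointer, so an instance built with a null keyring crashes on the first general-secret lookup; a guard `if (!keyring) return false;` before the delegation turns that into a verification failure instead. Both functions hold `lock` for the whole call, but whether `keyring->get_secret` takes a lock of its own is not visible here. The body of `get_service_secret` continues past the end of the hunk.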
#include "auth/Auth.h"
/*
- * mediate access to a service's rotating secrets
+ * mediate access to a service's keyring and rotating secrets
*/
-class RotatingKeyRing {
+class KeyRing;
+
+class RotatingKeyRing : public KeyStore {
+ uint32_t service_id;
RotatingSecrets secrets;
+ KeyRing *keyring;
Mutex lock;
public:
- RotatingKeyRing() : lock("RotatingKeyRing::lock") {}
+ RotatingKeyRing(uint32_t s, KeyRing *kr) :
+ service_id(s),
+ keyring(kr),
+ lock("RotatingKeyRing::lock") {}
bool need_new_secrets();
void set_secrets(RotatingSecrets& s);
void dump_rotating();
- bool get_service_secret(uint64_t secret_id, CryptoKey& secret);
+ bool get_secret(EntityName& name, CryptoKey& secret);
+ bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret);
};
#endif
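Review bot: The class comment at the top of the hunk describes the role of `RotatingKeyRing` but not the ownership of the new `keyring` member, which is stored as a raw pointer and is never deleted here; I would extend it with `keyring is borrowed, not owned: the KeyRing must outlive this object` and add on `get_service_secret` that it only serves secrets for the `service_id` given to the constructor and answers false for any other service. Since `RotatingKeyRing` is now the `KeyStore` handed to the authorize handlers, the comment should also say that `get_secret` is satisfied from the wrapped `KeyRing`. The declaration names the method parameter `service_id`, the same as the member, which is easy to misread in the .cc; `sid` would avoid that.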
#include "CephxAuthorizeHandler.h"
-bool CephxAuthorizeHandler::verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys,
+bool CephxAuthorizeHandler::verify_authorizer(KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info)
{
CephXServiceTicketInfo auth_ticket_info;
- bool isvalid = cephx_verify_authorizer(keys, rkeys, iter, auth_ticket_info, authorizer_reply);
+ bool isvalid = cephx_verify_authorizer(keys, iter, auth_ticket_info, authorizer_reply);
dout(0) << "CephxAuthorizeHandler::verify_authorizer isvalid=" << isvalid << dendl;
if (isvalid) {
#include "../AuthAuthorizeHandler.h"
struct CephxAuthorizeHandler : public AuthAuthorizeHandler {
- bool verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys,
+ bool verify_authorizer(KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info);
};
AuthAuthorizer *CephxClientHandler::build_authorizer(uint32_t service_id)
{
- dout(10) << "build_authorizer for service " << service_id << dendl;
+ dout(10) << "build_authorizer for service " << ceph_entity_type_name(service_id) << dendl;
return tickets.build_authorizer(service_id);
}
if (iter == tickets_map.end()) {
have &= ~service_id;
need |= service_id;
- dout(10) << "couldn't find entry for service_id " << service_id << dendl;
+ dout(10) << "couldn't find entry for service_id " << ceph_entity_type_name(service_id) << dendl;
return;
}
- dout(10) << "service_id=" << service_id << " need=" << iter->second.need_key() << " have=" << iter->second.have_key() << dendl;
+ dout(10) << "set_have_need_key service " << ceph_entity_type_name(service_id) << " (" << service_id << ")"
+ << " need=" << iter->second.need_key() << " have=" << iter->second.have_key() << dendl;
if (iter->second.need_key())
need |= service_id;
else
for (int i=0; i<(int)num; i++) {
uint32_t type;
::decode(type, indata);
- dout(10) << "got key for service_id=" << type << dendl;
+ dout(10) << "got key for service_id " << ceph_entity_type_name(type) << dendl;
CephXTicketHandler& handler = tickets_map[type];
handler.service_id = type;
if (!handler.verify_service_ticket_reply(secret, indata)) {
{
map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
if (iter == tickets_map.end()) {
- dout(0) << "no TicketHandler for service " << service_id << dendl;
+ dout(0) << "no TicketHandler for service " << ceph_entity_type_name(service_id) << dendl;
return NULL;
}
set_have_need_key(i, have, need);
}
}
+ dout(10) << "validate_tickets want " << mask << " have " << have << " need " << need << dendl;
}
-bool cephx_decode_ticket(KeyStore *keys, RotatingKeyRing *rkeys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info)
+bool cephx_decode_ticket(KeyStore *keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info)
{
uint64_t secret_id = ticket_blob.secret_id;
CryptoKey service_secret;
return false;
}
- if (secret_id == (uint64_t)-1 || rkeys == NULL) {
+ if (secret_id == (uint64_t)-1) {
if (!keys->get_secret(*g_conf.entity_name, service_secret)) {
dout(0) << "ceph_decode_ticket could not get general service secret for service_id="
- << service_id << " secret_id=" << secret_id << dendl;
+ << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl;
return false;
}
} else {
- if (!rkeys->get_service_secret(secret_id, service_secret)) {
+ if (!keys->get_service_secret(service_id, secret_id, service_secret)) {
dout(0) << "ceph_decode_ticket could not get service secret for service_id="
- << service_id << " secret_id=" << secret_id << dendl;
+ << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl;
return false;
}
}
*
* {timestamp + 1}^session_key
*/
-bool cephx_verify_authorizer(KeyStore *keys, RotatingKeyRing *rkeys,
+bool cephx_verify_authorizer(KeyStore *keys,
bufferlist::iterator& indata,
CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl)
{
// ticket blob
CephXTicketBlob ticket;
::decode(ticket, indata);
- dout(10) << "verify_authorizer decrypted service_id=" << service_id
+ dout(10) << "verify_authorizer decrypted service " << ceph_entity_type_name(service_id)
<< " secret_id=" << ticket.secret_id << dendl;
- if (ticket.secret_id == (uint64_t)-1 || rkeys == NULL) {
+ if (ticket.secret_id == (uint64_t)-1) {
EntityName name;
name.entity_type = service_id;
if (!keys->get_secret(name, service_secret)) {
- dout(0) << "verify_authorizer could not get general service secret for service_id=" << service_id
- << " secret_id=" << ticket.secret_id << dendl;
+ dout(0) << "verify_authorizer could not get general service secret for service "
+ << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
return false;
}
} else {
- if (!rkeys->get_service_secret(ticket.secret_id, service_secret)) {
- dout(0) << "verify_authorizer could not get service secret for service_id=" << service_id
- << " secret_id=" << ticket.secret_id << dendl;
+ if (!keys->get_service_secret(service_id, ticket.secret_id, service_secret)) {
+ dout(0) << "verify_authorizer could not get service secret for service "
+ << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
return false;
}
}
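Review bot: Dropping the `rkeys == NULL` fallback makes `keys` the only key source, but the MDS and OSD callers on L264 and L304 now pass `monc->rotating_secrets`, which `MonClient::_check_auth_rotating` (L279) itself treats as possibly NULL; before this change the first argument was always `&g_keyring`. If a daemon's `rotating_secrets` is unset when an authorizer arrives, `keys->get_secret` and `keys->get_service_secret` dereference a null pointer inside the verify path. I would reject such authorizers explicitly at function entry, before the ticket blob is decoded: `if (!keys) { dout(0) << "verify_authorizer: no key store" << dendl; return false; }`. The same applies to `cephx_decode_ticket` at L141-L151. `cephx_verify_authorizer` starts in the previous hunk and its body continues beyond this one.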
/*
* Decode an extract ticket
*/
-bool cephx_decode_ticket(KeyStore *keys, RotatingKeyRing *rkeys,
+bool cephx_decode_ticket(KeyStore *keys,
uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info);
/*
* Verify authorizer and generate reply authorizer
*/
-extern bool cephx_verify_authorizer(KeyStore *keys, RotatingKeyRing *rkeys,
+extern bool cephx_verify_authorizer(KeyStore *keys,
bufferlist::iterator& indata,
CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl);
}
CephXServiceTicketInfo old_ticket_info;
- if (cephx_decode_ticket(key_server, NULL, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) {
+ if (cephx_decode_ticket(key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) {
global_id = old_ticket_info.ticket.global_id;
dout(10) << "decoded old_ticket with global_id=" << global_id << dendl;
should_enc_ticket = true;
bufferlist tmp_bl;
CephXServiceTicketInfo auth_ticket_info;
- if (!cephx_verify_authorizer(key_server, NULL, indata, auth_ticket_info, tmp_bl)) {
+ if (!cephx_verify_authorizer(key_server, indata, auth_ticket_info, tmp_bl)) {
ret = -EPERM;
break;
}
vector<CephXSessionAuthInfo> info_vec;
for (uint32_t service_id = 1; service_id <= ticket_req.keys; service_id <<= 1) {
if (ticket_req.keys & service_id) {
- dout(10) << " adding key for service " << service_id << dendl;
+ dout(10) << " adding key for service " << ceph_entity_type_name(service_id) << dendl;
CephXSessionAuthInfo info;
int r = key_server->build_session_auth_info(service_id, auth_ticket_info, info);
if (r < 0) {
#include "AuthNoneAuthorizeHandler.h"
-bool AuthNoneAuthorizeHandler::verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys,
+bool AuthNoneAuthorizeHandler::verify_authorizer(KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info)
{
#include "../AuthAuthorizeHandler.h"
struct AuthNoneAuthorizeHandler : public AuthAuthorizeHandler {
- bool verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys,
+ bool verify_authorizer(KeyStore *keys,
bufferlist& authorizer_data, bufferlist& authorizer_reply,
EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info);
};
#include "mon/MonClient.h"
+#include "auth/KeyRing.h"
+
void usage()
{
cerr << "usage: cmds -i name [flags] [--mds rank] [--shadow rank]\n";
if (g_conf.clock_tare) g_clock.tare();
// get monmap
- RotatingKeyRing rkeys;
+ RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_MDS, &g_keyring);
MonClient mc(&rkeys);
if (mc.build_initial_monmap() < 0)
return -1;
_dout_create_courtesy_output_symlink("osd", whoami);
// get monmap
- RotatingKeyRing rkeys;
+ RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_OSD, &g_keyring);
MonClient mc(&rkeys);
if (mc.build_initial_monmap() < 0)
return -1;
EntityName name;
uint64_t global_id;
- is_valid = authorize_handler->verify_authorizer(&g_keyring, monc->rotating_secrets,
+ is_valid = authorize_handler->verify_authorizer(monc->rotating_secrets,
authorizer_data, authorizer_reply, name, global_id, caps_info);
if (is_valid) {
authenticate_cond.Wait(monc_lock);
if (state == MC_STATE_HAVE_SESSION) {
- dout(5) << "authenticate success, global_id" << global_id << dendl;
+ dout(5) << "authenticate success, global_id " << global_id << dendl;
}
return authenticate_err;
_send_mon_message(m);
}
- if (!rotating_secrets)
- return 0;
-
- if (!rotating_secrets->need_new_secrets())
+ if (!rotating_secrets ||
+ !auth_principal_needs_rotating_keys(entity_name)) {
+ dout(20) << "_check_auth_rotating not needed by " << entity_name << dendl;
return 0;
+ }
- if (!auth_principal_needs_rotating_keys(entity_name)) {
- dout(20) << "_check_auth_rotating not needed by " << entity_name << dendl;
+ if (!rotating_secrets->need_new_secrets()) {
+ dout(20) << "_check_auth_rotating have uptodate secrets" << dendl;
+ rotating_secrets->dump_rotating();
return 0;
}
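Review bot: The reordered early-return path in `_check_auth_rotating` now calls `rotating_secrets->dump_rotating()` every time the secrets are up to date, and `dump_rotating` (L30) prints each `ExpiringCryptoKey` at `dout(0)`, the always-on level. Whether `operator<<` for `ExpiringCryptoKey` includes the key bytes is not visible here; if it does, this writes rotating service keys to the log on every periodic check, and even if it only prints ids and expiry it is unconditional noise. I would drop the call or put it behind a debug level consistent with the surrounding `dout(20)` messages, and confirm the stream operator prints no key material. `_check_auth_rotating` starts before this hunk.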
if (!authorizer_data.length())
return true; /* we're not picky */
- int ret = cephx_verify_authorizer(&key_server, NULL, iter, auth_ticket_info, authorizer_reply);
+ int ret = cephx_verify_authorizer(&key_server, iter, auth_ticket_info, authorizer_reply);
dout(0) << "Monitor::verify_authorizer returns " << ret << dendl;
isvalid = (ret >= 0);
heartbeat_messenger->add_dispatcher_head(&heartbeat_dispatcher);
+ monc->set_want_keys(CEPH_ENTITY_TYPE_MON | CEPH_ENTITY_TYPE_OSD);
monc->init();
monc->sub_want("monmap", 0);
EntityName name;
uint64_t global_id;
- isvalid = authorize_handler->verify_authorizer(&g_keyring, monc->rotating_secrets,
+ isvalid = authorize_handler->verify_authorizer(monc->rotating_secrets,
authorizer_data, authorizer_reply, name, global_id, caps_info);
dout(10) << "OSD::ms_verify_authorizer name=" << name << dendl;