]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-ci.git/commitdiff
projects / ceph-ci.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 31482c1)
mon: use key_server for looking up mon key
authorPatrick Donnelly <pdonnell@ibm.com>
Thu, 29 May 2025 14:07:52 +0000 (10:07 -0400)
committerPatrick Donnelly <pdonnell@ibm.com>
Mon, 26 Jan 2026 15:27:07 +0000 (10:27 -0500)
Note: the key_server is already configured to fallback (via
KeyServerData::extra_secrets) to the Monitor::keyring which is sourced from the
mon's keyring file.

Using the Monitor::key_server allows us to maintain the mon's secret in the
auth database alongside all other secrets. This makes rotating the mons' keys
the same as all other entities in Ceph. Before this, to rotate the mons' key
you would need to turn off all montitors and then rotate the key files
manually. This is obviously disruptive since it's not a rolling upgrade.

If the key is sourced from the Monitor::key_server, then the key can be rotated
and all mons are aware of the new key. The mons can then proceed to restart as
needed in a non-disruptive fashion.

A followup commit will cleanup the monitor to try either its local keyring key
or the key in the key_server (if present) when authenticating with other mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
src/mon/Monitor.cc patch | blob | history

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 4409cc9b0b72752c54b8175f27566d779c062ac1..63c02d920dd5a23ac5372106d01b360d59d1b827 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -6488,9 +6488,10 @@ int Monitor::handle_auth_request(
       return -EOPNOTSUPP;
     }
     bool was_challenge = (bool)auth_meta->authorizer_challenge;
+    dout(20) << __func__ << ": verify authorizer was_challenge=" << was_challenge << dendl;
     bool isvalid = ah->verify_authorizer(
       cct,
-      keyring,
+      key_server,
       payload,
       auth_meta->get_connection_secret_length(),
       reply,
@@ -6560,6 +6561,11 @@ int Monitor::handle_auth_request(
       dout(1) << __func__ << " failed to decode, " << e.what() << dendl;
       return -EACCES;
     }
+    dout(15) << __func__ << ": decoded"
+            << " mode=" << mode
+            << " entity_name=" << entity_name
+            << " con->peer_global_id=" << con->peer_global_id
+            << dendl;
 
     // supported method?
     if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
@@ -6600,6 +6606,8 @@ int Monitor::handle_auth_request(
     s->auth_handler = auth_handler.release();
     con->set_priv(RefCountedPtr{s, false});
 
+    dout(20) << __func__ << ": starting session: " << *s << dendl;
+
     r = s->auth_handler->start_session(
       entity_name,
       con->peer_global_id,
Unnamed repository; edit this file 'description' to name the repository.