From: Yehuda Sadeh <ysadehwe@ibm.com>
Date: Fri, 7 Mar 2025 18:20:58 +0000 (-0500)
Subject: auth: add a configurable to control rotating keys cipher type
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0e97dce619a1ad235cb1d08b929012cda3dd79fd;p=ceph-ci.git

auth: add a configurable to control rotating keys cipher type

auth_service_cipher: a mon configurable that determines what type of cipher
the rotating keys are using. The configurable can change at runtime. Note
that the change does not invalidate existing keys, these would expire
based on their ttl.

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>
---

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index a31ff47044e..0af4db935bf 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -184,7 +184,14 @@ int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data)
 
   while (r.need_new_secrets(now)) {
     ExpiringCryptoKey ek;
-    generate_secret(ek.key);
+    auto s = cct->_conf.get_val<string>("auth_service_cipher");
+
+    int key_type = CryptoManager::get_key_type(s);
+    if (key_type < 0 || key_type == CEPH_CRYPTO_NONE) {
+      key_type = CEPH_CRYPTO_AES256KRB5;
+    }
+    
+    generate_secret(ek.key, key_type);
     if (r.empty()) {
       ek.expiration = now;
     } else {
diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index 222dc89076e..7792f3d60dc 100644
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
@@ -2163,6 +2163,33 @@ options:
    Ceph services. Valid settings are ``cephx`` or ``none``.
   default: cephx
   with_legacy: true
+- name: auth_service_cipher
+  type: str
+  level: advanced
+  desc: cipher type that is used to encrypt service tickets.
+  fmt_desc: When service tickets are being generaeted, this would
+   be the cipher that will be used to encrypt them. This requires
+   that all the services support the specific cipher. Valid settings
+   are ``aes` or ``aes256k``.
+  default: aes
+  services:
+  - mon
+  enum_values:
+  - aes
+  - aes256k
+  with_legacy: false
+  flags:
+  - runtime
+- name: auth_cipher_allow
+  type: str
+  level: advanced
+  desc: cipher types that are allowed to be used for authentication
+  fmt_desc: This list of cipher types determines which ciphers are
+   allowed to be used for the clients and services to establish
+   a connection to the cluster via the cephx autentication protocol.
+   Valid options are ``aes` or ``aes256k``.
+  default: aes, aes256k
+  with_legacy: true
 # what clients require of daemons
 - name: auth_client_required
   type: str