From: Tobias Urdin Date: Sun, 26 Jun 2022 23:12:42 +0000 (+0000) Subject: rgw/auth: Cache service tokens separately X-Git-Tag: v18.1.0~1023^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0fd0a28dec1e4c63f8c00ca222916dac90d12cd1;p=ceph.git rgw/auth: Cache service tokens separately This changes so that the service tokens is cached separately in it's own map and LRU list so that the cache cannot be poisioned and used to lookup an expired token. Signed-off-by: Tobias Urdin --- diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc index d247ffabd918..b818325db9f8 100644 --- a/src/rgw/rgw_auth_keystone.cc +++ b/src/rgw/rgw_auth_keystone.cc @@ -254,7 +254,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp, ldpp_dout(dpp, 20) << "service_token_id=" << service_token_id << dendl; /* Check cache for service token first. */ - st = token_cache.find(service_token_id); + st = token_cache.find_service(service_token_id); if (st) { ldpp_dout(dpp, 20) << "cached service_token.project.id=" << st->get_project_id() << dendl; @@ -293,7 +293,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp, << " is valid, role: " << role << dendl; allow_expired = true; - token_cache.add(service_token_id, *st); + token_cache.add_service(service_token_id, *st); break; } } diff --git a/src/rgw/rgw_keystone.cc b/src/rgw/rgw_keystone.cc index 15033aee261b..2df417bd0e7a 100644 --- a/src/rgw/rgw_keystone.cc +++ b/src/rgw/rgw_keystone.cc @@ -379,11 +379,18 @@ bool TokenCache::find(const std::string& token_id, rgw::keystone::TokenEnvelope& token) { std::lock_guard l{lock}; - return find_locked(token_id, token); + return find_locked(token_id, token, tokens, tokens_lru); } -bool TokenCache::find_locked(const std::string& token_id, - rgw::keystone::TokenEnvelope& token) +bool TokenCache::find_service(const std::string& token_id, + rgw::keystone::TokenEnvelope& token) +{ + std::lock_guard l{lock}; + return find_locked(token_id, token, service_tokens, service_tokens_lru); +} + +bool TokenCache::find_locked(const std::string& token_id, rgw::keystone::TokenEnvelope& token, + std::map& tokens, std::list& tokens_lru) { ceph_assert(ceph_mutex_is_locked_by_me(lock)); map::iterator iter = tokens.find(token_id); @@ -414,25 +421,32 @@ bool TokenCache::find_admin(rgw::keystone::TokenEnvelope& token) { std::lock_guard l{lock}; - return find_locked(admin_token_id, token); + return find_locked(admin_token_id, token, tokens, tokens_lru); } bool TokenCache::find_barbican(rgw::keystone::TokenEnvelope& token) { std::lock_guard l{lock}; - return find_locked(barbican_token_id, token); + return find_locked(barbican_token_id, token, tokens, tokens_lru); } void TokenCache::add(const std::string& token_id, const rgw::keystone::TokenEnvelope& token) { std::lock_guard l{lock}; - add_locked(token_id, token); + add_locked(token_id, token, tokens, tokens_lru); +} + +void TokenCache::add_service(const std::string& token_id, + const rgw::keystone::TokenEnvelope& token) +{ + std::lock_guard l{lock}; + add_locked(token_id, token, service_tokens, service_tokens_lru); } -void TokenCache::add_locked(const std::string& token_id, - const rgw::keystone::TokenEnvelope& token) +void TokenCache::add_locked(const std::string& token_id, const rgw::keystone::TokenEnvelope& token, + std::map& tokens, std::list& tokens_lru) { ceph_assert(ceph_mutex_is_locked_by_me(lock)); map::iterator iter = tokens.find(token_id); @@ -460,7 +474,7 @@ void TokenCache::add_admin(const rgw::keystone::TokenEnvelope& token) std::lock_guard l{lock}; rgw_get_token_id(token.token.id, admin_token_id); - add_locked(admin_token_id, token); + add_locked(admin_token_id, token, tokens, tokens_lru); } void TokenCache::add_barbican(const rgw::keystone::TokenEnvelope& token) @@ -468,7 +482,7 @@ void TokenCache::add_barbican(const rgw::keystone::TokenEnvelope& token) std::lock_guard l{lock}; rgw_get_token_id(token.token.id, barbican_token_id); - add_locked(barbican_token_id, token); + add_locked(barbican_token_id, token, tokens, tokens_lru); } void TokenCache::invalidate(const DoutPrefixProvider *dpp, const std::string& token_id) diff --git a/src/rgw/rgw_keystone.h b/src/rgw/rgw_keystone.h index ff79c07f9f04..9a18d8de8c08 100644 --- a/src/rgw/rgw_keystone.h +++ b/src/rgw/rgw_keystone.h @@ -219,7 +219,9 @@ class TokenCache { std::string admin_token_id; std::string barbican_token_id; std::map tokens; + std::map service_tokens; std::list tokens_lru; + std::list service_tokens_lru; ceph::mutex lock = ceph::make_mutex("rgw::keystone::TokenCache"); @@ -249,6 +251,7 @@ public: } bool find(const std::string& token_id, TokenEnvelope& token); + bool find_service(const std::string& token_id, TokenEnvelope& token); boost::optional find(const std::string& token_id) { TokenEnvelope token_envlp; if (find(token_id, token_envlp)) { @@ -256,17 +259,26 @@ public: } return boost::none; } + boost::optional find_service(const std::string& token_id) { + TokenEnvelope token_envlp; + if (find_service(token_id, token_envlp)) { + return token_envlp; + } + return boost::none; + } bool find_admin(TokenEnvelope& token); bool find_barbican(TokenEnvelope& token); void add(const std::string& token_id, const TokenEnvelope& token); + void add_service(const std::string& token_id, const TokenEnvelope& token); void add_admin(const TokenEnvelope& token); void add_barbican(const TokenEnvelope& token); void invalidate(const DoutPrefixProvider *dpp, const std::string& token_id); bool going_down() const; private: - void add_locked(const std::string& token_id, const TokenEnvelope& token); - bool find_locked(const std::string& token_id, TokenEnvelope& token); - + void add_locked(const std::string& token_id, const TokenEnvelope& token, + std::map& tokens, std::list& tokens_lru); + bool find_locked(const std::string& token_id, TokenEnvelope& token, + std::map& tokens, std::list& tokens_lru); };