From: Patrick Donnelly Date: Wed, 26 Mar 2025 02:04:20 +0000 (-0400) Subject: auth,mon: lookup ticket ttl at runtime X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=116f1aef9ccacc556a2e83c3dd16249097b1122a;p=ceph-ci.git auth,mon: lookup ticket ttl at runtime and improve debugging. Signed-off-by: Patrick Donnelly --- diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index 0fa026ee332..49813ef320d 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -54,11 +54,13 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id, secret_id = riter->first; secret = riter->second.key; + double const auth_mon_ticket_ttl = cct->_conf.get_val("auth_mon_ticket_ttl"); + double const auth_service_ticket_ttl= cct->_conf.get_val("auth_service_ticket_ttl"); + // ttl may have just been increased by the user // cap it by expiration of "next" key to prevent handing out a ticket // with a bogus, possibly way into the future, validity - ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? - cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl; + ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? auth_mon_ticket_ttl : auth_service_ticket_ttl; ttl = std::min(ttl, static_cast( secrets.secrets.rbegin()->second.expiration - now)); @@ -179,17 +181,29 @@ int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data) RotatingSecrets& r = pending_data.rotating_secrets[service_id]; int added = 0; utime_t now = ceph_clock_now(); - double ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl; + + double const auth_mon_ticket_ttl = cct->_conf.get_val("auth_mon_ticket_ttl"); + double const auth_service_ticket_ttl= cct->_conf.get_val("auth_service_ticket_ttl"); + auto const auth_service_cipher = cct->_conf.get_val("auth_service_cipher"); + const int auth_service_cipher_key_type = CryptoManager::get_key_type(auth_service_cipher); + + ldout(cct, 10) << __func__ + << ": auth_mon_ticket_ttl=" << auth_mon_ticket_ttl + << ", auth_service_ticket_ttl=" << auth_service_ticket_ttl + << ", auth_service_cipher=" << auth_service_cipher + << ", service_id=" << service_id + << dendl;; + + double ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? auth_mon_ticket_ttl : auth_service_ticket_ttl; while (r.need_new_secrets(now)) { ExpiringCryptoKey ek; - auto s = cct->_conf.get_val("auth_service_cipher"); - int key_type = CryptoManager::get_key_type(s); + int key_type = auth_service_cipher_key_type; if (key_type < 0 || key_type == CEPH_CRYPTO_NONE) { key_type = CEPH_CRYPTO_AES256KRB5; } - + generate_secret(ek.key, key_type); if (r.empty()) { ek.expiration = now; @@ -285,6 +299,8 @@ bool KeyServer::generate_secret(CryptoKey& secret, std::optional key_type) if (!crypto) return false; + ldout(cct, 20) << __func__ << ": generating key type " << type << dendl; + if (crypto->create(cct->random(), bp) < 0) return false; @@ -495,7 +511,7 @@ int KeyServer::build_session_auth_info(uint32_t service_id, info.secret_id = secret_id; std::scoped_lock l{lock}; - return _build_session_auth_info(service_id, parent_ticket, key_type, info, - cct->_conf->auth_service_ticket_ttl); + double const auth_service_ticket_ttl= cct->_conf.get_val("auth_service_ticket_ttl"); + return _build_session_auth_info(service_id, parent_ticket, key_type, info, auth_service_ticket_ttl); } diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in index a5b9f368dc9..9309a8fe031 100644 --- a/src/common/options/global.yaml.in +++ b/src/common/options/global.yaml.in @@ -2279,15 +2279,25 @@ options: type: float level: advanced default: 72_hr - with_legacy: true + desc: The time-to-live for tickets with the auth subsystem of the Monitors. + long_desc: > + The time-to-live for tickets with the auth subsystem of the Monitors. + These tickets are used to reclaim the global ID associated with the + running client. + flags: + - runtime - name: auth_service_ticket_ttl type: float level: advanced default: 1_hr - fmt_desc: When the Ceph Storage Cluster sends a Ceph Client a ticket for - authentication, the Ceph Storage Cluster assigns the ticket a - time to live. - with_legacy: true + desc: The time-to-live for non-auth service tickets issued by the Monitors. + fmt_desc: > + The time-to-live for non-auth service tickets issued by the Monitors. These + tickets would include services like the OSD or MDS. This allows the client + to authenticate independently with the service for the given timeframe + before having to refresh its tickets with the Monitors again. + flags: + - runtime - name: auth_allow_insecure_global_id_reclaim type: bool level: advanced diff --git a/src/crimson/mon/MonClient.cc b/src/crimson/mon/MonClient.cc index 3d6f7fd2f9f..82f874ab2bf 100644 --- a/src/crimson/mon/MonClient.cc +++ b/src/crimson/mon/MonClient.cc @@ -153,9 +153,10 @@ seastar::future<> Connection::renew_tickets() seastar::future<> Connection::renew_rotating_keyring() { + auto&& conf = crimson::common::local_conf(); + auto const service_ticket_ttl = conf.get_val("auth_service_ticket_ttl"); + auto ttl = std::chrono::seconds{static_cast(service_ticket_ttl)}; auto now = clock_t::now(); - auto ttl = std::chrono::seconds{ - static_cast(crimson::common::local_conf()->auth_service_ticket_ttl)}; auto cutoff = utime_t{now - std::min(std::chrono::seconds{30}, ttl / 4)}; if (!rotating_keyring->need_new_secrets(cutoff)) { logger().debug("renew_rotating_keyring secrets are up-to-date " diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index 164dd28dc76..cfbbfd7ab73 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -1105,11 +1105,13 @@ int MonClient::_check_auth_rotating() return 0; } + double auth_service_ticket_ttl = cct->_conf.get_val("auth_service_ticket_ttl"); + utime_t now = ceph_clock_now(); utime_t cutoff = now; - cutoff -= std::min(30.0, cct->_conf->auth_service_ticket_ttl / 4.0); + cutoff -= std::min(30.0, auth_service_ticket_ttl / 4.0); utime_t issued_at_lower_bound = now; - issued_at_lower_bound -= cct->_conf->auth_service_ticket_ttl; + issued_at_lower_bound -= auth_service_ticket_ttl; if (!rotating_secrets->need_new_secrets(cutoff)) { ldout(cct, 10) << "_check_auth_rotating have uptodate secrets (they expire after " << cutoff << ")" << dendl; rotating_secrets->dump_rotating(); @@ -1151,9 +1153,11 @@ int MonClient::wait_auth_rotating(double timeout) if (!rotating_secrets) return 0; + double auth_service_ticket_ttl = cct->_conf.get_val("auth_service_ticket_ttl"); + ldout(cct, 10) << __func__ << " waiting for " << timeout << dendl; utime_t cutoff = ceph_clock_now(); - cutoff -= std::min(30.0, cct->_conf->auth_service_ticket_ttl / 4.0); + cutoff -= std::min(30.0, auth_service_ticket_ttl / 4.0); if (auth_cond.wait_for(l, ceph::make_timespan(timeout), [this, cutoff] { return (!auth_principal_needs_rotating_keys(entity_name) || !rotating_secrets->need_new_secrets(cutoff));