From: Sage Weil
Date: Thu, 11 Feb 2010 17:24:42 +0000 (-0800)
Subject: cephx: use 'next' key for ticketes when 'current' is expired
X-Git-Tag: v0.19~54
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3d1c0797d196bbec005af5fc73a7f673ad57ab70;p=ceph.git

cephx: use 'next' key for ticketes when 'current' is expired

When generating tickets for clients, use next key if the current is expired. That ensures they will renew before their ticket times out.
---
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index b268f87c2153..933168c4fc13 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -33,11 +33,14 @@ bool KeyServerData::get_service_secret(uint32_t service_id, ExpiringCryptoKey& s
 
 RotatingSecrets& secrets = iter->second;
 
- // second to oldest
+ // second to oldest, unless it's expired
 map::iterator riter = secrets.secrets.begin();
 if (secrets.secrets.size() > 1)
 ++riter;
 
+ if (riter->second.expiration < g_clock.now())
+ ++riter; // "current" key has expired, use "next" key instead
+
 secret_id = riter->first;
 secret = riter->second;
 dout(10) << "get_service_secret service " << ceph_entity_type_name(service_id)
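Review bot: The added `++riter` after the expiry check is unconditional, so when the rotating set holds only one or two keys and the selected one has expired, `riter` becomes `secrets.secrets.end()` and the following `riter->first` / `riter->second` dereference it, which is undefined behaviour on the path that issues service tickets. The hunk does not show an invariant that three keys are always present, so I would bound the step, e.g. `if (riter->second.expiration < g_clock.now() && secrets.secrets.size() > 2) ++riter;`, and decide explicitly (return false with a log line, or keep the expired key) what happens when no unexpired key exists. The key reached after the step is also used without its own expiry check. get_service_secret starts before and continues past this hunk, so an earlier emptiness or size check may exist that I cannot see.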