From: Patrick Donnelly Date: Fri, 21 Mar 2025 16:56:06 +0000 (-0400) Subject: mon/AuthMonitor: add key-type switch X-Git-Tag: testing/wip-pdonnell-testing-20260210.212535~86 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=47f4b7b533c829394f5d8e6990fea67695608c59;p=ceph-ci.git mon/AuthMonitor: add key-type switch So it's possible to test with various key-types. Signed-off-by: Patrick Donnelly --- diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc index d319f8bce5e..da21fdad48d 100644 --- a/src/auth/Crypto.cc +++ b/src/auth/Crypto.cc @@ -1140,6 +1140,9 @@ int CryptoManager::get_key_type(const std::string& s) { auto l = s; std::transform(l.begin(), l.end(), l.begin(), ::tolower); + if (l == "recommended") { + return CEPH_CRYPTO_AES256KRB5; + } if (l == "aes") { return CEPH_CRYPTO_AES; } @@ -1152,6 +1155,12 @@ int CryptoManager::get_key_type(const std::string& s) return -ENOENT; } +const std::set& CryptoManager::get_secure_key_types() +{ + static const std::set secure_keys{CEPH_CRYPTO_AES256KRB5}; + return secure_keys; +} + bool CryptoManager::crypto_type_supported(int type) const { return supported_crypto_types.find(type) != supported_crypto_types.end(); diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index 27ace688733..56ff7e9ff47 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h @@ -276,6 +276,7 @@ public: } static int get_key_type(const std::string& s); + static const std::set& get_secure_key_types(); bool crypto_type_supported(int type) const; std::shared_ptr get_handler(int type); diff --git a/src/common/options/mon.yaml.in b/src/common/options/mon.yaml.in index 9e9554b60df..0ca496848db 100644 --- a/src/common/options/mon.yaml.in +++ b/src/common/options/mon.yaml.in @@ -817,6 +817,22 @@ options: services: - mon with_legacy: true +- name: mon_auth_allow_insecure_key + type: bool + level: advanced + desc: Allow the creation of keys with insecure type. + long_desc: > + By default, the Monitors will allow creation of keys with a cipher type + known to be insecure so long as the Monitors also allow that cipher to + authenticate. When that cipher type is removed from the authentication + list, the Monitors will also disable the default value of this + configuration. When disabled, ceph commands can no longer create keys with + an insecure cipher type. + default: false + services: + - mon + flags: + - runtime - name: mon_auth_validate_all_caps type: bool level: advanced diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index 0f8f229bff6..d8b3b83f7c7 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -31,6 +31,7 @@ #include "auth/AuthServiceHandler.h" #include "auth/KeyRing.h" +#include "auth/Crypto.h" #include "include/stringify.h" #include "include/ceph_assert.h" @@ -38,6 +39,11 @@ #include "mgr/MgrCap.h" #include "osd/OSDCap.h" +#include +#include +using namespace std::literals::string_view_literals; +using namespace std::literals::string_literals; + #define dout_subsys ceph_subsys_mon #undef dout_prefix #define dout_prefix _prefix(_dout, mon, get_last_committed()) @@ -1359,6 +1365,22 @@ bool AuthMonitor::valid_caps(const map& caps, ostream *out) return true; } +int AuthMonitor::get_cipher_type(const cmdmap_t& cmdmap, std::ostream& ss) const +{ + std::string key_string_type; + cmd_getval_or(cmdmap, "key_type"sv, key_string_type, "recommended"s); + auto key_type = CryptoManager::get_key_type(key_string_type); + auto&& secure_key_types = CryptoManager::get_secure_key_types(); + if (!secure_key_types.contains(key_type)) { + if (!cct->_conf.get_val("mon_auth_allow_insecure_key")) { + ss << "creating key with insecure key type (\"" << key_string_type << "\") not allowed"; + return -EPERM; + } + } + return key_type; +} + + bool AuthMonitor::prepare_command(MonOpRequestRef op) { auto m = op->get_req(); @@ -1452,6 +1474,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) bufferlist bl = m->get_data(); bool has_keyring = (bl.length() > 0); + int key_type = get_cipher_type(cmdmap, ss); + if (key_type < 0) { + goto done; + } + KeyRing new_keyring; if (has_keyring) { auto iter = bl.cbegin(); @@ -1514,7 +1541,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) if (!has_keyring) { dout(10) << "AuthMonitor::prepare_command generating random key for " << auth_inc.name << dendl; - new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5); + new_inc.key.create(g_ceph_context, key_type); } new_inc.caps = encoded_caps; @@ -1542,6 +1569,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) goto done; } + int key_type = get_cipher_type(cmdmap, ss); + if (key_type < 0) { + goto done; + } + // is there an uncommitted pending_key? (or any change for this entity) for (auto& p : pending_auth) { if (p.inc_type == AUTH_DATA) { @@ -1569,7 +1601,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) auth_inc.op = KeyServerData::AUTH_INC_ADD; auth_inc.name = entity; auth_inc.auth = entity_auth; - auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5); + auth_inc.auth.pending_key.create(g_ceph_context, key_type); push_cephx_inc(auth_inc); kr.add(entity, auth_inc.auth.key, auth_inc.auth.pending_key); push_cephx_inc(auth_inc); @@ -1620,6 +1652,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) goto done; } + int key_type = get_cipher_type(cmdmap, ss); + if (key_type < 0) { + goto done; + } + // do we have it? EntityAuth entity_auth; if (mon.key_server.get_auth(entity, entity_auth)) { @@ -1668,7 +1705,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) KeyServerData::Incremental auth_inc; auth_inc.op = KeyServerData::AUTH_INC_ADD; auth_inc.name = entity; - auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5); + auth_inc.auth.key.create(g_ceph_context, key_type); auth_inc.auth.caps = wanted_caps; push_cephx_inc(auth_inc); @@ -1696,6 +1733,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) string mds_cap_string, osd_cap_string; string osd_cap_wanted = "r"; + int key_type = get_cipher_type(cmdmap, ss); + if (key_type < 0) { + goto done; + } + const Filesystem* fs = nullptr; if (filesystem != "*" && filesystem != "all") { const auto& fsmap = mon.mdsmon()->get_fsmap(); @@ -1792,7 +1834,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) dout(20) << it.first << " cap = \"" << it.second << "\"" << dendl; } - err = _update_caps(entity, newcaps, op, ss, ds, &rdata, f.get()); + err = _update_caps(entity, key_type, newcaps, op, ss, ds, &rdata, f.get()); if (err == 0) { return true; } else { @@ -1800,14 +1842,14 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) } } - err = _create_entity(entity, newcaps, op, ss, ds, &rdata, f.get()); + err = _create_entity(entity, key_type, newcaps, op, ss, ds, &rdata, f.get()); if (err == 0) { return true; } else { goto done; } } else if (prefix == "auth caps" && !entity_name.empty()) { - err = _update_caps(entity, ceph_caps, op, ss, ds, &rdata, f.get()); + err = _update_caps(entity, CEPH_CRYPTO_AES256KRB5, ceph_caps, op, ss, ds, &rdata, f.get()); if (err == 0) { return true; } else { @@ -1834,6 +1876,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) goto done; } + int key_type = get_cipher_type(cmdmap, ss); + if (key_type < 0) { + goto done; + } + EntityAuth entity_auth; if (!mon.key_server.get_auth(entity, entity_auth)) { ss << "entity does not exist"; @@ -1841,7 +1888,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) goto done; } - entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5); + entity_auth.key.create(g_ceph_context, key_type); KeyServerData::Incremental auth_inc; auth_inc.op = KeyServerData::AUTH_INC_ADD; @@ -2012,6 +2059,7 @@ int AuthMonitor::_check_and_encode_caps(const map& caps, // Pass both, rdata as well as fmtr, to enable printing of the key after // update int AuthMonitor::_update_or_create_entity(const EntityName& entity, + int key_type, const map& caps, MonOpRequestRef op, stringstream& ss, stringstream& ds, bufferlist* rdata, Formatter* fmtr, bool create_entity) { @@ -2040,7 +2088,7 @@ int AuthMonitor::_update_or_create_entity(const EntityName& entity, auth_inc.op = KeyServerData::AUTH_INC_ADD; auth_inc.auth.caps = encoded_caps; if (create_entity) { - auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5); + auth_inc.auth.key.create(g_ceph_context, key_type); } push_cephx_inc(auth_inc); @@ -2061,20 +2109,20 @@ int AuthMonitor::_update_or_create_entity(const EntityName& entity, return 0; } -int AuthMonitor::_update_caps(const EntityName& entity, +int AuthMonitor::_update_caps(const EntityName& entity, int key_type, const map& caps, MonOpRequestRef op, stringstream& ss, stringstream& ds, bufferlist* rdata, Formatter* fmtr) { - return _update_or_create_entity(entity, caps, op, ss, ds, rdata, fmtr, - false); + return _update_or_create_entity(entity, key_type, caps, op, ss, + ds, rdata, fmtr, false); } -int AuthMonitor::_create_entity(const EntityName& entity, +int AuthMonitor::_create_entity(const EntityName& entity, int key_type, const map& caps, MonOpRequestRef op, stringstream& ss, stringstream& ds, bufferlist* rdata, Formatter* fmtr) { - return _update_or_create_entity(entity, caps, op, ss, ds, rdata, fmtr, - true); + return _update_or_create_entity(entity, key_type, caps, op, ss, + ds, rdata, fmtr, true); } bool AuthMonitor::prepare_global_id(MonOpRequestRef op) diff --git a/src/mon/AuthMonitor.h b/src/mon/AuthMonitor.h index 9007180b0ec..e1386466568 100644 --- a/src/mon/AuthMonitor.h +++ b/src/mon/AuthMonitor.h @@ -106,8 +106,9 @@ public: private: std::vector pending_auth; - uint64_t max_global_id; - uint64_t last_allocated_id; + uint64_t max_global_id = 0; + uint64_t last_allocated_id = 0; + boost::intrusive_ptr cct; // these are protected by mon->auth_lock int mon_num = 0, mon_rank = 0; @@ -178,6 +179,8 @@ private: bool prep_auth(MonOpRequestRef op, bool paxos_writable); bool preprocess_command(MonOpRequestRef op); + + int get_cipher_type(const cmdmap_t& cmdmap, std::ostream& ss) const; bool prepare_command(MonOpRequestRef op); void _encode_keyring(KeyRing& kr, const EntityName& entity, @@ -193,15 +196,15 @@ private: int _check_and_encode_caps(const std::map& caps, std::map& encoded_caps, std::stringstream& ss); - int _update_or_create_entity(const EntityName& entity, + int _update_or_create_entity(const EntityName& entity, int key_type, const std::map& caps, MonOpRequestRef op, std::stringstream& ss, std::stringstream& ds, bufferlist* rdata=nullptr, Formatter* fmtr=nullptr, bool create_entity=false); - int _create_entity(const EntityName& entity, + int _create_entity(const EntityName& entity, int key_type, const std::map& caps, MonOpRequestRef op, std::stringstream& ss, std::stringstream& ds, bufferlist* rdata, Formatter* fmtr); - int _update_caps(const EntityName& entity, + int _update_caps(const EntityName& entity, int key_type, const std::map& caps, MonOpRequestRef op, std::stringstream& ss, std::stringstream& ds, bufferlist* rdata, Formatter* fmtr); @@ -233,10 +236,8 @@ private: const EntityAuth& auth); public: - AuthMonitor(Monitor &mn, Paxos &p, const std::string& service_name) - : PaxosService(mn, p, service_name), - max_global_id(0), - last_allocated_id(0) + AuthMonitor(CephContext* cct, Monitor &mn, Paxos &p, const std::string& service_name) + : PaxosService(mn, p, service_name), cct(cct) {} void pre_auth(MAuth *m); diff --git a/src/mon/MonCommands.h b/src/mon/MonCommands.h index ca9907c51e6..17f12e4af7a 100644 --- a/src/mon/MonCommands.h +++ b/src/mon/MonCommands.h @@ -162,24 +162,36 @@ COMMAND_WITH_FLAG("auth list", "list authentication state", "auth", "rx", COMMAND("auth ls", "list authentication state", "auth", "rx") COMMAND("auth import", "auth import: read keyring file from -i ", "auth", "rwx") -COMMAND("auth add " - "name=entity,type=CephString " - "name=caps,type=CephString,n=N,req=false", +COMMAND("auth add" + " name=entity,type=CephString" + " name=caps,type=CephString,n=N,req=false" + " --" + " name=key_type,type=CephString,req=false" + , "add auth info for from input file, or random key if no " "input is given, and/or any caps specified in the command", "auth", "rwx") -COMMAND("auth rotate " - "name=entity,type=CephString", +COMMAND("auth rotate" + " name=entity,type=CephString" + " --" + " name=key_type,type=CephString,req=false" + , "rotate entity key", "auth", "rwx") -COMMAND("auth get-or-create-key " - "name=entity,type=CephString " - "name=caps,type=CephString,n=N,req=false", +COMMAND("auth get-or-create-key" + " name=entity,type=CephString" + " name=caps,type=CephString,n=N,req=false" + " --" + " name=key_type,type=CephString,req=false" + , "get, or add, key for from system/caps pairs specified in the command. If key already exists, any given caps must match the existing caps for that key.", "auth", "rwx") -COMMAND("auth get-or-create " - "name=entity,type=CephString " - "name=caps,type=CephString,n=N,req=false", +COMMAND("auth get-or-create" + " name=entity,type=CephString" + " name=caps,type=CephString,n=N,req=false" + " --" + " name=key_type,type=CephString,req=false" + , "add auth info for from input file, or random key if no input given, and/or any caps specified in the command", "auth", "rwx") COMMAND("auth get-or-create-pending " @@ -194,10 +206,13 @@ COMMAND("auth commit-pending " "name=entity,type=CephString", "rotate pending key into active position", "auth", "rwx") -COMMAND("fs authorize " - "name=filesystem,type=CephString " - "name=entity,type=CephString " - "name=caps,type=CephString,n=N", +COMMAND("fs authorize" + " name=filesystem,type=CephString" + " name=entity,type=CephString" + " name=caps,type=CephString,n=N" + " --" + " name=key_type,type=CephString,req=false" + , "add auth for to access file system based on following directory and permissions pairs", "auth", "rwx") COMMAND("auth caps " diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index fc543700151..9fc59b50e0f 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -251,7 +251,7 @@ Monitor::Monitor(CephContext* cct_, string nm, MonitorDBStore *s, paxos_service[PAXOS_MONMAP].reset(new MonmapMonitor(*this, *paxos, "monmap")); paxos_service[PAXOS_OSDMAP].reset(new OSDMonitor(cct, *this, *paxos, "osdmap")); paxos_service[PAXOS_LOG].reset(new LogMonitor(*this, *paxos, "logm")); - paxos_service[PAXOS_AUTH].reset(new AuthMonitor(*this, *paxos, "auth")); + paxos_service[PAXOS_AUTH].reset(new AuthMonitor(cct, *this, *paxos, "auth")); paxos_service[PAXOS_MGR].reset(new MgrMonitor(*this, *paxos, "mgr")); paxos_service[PAXOS_MGRSTAT].reset(new MgrStatMonitor(*this, *paxos, "mgrstat")); paxos_service[PAXOS_HEALTH].reset(new HealthMonitor(*this, *paxos, "health")); diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc index bd25bad1d46..a0e311c1ec2 100644 --- a/src/tools/ceph_authtool.cc +++ b/src/tools/ceph_authtool.cc @@ -68,7 +68,7 @@ int main(int argc, const char **argv) map caps; std::string fn; - int key_type = CEPH_CRYPTO_AES256KRB5; + int key_type = CryptoManager::get_key_type("recommended"); if (args.empty()) { cerr << argv[0] << ": -h or --help for usage" << std::endl;