From: Sage Weil
Date: Mon, 25 Oct 2021 18:26:05 +0000 (-0400)
Subject: mon/MonClient: add 'rotate-key' asok command
X-Git-Tag: v18.0.0~39^2~18
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5cf7944d36190a45ab27aec779593bf47a71be1b;p=ceph.git

mon/MonClient: add 'rotate-key' asok command

Rotate the live auth key for a running daemon without restarting.

Signed-off-by: Sage Weil
---

diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 53c2e16174db..39fbf44883c4 100644
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -517,12 +517,20 @@ int MonClient::init()
   timer.init();
   schedule_tick();
 
+  cct->get_admin_socket()->register_command(
+    "rotate-key",
+    this,
+    "rotate live authentication key");
+
   return 0;
 }
 
 void MonClient::shutdown()
 {
   ldout(cct, 10) << __func__ << dendl;
+
+  cct->get_admin_socket()->unregister_commands(this);
+
   monc_lock.lock();
   stopping = true;
   while (!version_requests.empty()) {
@@ -603,6 +611,33 @@ int MonClient::authenticate(double timeout)
   return authenticate_err;
 }
 
+int MonClient::call(
+  std::string_view command,
+  const cmdmap_t& cmdmap,
+  const ceph::buffer::list &inbl,
+  ceph::Formatter *f,
+  std::ostream& errss,
+  ceph::buffer::list& out)
+{
+  if (command == "rotate-key") {
+    CryptoKey key;
+    try {
+      key.decode_base64(inbl.to_str());
+    } catch (buffer::error& e) {
+      errss << "error decoding key: " << e.what();
+      return -EINVAL;
+    }
+    if (keyring) {
+      ldout(cct, 1) << "rotate live key for " << entity_name << dendl;
+      keyring->add(entity_name, key);
+    } else {
+      errss << "cephx not enabled; no key to rotate";
+      return -EINVAL;
+    }
+  }
+  return 0;
+}
+
 void MonClient::handle_auth(MAuthReply *m)
 {
   ceph_assert(ceph_mutex_is_locked(monc_lock));
diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h
index de6bba574ff1..b72bf1f65749 100644
--- a/src/mon/MonClient.h
+++ b/src/mon/MonClient.h
@@ -27,6 +27,7 @@
 #include "MonMap.h"
 #include "MonSub.h"
 
+#include "common/admin_socket.h"
 #include "common/async/completion.h"
 #include "common/Timer.h"
 #include "common/config.h"
@@ -269,7 +270,8 @@ const boost::system::error_category& monc_category() noexcept;
 
 class MonClient : public Dispatcher,
                   public AuthClient,
-                  public AuthServer /* for mgr, osd, mds */ {
+                  public AuthServer, /* for mgr, osd, mds */
+                  public AdminSocketHook {
   static constexpr auto dout_subsys = ceph_subsys_monc;
 public:
   // Error, Newest, Oldest
@@ -315,6 +317,14 @@ private:
 
   void handle_auth(MAuthReply *m);
 
+  int call(
+    std::string_view command,
+    const cmdmap_t& cmdmap,
+    const ceph::buffer::list &inbl,
+    ceph::Formatter *f,
+    std::ostream& errss,
+    ceph::buffer::list& out) override;
+
   // monitor session
   utime_t last_keepalive;
   utime_t last_send_log;
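Review bot: The help text registered for `rotate-key` does not say where the new key comes from, although `call()` reads it from the command's input payload (`inbl`) rather than from a named argument, so an operator cannot discover the calling convention from `help`. Suggest `"rotate live authentication key (base64 key is read from the command input)"` as the third argument to `register_command`. The `unregister_commands(this)` in `shutdown()` is deliberately placed before `monc_lock.lock()`; if, as elsewhere in Ceph, unregistering waits for in-flight hooks, that ordering is what keeps a hook that takes `monc_lock` from deadlocking against shutdown, and deserves a one-line comment such as `// unregister before taking monc_lock: unregister_commands waits for in-flight hooks`. Both `init()` and `shutdown()` start outside the hunk.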
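Review bot: `keyring->add(entity_name, key)` mutates the client's keyring from the admin-socket thread without holding `monc_lock`, while the auth path in this file runs under that lock (the hunk's trailing context asserts it in `handle_auth`); if the cephx handler reads the keyring during a handshake or ticket renewal, this is an unsynchronized concurrent write. Take the lock around the check-and-add, `std::lock_guard l(monc_lock);` immediately before `if (keyring) {`, which looks safe here because `shutdown()` unregisters the hook before it takes `monc_lock`. It is also worth documenting that the new key is not verified against the monitors: it only takes effect on the next authentication, so a wrong key is discovered when the daemon next (re)authenticates and fails, e.g. `// NOTE: key is not validated here; a bad key breaks the next mon handshake`. The trust boundary is write access to the admin socket, which already grants configuration-level control of the daemon, so no authorization beyond the socket's permissions is implied by this command.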
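Review bot: The `call` override is declared with no comment saying which admin-socket commands it serves or what it expects in `inbl`, and its placement under `private:` next to the message handlers gives no hint that it is the `AdminSocketHook` entry point. Suggest a comment above it, `// AdminSocketHook entry point: serves the 'rotate-key' asok command; the new key is passed base64-encoded in inbl.` The enclosing class body continues outside the hunk.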