From: Sage Weil
Date: Tue, 15 May 2012 03:13:40 +0000 (-0700)
Subject: mon: keep mon. secret in an external keyring
X-Git-Tag: v0.48argonaut~137^2~38^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=7be78101da85d8db9d2cd319beee7dbef2ecd7a7;p=ceph.git

mon: keep mon. secret in an external keyring

- Keep the mon. key in a separate keyring files, "keyring", in the mon data dir.
- During init, if we don't find that file, copy the key from the keyserver database.
- During mkfs, put the mon. key in that file, and remove it from the seed file that primes the auth database.

This will allow admins to change the mon. key without bringing the cluster online and doing something wonky.

Signed-off-by: Sage Weil
---
diff --git a/src/auth/KeyRing.h b/src/auth/KeyRing.h
index 4771ff22f634..6bf269150610 100644
--- a/src/auth/KeyRing.h
+++ b/src/auth/KeyRing.h
@@ -63,6 +63,9 @@ public:
   void add(const EntityName& name, EntityAuth &a) {
     keys[name] = a;
   }
+  void remove(const EntityName& name) {
+    keys.erase(name);
+  }
   void set_caps(EntityName& name, map& caps) {
     keys[name].caps = caps;
   }
diff --git a/src/auth/cephx/CephxKeyServer.h b/src/auth/cephx/CephxKeyServer.h
index fafeaa864875..2fc316d9f096 100644
--- a/src/auth/cephx/CephxKeyServer.h
+++ b/src/auth/cephx/CephxKeyServer.h
@@ -153,10 +153,6 @@ struct KeyServerData {
     }
   };
 
-  void bootstrap_keyring(KeyRing& keyring) {
-    secrets = keyring.get_keys();
-  }
-
   void apply_incremental(Incremental& inc) {
     switch (inc.op) {
     case AUTH_INC_ADD:
@@ -284,10 +280,6 @@ public:
   bool get_service_caps(const EntityName& name, uint32_t service_id, AuthCapsInfo& caps) const;
-  void bootstrap_keyring(KeyRing& keyring) {
-    data.bootstrap_keyring(keyring);
-  }
-
 };
 WRITE_CLASS_ENCODER(KeyServer);
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 91f65dab3968..054b1ad98d29 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -62,6 +62,7 @@
 #include "osd/OSDMap.h"
 #include "auth/AuthSupported.h"
+#include "auth/KeyRing.h"
 #include "common/config.h"
@@ -222,7 +223,7 @@ void Monitor::handle_signal(int signum)
   shutdown();
 }
-void Monitor::init()
+int Monitor::init()
 {
   lock.Lock();
@@ -296,13 +297,32 @@ void Monitor::init()
     KeyRing keyring;
     bufferlist::iterator p = bl.begin();
     ::decode(keyring, p);
-    key_server.bootstrap_keyring(keyring);
+    extract_save_mon_key(keyring);
+  }
+
+  ostringstream os;
+  os << g_conf->mon_data << "/keyring";
+  int r = keyring.load(cct, os.str());
+  if (r < 0) {
+    EntityName mon_name;
+    mon_name.set_type(CEPH_ENTITY_TYPE_MON);
+    EntityAuth mon_key;
+    if (key_server.get_auth(mon_name, mon_key)) {
+      dout(1) << "copying mon. key from old db to external keyring" << dendl;
+      keyring.add(mon_name, mon_key);
+      bufferlist bl;
+      keyring.encode_plaintext(bl);
+      store->put_bl_ss(bl, "keyring", NULL);
+    } else {
+      derr << "unable to load initial keyring " << g_conf->keyring << dendl;
+      return r;
+    }
   }
 
   admin_hook = new AdminHook(this);
   AdminSocket* admin_socket = cct->get_admin_socket();
-  int r = admin_socket->register_command("mon_status", admin_hook,
-                                          "show current monitor status");
+  r = admin_socket->register_command("mon_status", admin_hook,
+                                     "show current monitor status");
   assert(r == 0);
   r = admin_socket->register_command("quorum_status", admin_hook, "show current quorum status");
@@ -319,6 +339,7 @@ void Monitor::init()
   bootstrap();
   lock.Unlock();
+  return 0;
 }
 void Monitor::register_cluster_logger()
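Review bot: The new `return r;` in the `else` branch of Monitor::init exits with `lock` still held, because init takes `lock.Lock()` right after its opening brace (visible in the hunk above) and, as far as the visible hunks show, only releases it at the `lock.Unlock()` just before the new `return 0;`, so anything that later takes the monitor lock on this failure path would block. Unlock before leaving: `lock.Unlock(); return r;`. The `derr` on the line above reports `g_conf->keyring`, but the file that failed to load is the one built in `os`, so `derr << "unable to load initial keyring " << os.str() << dendl;` would name the right path. The local `KeyRing keyring;` in the seed-loading block also shadows the new `Monitor::keyring` member, so `extract_save_mon_key(keyring)` and `keyring.load(...)` a few lines apart refer to different objects; renaming the local (e.g. `seed`) would make that explicit. init's body begins and ends outside this hunk.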
@@ -1851,13 +1872,33 @@ int Monitor::mkfs(bufferlist& osdmapbl)
     derr << "unable to load initial keyring " << g_conf->keyring << dendl;
     return r;
   }
+
+  // put mon. key in external keyring; seed with everything else.
+  extract_save_mon_key(keyring);
+
   bufferlist keyringbl;
-  ::encode(keyring, keyringbl);
+  keyring.encode_plaintext(keyringbl);
   store->put_bl_ss(keyringbl, "mkfs", "keyring");
   return 0;
 }
 
+void Monitor::extract_save_mon_key(KeyRing& keyring)
+{
+  EntityName mon_name;
+  mon_name.set_type(CEPH_ENTITY_TYPE_MON);
+  EntityAuth mon_key;
+  if (keyring.get_auth(mon_name, mon_key)) {
+    dout(10) << "extract_save_mon_key moving mon. key to separate keyring" << dendl;
+    KeyRing pkey;
+    pkey.add(mon_name, mon_key);
+    bufferlist bl;
+    pkey.encode_plaintext(bl);
+    store->put_bl_ss(bl, "keyring", NULL);
+    keyring.remove(mon_name);
+  }
+}
+
 bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer, bool force_new)
 {
   dout(10) << "ms_get_authorizer for " << ceph_entity_type_name(service_id) << dendl;
diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h
index 55fc24241d98..888ff0dd290b 100644
--- a/src/mon/Monitor.h
+++ b/src/mon/Monitor.h
@@ -39,6 +39,7 @@
 #include "auth/cephx/CephxKeyServer.h"
 #include "auth/AuthSupported.h"
+#include "auth/KeyRing.h"
 #include "perfglue/heap_profiler.h"
@@ -111,6 +112,7 @@ public:
   MonMap *monmap;
   LogClient clog;
+  KeyRing keyring;
   KeyServer key_server;
   AuthSupported auth_supported;
@@ -339,11 +341,13 @@ public:
   bool ms_handle_reset(Connection *con);
   void ms_handle_remote_reset(Connection *con) {}
+  void extract_save_mon_key(KeyRing& keyring);
+
 public:
   Monitor(CephContext *cct_, string nm, MonitorStore *s, Messenger *m, MonMap *map);
   ~Monitor();
-  void init();
+  int init();
   void shutdown();
   void tick();
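Review bot: In the new `extract_save_mon_key` in the Monitor.cc mkfs hunk, `keyring.remove(mon_name)` runs whether or not `store->put_bl_ss(bl, "keyring", NULL)` succeeded, and the function returns void, so `mkfs` cannot notice a failed write; it then seeds the auth database from a keyring the mon. key has already been removed from, and no copy of the monitor's secret survives anywhere. If put_bl_ss reports failure through its return value (its declaration is not in this diff), return that status, drop the key from the seed only after a successful write, and check the result in mkfs the way the existing `if (r < 0)` does for the initial load; the declaration in Monitor.h becomes `int extract_save_mon_key(KeyRing& keyring);`. The parameter name `keyring` also shadows the new `Monitor::keyring` member, which is easy to misread next to init's use of the member; `seed` would be clearer.
```cpp
  // put mon. key in external keyring; seed with everything else.
  r = extract_save_mon_key(keyring);
  if (r < 0)
    return r;
  // … unchanged: seed keyring written to "mkfs"/"keyring" …

int Monitor::extract_save_mon_key(KeyRing& keyring)
{
  EntityName mon_name;
  mon_name.set_type(CEPH_ENTITY_TYPE_MON);
  EntityAuth mon_key;
  if (!keyring.get_auth(mon_name, mon_key))
    return 0;  // no mon. key in this keyring; nothing to move
  dout(10) << "extract_save_mon_key moving mon. key to separate keyring" << dendl;
  KeyRing pkey;
  pkey.add(mon_name, mon_key);
  bufferlist bl;
  pkey.encode_plaintext(bl);
  int r = store->put_bl_ss(bl, "keyring", NULL);
  if (r < 0) {
    derr << "extract_save_mon_key unable to write external keyring" << dendl;
    return r;  // leave the key in the seed rather than lose it
  }
  keyring.remove(mon_name);
  return 0;
}
```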