From: Zac Dover
Date: Sat, 23 Sep 2023 02:26:18 +0000 (+1000)
Subject: doc/architecture: "Edit HA Auth"
X-Git-Tag: v17.2.7~125^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=7f253f969d01aff911285aeebe70e753c90df3c9;p=ceph.git

doc/architecture: "Edit HA Auth"

Rewrite the explanation of how a client authenticates against a monitor.

This is a rewrite of a single paragraph, and has been set apart in its own PR so that it can receive the maximum amount of scrutiny that the upstream Ceph community can muster.

Co-authored-by: Anthony D'Atri
Signed-off-by: Zac Dover
(cherry picked from commit c71cd84ec9e579ba0913c4952570bba6082e03b5)
---

diff --git a/doc/architecture.rst b/doc/architecture.rst
index e5c3b23568feb..a9253d669788c 100644
--- a/doc/architecture.rst
+++ b/doc/architecture.rst
@@ -278,16 +278,16 @@ the client and the monitor share a secret key. | transmit key | | | -To authenticate with the monitor, the client passes in the user name to the -monitor, and the monitor generates a session key and encrypts it with the secret -key associated to the user name. Then, the monitor transmits the encrypted -ticket back to the client. The client then decrypts the payload with the shared -secret key to retrieve the session key. The session key identifies the user for -the current session. The client then requests a ticket on behalf of the user -signed by the session key. The monitor generates a ticket, encrypts it with the -user's secret key and transmits it back to the client. The client decrypts the -ticket and uses it to sign requests to OSDs and metadata servers throughout the -cluster. +Here is how a client authenticates with a monitor. The client passes the user +name to the monitor. The monitor generates a session key that is encrypted with +the secret key associated with the ``username``. The monitor transmits the +encrypted ticket to the client. The client uses the shared secret key to +decrypt the payload. The session key identifies the user, and this act of +identification will last for the duration of the session. The client requests +a ticket for the user, and the ticket is signed with the session key. The +monitor generates a ticket and uses the user's secret key to encrypt it. The +encrypted ticket is transmitted to the client. The client decrypts the ticket +and uses it to sign requests to OSDs and to metadata servers in the cluster. .. ditaa::
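Review bot: the rewritten paragraph refers to the same thing as "user name" in its second sentence and as the literal ``username`` in its third; pick one, and since this is not a code identifier, "user name" (the form the removed text used throughout) reads better and keeps the literal markup for actual identifiers. Two further wording problems in the same hunk: the monitor "generates a session key" and the next sentence has it "transmit the encrypted ticket" with nothing saying what the ticket is or that it carries the session key, so either write "transmits the encrypted session key" or say explicitly that the encrypted session key is delivered in a ticket; and "The client requests a ticket for the user, and the ticket is signed with the session key" is ambiguous about what is signed, whereas the removed text ("requests a ticket on behalf of the user signed by the session key") meant that the request is signed with the session key, which is how the session key does the identifying that the preceding sentence describes. Suggest "The client then uses the session key to sign a request for a ticket on behalf of the user." Minor: "this act of identification will last for the duration of the session" can be shortened to "for the current session", as in the removed text.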