From: Patrick Donnelly Date: Fri, 9 May 2025 18:52:52 +0000 (-0400) Subject: auth: add API to invalidate all tickets X-Git-Tag: testing/wip-pdonnell-testing-20260126.152838~95 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a238bb11a07b00bce7e63b1f4fbd1ce3d44fdd29;p=ceph-ci.git auth: add API to invalidate all tickets This will prompt the client to request new ones from the auth server. Signed-off-by: Patrick Donnelly --- diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h index 60657cece7a..a02cf72bee9 100644 --- a/src/auth/AuthClientHandler.h +++ b/src/auth/AuthClientHandler.h @@ -63,6 +63,8 @@ public: virtual bool need_tickets() = 0; + virtual void invalidate_all_tickets() {} // FIXME = 0 + virtual void set_global_id(uint64_t id) = 0; static AuthClientHandler* create(CephContext* cct, int proto, RotatingKeyRing* rkeys); diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index 968258502ab..73486bdebc7 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc @@ -332,3 +332,8 @@ bool CephxClientHandler::need_tickets() return _need_tickets(); } + +void CephxClientHandler::invalidate_all_tickets() +{ + tickets.invalidate_all_tickets(); +} diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h index 02539fbadae..c71d403837a 100644 --- a/src/auth/cephx/CephxClientHandler.h +++ b/src/auth/cephx/CephxClientHandler.h @@ -67,6 +67,8 @@ public: bool need_tickets() override; + void invalidate_all_tickets() override; + void set_global_id(uint64_t id) override { global_id = id; tickets.global_id = id; diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index 797ff4dadcd..683a9a71613 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc 
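Review bot: The default added to `AuthClientHandler` is an empty body, so any derived handler that does not override `invalidate_all_tickets()` silently ignores the request. A caller that relies on it to force re-authentication then gets no indication that nothing happened. The `// FIXME = 0` suggests the intent is a pure virtual: either make it `virtual void invalidate_all_tickets() = 0;` and implement it in every derived handler in this commit, or keep the default and replace the FIXME with the contract, e.g. `// No-op by default: handlers that hold no tickets have nothing to invalidate.` The rest of the class and its other subclasses are outside the hunk, so which handlers are affected cannot be seen here.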
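Review bot: `CephxClientHandler::invalidate_all_tickets()` mutates `tickets` with no synchronization visible in the hunk and no comment stating its contract. If `tickets` is protected by a lock the caller already holds, say so above the definition. Also state that the call only marks tickets invalid and that new ones are requested later, for example `// Caller must hold the lock guarding this handler; tickets are only marked invalid here and are re-requested on a later need_tickets() check.` The locking and the renewal path are outside the hunk, so that wording needs checking against what the class actually does.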
@@ -292,6 +292,15 @@ void CephXTicketManager::invalidate_ticket(uint32_t service_id) iter->second.invalidate_ticket(); } +void CephXTicketManager::invalidate_all_tickets() +{ + ldout(cct, 10) << __func__ << dendl; + for ([[maybe_unused]] auto &[service_id, ticket] : tickets_map) { + ticket.invalidate_ticket(); + } +} + + /* * PRINCIPAL: verify our attempt to authenticate succeeded. fill out * this ServiceTicket with the result. diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 914ed3aa336..500d93c90cb 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -427,6 +427,7 @@ struct CephXTicketManager { void set_have_need_key(uint32_t service_id, uint32_t& have, uint32_t& need); void validate_tickets(uint32_t mask, uint32_t& have, uint32_t& need); void invalidate_ticket(uint32_t service_id); + void invalidate_all_tickets(); private: CephContext *cct;
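Review bot: In `CephXTicketManager::invalidate_all_tickets()` the level-10 log line records only the function name, so a forced re-authentication leaves no trace of how many tickets were invalidated. Assuming `tickets_map` is a standard map, the log could be `ldout(cct, 10) << __func__ << " count=" << tickets_map.size() << dendl;`. The structured binding also names `service_id` only to silence it with `[[maybe_unused]]`; `for (auto& entry : tickets_map) entry.second.invalidate_ticket();` drops the attribute and matches the `iter->second.invalidate_ticket()` form in the function just above. The hunk also adds two blank lines after the new function where one would match the surrounding spacing.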