From: Patrick Donnelly Date: Tue, 18 Jun 2024 17:31:14 +0000 (-0400) Subject: mon/AuthMonitor: add `ceph auth rotate` command X-Git-Tag: testing/wip-vshankar-testing-20250618.062526-reef-debug~30^2~3 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=c642834e0194867f89e61d177e1ccd06ce6d1018;p=ceph-ci.git mon/AuthMonitor: add `ceph auth rotate` command Add command to rotate the permanent key of an entity. This avoids the need to delete / recreate the key when it is compromised, lost, or just scheduled for rotation. Fixes: https://tracker.ceph.com/issues/66509 Signed-off-by: Patrick Donnelly (cherry picked from commit d57326fce6d78e4b92e318ce933ca39bf8e8fcc4) Conflicts: src/mon/AuthMonitor.cc: _encode_auth not in reef --- diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index 88627a81715..4a0a1e44640 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -869,6 +869,7 @@ bool AuthMonitor::preprocess_command(MonOpRequestRef op) string prefix; cmd_getval(cmdmap, "prefix", prefix); if (prefix == "auth add" || + prefix == "auth rotate" || prefix == "auth del" || prefix == "auth rm" || prefix == "auth get-or-create" || 
@@ -1916,6 +1917,40 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) wait_for_commit(op, new Monitor::C_Command(mon, op, 0, rs, get_last_committed() + 1)); return true; + } else if (prefix == "auth rotate") { + if (entity_name.empty()) { + ss << "bad entity name"; + err = -EINVAL; + goto done; + } + + EntityAuth entity_auth; + if (!mon.key_server.get_auth(entity, entity_auth)) { + ss << "entity does not exist"; + err = -ENOENT; + goto done; + } + + entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES); + + KeyServerData::Incremental auth_inc; + auth_inc.op = KeyServerData::AUTH_INC_ADD; + auth_inc.name = entity; + auth_inc.auth = entity_auth; + push_cephx_inc(auth_inc); + + { + KeyRing kr; + kr.add(entity, entity_auth); + if (f) { + kr.encode_formatted("auth", f.get(), rdata); + } else { + kr.encode_plaintext(rdata); + } + } + wait_for_commit(op, new Monitor::C_Command(mon, op, 0, rs, rdata, + get_last_committed() + 1)); + return true; } done: rdata.append(ds); diff --git a/src/mon/MonCommands.h b/src/mon/MonCommands.h index 662527de104..527607ed2bd 100644 --- a/src/mon/MonCommands.h +++ b/src/mon/MonCommands.h @@ -163,6 +163,10 @@ COMMAND("auth add " "add auth info for from input file, or random key if no " "input is given, and/or any caps specified in the command", "auth", "rwx") +COMMAND("auth rotate " + "name=entity,type=CephString", + "rotate entity key", + "auth", "rwx") COMMAND("auth get-or-create-key " "name=entity,type=CephString " "name=caps,type=CephString,n=N,req=false",
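Review bot: The return value of `entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES)` in the new `auth rotate` branch is discarded, so if key generation fails the branch still pushes an `AUTH_INC_ADD` carrying whatever `key` holds at that point (the previous secret fetched by `get_auth`, or partially updated state) and returns that material to the caller as the "new" key. In the tree I know `CryptoKey::create` returns an int, so the guard would be `int r = entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);` followed by `if (r < 0) { ss << "failed to generate new key"; err = r; goto done; }`, matching how the other branches of this function report errors; the existing `auth add`/`get-or-create` paths may have the same omission, which is not a reason to repeat it on a command meant for responding to a compromised key. Separately, the help string "rotate entity key" says nothing about tickets already issued under the old key; unless they are revoked elsewhere (not visible here), a client holding a valid ticket keeps working until it expires, which is worth stating in the help text or docs given the compromised-key case the commit message cites. prepare_command begins before and ends after this hunk.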