From: Patrick Donnelly Date: Wed, 26 Mar 2025 02:05:09 +0000 (-0400) Subject: tools/ceph_authtool: allow configuring a preferred cipher X-Git-Tag: testing/wip-pdonnell-testing-20260126.152838~69 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c84e142a5ee7d10506cf2d787f7d0349fd02ecf6;p=ceph-ci.git tools/ceph_authtool: allow configuring a preferred cipher This makes testing easier as we can configure all keys in the cluster to be the given "old" type without modifying each location that ceph-authtool is used. Signed-off-by: Patrick Donnelly --- diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in index 454b3d95f66..24784139a3a 100644 --- a/src/common/options/global.yaml.in +++ b/src/common/options/global.yaml.in @@ -2267,6 +2267,13 @@ options: fmt_desc: If the Ceph version supports message signing, Ceph will sign all messages so they are more difficult to spoof. with_legacy: true +- name: cephx_preferred_cipher + type: str + level: dev + desc: preferred cipher to use for new authentication keys + default: recommended + flags: + - runtime - name: cephx_allowed_ciphers type: str level: advanced diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc index a0e311c1ec2..e6be4f85e43 100644 --- a/src/tools/ceph_authtool.cc +++ b/src/tools/ceph_authtool.cc @@ -68,7 +68,7 @@ int main(int argc, const char **argv) map caps; std::string fn; - int key_type = CryptoManager::get_key_type("recommended"); + int key_type = -1; if (args.empty()) { cerr << argv[0] << ": -h or --help for usage" << std::endl; 
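Review bot: The new `cephx_preferred_cipher` entry in global.yaml.in documents neither the accepted values nor its effect on key strength; its `desc` says only "preferred cipher to use for new authentication keys". The commit message says the option exists to force keys to an "old" type for testing, so a `long_desc` should state that non-default values select older key types and are meant for test clusters. Adding `see_also: [cephx_allowed_ciphers]` would point readers at the neighbouring option. Whether the preferred value is checked against `cephx_allowed_ciphers` is not visible in this hunk, so the text should say which setting wins when they disagree.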
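Review bot: `int key_type = -1;` in ceph_authtool.cc turns -1 into a sentinel for "no key type chosen on the command line", but nothing at the declaration says so, and every negative value now triggers the configuration fallback later in main(). If the argument parsing outside this hunk can also leave a negative value for an unrecognised name (not visible here), a mistyped explicit choice would be silently replaced by `cephx_preferred_cipher` instead of being rejected. A comment such as `// -1 = not set on the command line; resolved from cephx_preferred_cipher after config init` would document the sentinel. The parsing path is worth checking for that case. main() starts and continues outside the hunk.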
@@ -177,6 +177,12 @@ int main(int argc, const char **argv) common_init_finish(g_ceph_context); EntityName ename(g_conf()->name); + if (key_type < 0) { + auto cephx_preferred_cipher = g_conf().get_val("cephx_preferred_cipher"); + cerr << "using key type: " << cephx_preferred_cipher << std::endl; + key_type = CryptoManager::get_key_type(cephx_preferred_cipher); + } + // Enforce the use of gen-key or add-key when creating to avoid ending up // with an "empty" key (key = AAAAAAAAAAAAAAAA) if (create_keyring && !gen_key && add_key.empty() && !caps.empty()) {
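Review bot: The value returned by `CryptoManager::get_key_type(cephx_preferred_cipher)` is stored without a check, so a misspelled or unsupported name in the configuration is carried into key generation. The `key_type < 0` guard suggests negative results mean "unknown"; if so, the block should fail closed right after the assignment, e.g. `if (key_type < 0) { cerr << "unknown cephx_preferred_cipher: " << cephx_preferred_cipher << std::endl; return 1; }`. The `cerr << "using key type: "` line also runs on every invocation that passes no explicit type, including ones that may never generate a key. It prints the configured string rather than the resolved type, so it would be more useful as an audit trail if emitted only where a key is created. main() continues outside the hunk, so the later uses of `key_type` are not visible here.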