From: Yehuda Sadeh Date: Fri, 7 Mar 2025 21:35:36 +0000 (-0500) Subject: cephx: add configurable to set allowed ciphers X-Git-Tag: testing/wip-pdonnell-testing-20260126.152838~112 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ec3383de363907c88e2212ebb7ef10486ad92d68;p=ceph-ci.git cephx: add configurable to set allowed ciphers cephx allowed ciphers: a list of ciphers that sets what type of keys are allowed to be used to authenticate Signed-off-by: Yehuda Sadeh
---
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index 8c349c89e6c..0a4aba5f3f7 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -18,6 +18,8 @@
 #include "CephxProtocol.h"
 #include "CephxKeyServer.h"
 #include
+#include
+#include
 
 #include "include/random.h"
 #include "common/Clock.h" // for ceph_clock_now()
@@ -31,11 +33,46 @@
 using std::dec;
 using std::hex;
 using std::vector;
+using namespace std::literals;
 
 using ceph::bufferlist;
 using ceph::decode;
 using ceph::encode;
 
+CephxServiceHandler::CephxServiceHandler(CephContext *cct_, KeyServer *ks)
+ : AuthServiceHandler(cct_), key_server(ks), server_challenge(0) {
+ cct->_conf.add_observer(this);
+ init_conf(cct->_conf);
+}
+
+std::vector CephxServiceHandler::get_tracked_keys() const noexcept
+{
+ return {
+ "cephx_allowed_ciphers"s
+ };
+}
+
+void CephxServiceHandler::init_conf(const ConfigProxy& conf) {
+ std::unique_lock wl(lock);
+ auto s = conf.get_val("cephx_allowed_ciphers");
+
+ std::vector v;
+ get_str_vec(s, ", ", v);
+
+ for (auto& cipher : v) {
+ int cipher_type = CryptoManager::get_key_type(cipher);
+ if (cipher_type > 0) {
+ allowed_ciphers.insert(cipher_type);
+ }
+ }
+}
+
+bool CephxServiceHandler::cipher_is_allowed(int cipher)
+{
+ std::shared_lock rl(lock);
+ return (allowed_ciphers.find(cipher) != allowed_ciphers.end());
+}
+
 int CephxServiceHandler::do_start_session(
 bool is_new_global_id,
 bufferlist *result_bl,
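Review bot: `init_conf()` only ever inserts into `allowed_ciphers`, so when `handle_conf_change()` re-runs it after a runtime change, a cipher that was removed from `cephx_allowed_ciphers` stays in the set and `cipher_is_allowed()` keeps accepting it. Since the option exists to restrict key types, the set should be rebuilt on every call, for example `allowed_ciphers.clear();` right after taking `wl`, or by filling a local set and swapping it in under the lock. Names for which `CryptoManager::get_key_type()` returns a value <= 0 are dropped silently; a log line per ignored name would let an operator spot a typo before it locks clients out.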
@@ -178,6 +215,12 @@ int CephxServiceHandler::handle_request(
 break;
 }
 
+ if (!cipher_is_allowed(eauth.key.get_type())) {
+ ldout(cct, 20) << __func__ << " authentication failed due to unallowed cipher type: " << eauth.key.get_type() << dendl;
+ ret = -EACCES;
+ break;
+ }
+
 if (!server_challenge) {
 ret = -EACCES;
 break;
diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h
index 6018e7ef77e..2857130c163 100644
--- a/src/auth/cephx/CephxServiceHandler.h
+++ b/src/auth/cephx/CephxServiceHandler.h
@@ -19,17 +19,22 @@
 #include "auth/AuthServiceHandler.h"
 #include "auth/Auth.h"
 
+#include "common/ceph_mutex.h"
+#include "common/config_obs.h"
+
 class KeyServer;
 struct CephXAuthenticate;
 struct CephXServiceTicketInfo;
 
-class CephxServiceHandler : public AuthServiceHandler {
+class CephxServiceHandler : public AuthServiceHandler, md_config_obs_t {
 KeyServer *key_server;
 uint64_t server_challenge;
 
+ std::set allowed_ciphers;
+ ceph::shared_mutex lock = ceph::make_shared_mutex("CephxServiceHandler::lock");
+
 public:
- CephxServiceHandler(CephContext *cct_, KeyServer *ks)
- : AuthServiceHandler(cct_), key_server(ks), server_challenge(0) {}
+ CephxServiceHandler(CephContext *cct_, KeyServer *ks);
 ~CephxServiceHandler() override {}
 
 int handle_request(
@@ -50,6 +55,16 @@ private:
 bool& should_enc_ticket);
 void build_cephx_response_header(int request_type, int status,
 ceph::buffer::list& bl);
+
+ std::vector get_tracked_keys() const noexcept override;
+
+ void init_conf(const ConfigProxy& conf);
+ void handle_conf_change(const ConfigProxy& conf,
+ const std::set &changed) override {
+ init_conf(conf);
+ }
+
+ bool cipher_is_allowed(int type);
 };
 
 #endif
diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index 1ba5ae783ac..c84c568206e 100644
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
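Review bot: The rejection added to `handle_request()` is logged with `ldout(cct, 20)`, so at default debug levels an operator gets no trace of why a client was refused with `-EACCES` after `cephx_allowed_ciphers` was tightened. A policy denial deserves a low log level and a message that names the option, e.g. `ldout(cct, 1) << __func__ << " rejecting key type " << eauth.key.get_type() << ": not in cephx_allowed_ciphers" << dendl;`, plus the entity name if it is in scope here (not visible in the hunk). The body of `handle_request()` starts and ends outside this hunk, so whether other request types that rely on a key pass through the same check cannot be confirmed from here.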
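Review bot: The new constructor registers the handler with `cct->_conf.add_observer(this)`, but the destructor shown as unchanged context in CephxServiceHandler.h is still `~CephxServiceHandler() override {}`, so nothing deregisters it. If handlers are destroyed while the `CephContext` lives on (they look per-session, which this diff does not confirm), the config proxy keeps a dangling `md_config_obs_t*` that the next config change would call into. The destructor should become `~CephxServiceHandler() override { cct->_conf.remove_observer(this); }`. A comment on `lock` stating that it guards `allowed_ciphers` would also help the next reader.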
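Review bot: `cipher_is_allowed(int type)` is declared with a parameter named `type` while the definition in CephxServiceHandler.cc names it `cipher`, and the method is non-const although it only reads the set under a shared lock. Consider `bool cipher_is_allowed(int cipher_type) const;` with `lock` declared `mutable`, and a one-line comment saying the argument is a key-type id as returned by `CryptoManager::get_key_type()`. `handle_conf_change()` ignores `changed`, which is fine while a single key is tracked but merits a short comment. The class body starts outside this hunk.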
@@ -2277,6 +2277,17 @@ options: fmt_desc: If the Ceph version supports message signing, Ceph will sign all messages so they are more difficult to spoof. with_legacy: true +- name: cephx_allowed_ciphers + type: str + level: advanced + desc: list of allowed ciphers in cephx authentication + fmt_desc: This can be used to enable/disable specific key types + that are being used for connecting different entities to the + cluster. + default: aes, aes256k + with_legacy: false + flags: + - runtime - name: auth_mon_ticket_ttl type: float level: advanced
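Review bot: The `desc` and `fmt_desc` of `cephx_allowed_ciphers` do not say how the value is parsed or what happens when it is wrong. Going by `init_conf()` in this commit, the string is split on commas and spaces, names that `CryptoManager::get_key_type()` does not recognise are skipped, and a value with no valid name leaves the allow-list empty, so every cephx authentication checked against it is refused. Suggest saying so in `fmt_desc`, e.g. `Comma- or space-separated list of key types (for example "aes, aes256k"); unknown names are ignored, and a list with no valid name rejects all cephx authentication.`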