From 0fd0a28dec1e4c63f8c00ca222916dac90d12cd1 Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Sun, 26 Jun 2022 23:12:42 +0000
Subject: [PATCH] rgw/auth: Cache service tokens separately

This changes so that the service tokens is cached separately in it's own map and LRU list so that the cache cannot be poisioned and used to lookup an expired token.

Signed-off-by: Tobias Urdin
---
 src/rgw/rgw_auth_keystone.cc | 4 ++--
 src/rgw/rgw_keystone.cc | 34 ++++++++++++++++++++++++----------
 src/rgw/rgw_keystone.h | 18 +++++++++++++++---
 3 files changed, 41 insertions(+), 15 deletions(-)

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index d247ffabd91..b818325db9f 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -254,7 +254,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 ldpp_dout(dpp, 20) << "service_token_id=" << service_token_id << dendl;
 /* Check cache for service token first. */
- st = token_cache.find(service_token_id);
+ st = token_cache.find_service(service_token_id);
 if (st) {
 ldpp_dout(dpp, 20) << "cached service_token.project.id=" << st->get_project_id() << dendl;
@@ -293,7 +293,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 << " is valid, role: " << role << dendl;
 allow_expired = true;
- token_cache.add(service_token_id, *st);
+ token_cache.add_service(service_token_id, *st);
 break;
 }
 }
diff --git a/src/rgw/rgw_keystone.cc b/src/rgw/rgw_keystone.cc
index 15033aee261..2df417bd0e7 100644
--- a/src/rgw/rgw_keystone.cc
+++ b/src/rgw/rgw_keystone.cc
@@ -379,11 +379,18 @@ bool TokenCache::find(const std::string& token_id,
 rgw::keystone::TokenEnvelope& token)
 {
 std::lock_guard l{lock};
- return find_locked(token_id, token);
+ return find_locked(token_id, token, tokens, tokens_lru);
 }
-bool TokenCache::find_locked(const std::string& token_id,
- rgw::keystone::TokenEnvelope& token)
+bool TokenCache::find_service(const std::string& token_id,
+ rgw::keystone::TokenEnvelope& token)
+{
+ std::lock_guard l{lock};
+ return find_locked(token_id, token, service_tokens, service_tokens_lru);
+}
+
+bool TokenCache::find_locked(const std::string& token_id, rgw::keystone::TokenEnvelope& token,
+ std::map& tokens, std::list& tokens_lru)
 {
 ceph_assert(ceph_mutex_is_locked_by_me(lock));
 map::iterator iter = tokens.find(token_id);
@@ -414,25 +421,32 @@ bool TokenCache::find_admin(rgw::keystone::TokenEnvelope& token)
 {
 std::lock_guard l{lock};
- return find_locked(admin_token_id, token);
+ return find_locked(admin_token_id, token, tokens, tokens_lru);
 }
 bool TokenCache::find_barbican(rgw::keystone::TokenEnvelope& token)
 {
 std::lock_guard l{lock};
- return find_locked(barbican_token_id, token);
+ return find_locked(barbican_token_id, token, tokens, tokens_lru);
 }
 void TokenCache::add(const std::string& token_id,
 const rgw::keystone::TokenEnvelope& token)
 {
 std::lock_guard l{lock};
- add_locked(token_id, token);
+ add_locked(token_id, token, tokens, tokens_lru);
+}
+
+void TokenCache::add_service(const std::string& token_id,
+ const rgw::keystone::TokenEnvelope& token)
+{
+ std::lock_guard l{lock};
+ add_locked(token_id, token, service_tokens, service_tokens_lru);
 }
-void TokenCache::add_locked(const std::string& token_id,
- const rgw::keystone::TokenEnvelope& token)
+void TokenCache::add_locked(const std::string& token_id, const rgw::keystone::TokenEnvelope& token,
+ std::map& tokens, std::list& tokens_lru)
 {
 ceph_assert(ceph_mutex_is_locked_by_me(lock));
 map::iterator iter = tokens.find(token_id);
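Review bot: The new reference parameters of `find_locked` are named `tokens` and `tokens_lru`, identical to the `TokenCache` members they stand in for, so every use inside the body binds to the parameter only by shadowing; the same holds for `add_locked` in the next hunk and for both private declarations in rgw_keystone.h. That is correct today, but a later edit that means the member inside either body will silently get the parameter (or the reverse, once one is renamed), and `-Wshadow` will flag all four signatures. Consider distinct names such as `cache` and `cache_lru` for the two references, with the bodies updated to match. The bodies of `find_locked` and `add_locked` continue below their hunks, so the uses of the parameters cannot be checked from here.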
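Review bot: `add_locked` now inserts into whichever map and LRU list the caller hands it, but the body that applies the cache size limit lies past the end of the hunk; if, as it appears, that limit is checked against the supplied `tokens_lru` alone, it now applies to `tokens_lru` and `service_tokens_lru` independently, so the cache can hold up to twice `rgw_keystone_token_cache_size` entries in total. If that is intended it deserves a comment on the two new members, e.g. `// user and service tokens are bounded by the cache size limit separately`; otherwise the eviction step should account for both lists.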
@@ -460,7 +474,7 @@ void TokenCache::add_admin(const rgw::keystone::TokenEnvelope& token)
 std::lock_guard l{lock};
 rgw_get_token_id(token.token.id, admin_token_id);
- add_locked(admin_token_id, token);
+ add_locked(admin_token_id, token, tokens, tokens_lru);
 }
 void TokenCache::add_barbican(const rgw::keystone::TokenEnvelope& token)
@@ -468,7 +482,7 @@ void TokenCache::add_barbican(const rgw::keystone::TokenEnvelope& token)
 std::lock_guard l{lock};
 rgw_get_token_id(token.token.id, barbican_token_id);
- add_locked(barbican_token_id, token);
+ add_locked(barbican_token_id, token, tokens, tokens_lru);
 }
 void TokenCache::invalidate(const DoutPrefixProvider *dpp, const std::string& token_id)
diff --git a/src/rgw/rgw_keystone.h b/src/rgw/rgw_keystone.h
index ff79c07f9f0..9a18d8de8c0 100644
--- a/src/rgw/rgw_keystone.h
+++ b/src/rgw/rgw_keystone.h
@@ -219,7 +219,9 @@ class TokenCache {
 std::string admin_token_id;
 std::string barbican_token_id;
 std::map tokens;
+ std::map service_tokens;
 std::list tokens_lru;
+ std::list service_tokens_lru;
 ceph::mutex lock = ceph::make_mutex("rgw::keystone::TokenCache");
@@ -249,6 +251,7 @@ public:
 }
 bool find(const std::string& token_id, TokenEnvelope& token);
+ bool find_service(const std::string& token_id, TokenEnvelope& token);
 boost::optional find(const std::string& token_id) {
 TokenEnvelope token_envlp;
 if (find(token_id, token_envlp)) {
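Review bot: `invalidate()` appears only as the context line closing this hunk and is not changed by the patch, so it presumably still erases from `tokens` and `tokens_lru` alone; an entry placed in `service_tokens` can then only leave the cache through LRU eviction or by failing the expiry check in `find_locked`, and any revocation-driven call to `invalidate()` will not reach it. Either extend `invalidate()` to erase the id from both maps (its body is not shown, so the exact lines cannot be quoted here) or state on `add_service` that service-token entries are never invalidated early. `invalidate` itself starts at the last line of the hunk and its body is outside it.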
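Review bot: The new members `service_tokens` and `service_tokens_lru` carry no comment, and the reason for a second map, that a user token cached in `tokens` must never satisfy a service-token lookup and vice versa, is recorded only in the commit message. A short comment above the two declarations, `// Service tokens are kept in their own map and LRU list so that an entry cached by add() can never be returned by find_service(), and vice versa.`, would keep that rationale next to the data it protects.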
@@ -256,17 +259,26 @@ public:
 }
 return boost::none;
 }
+ boost::optional find_service(const std::string& token_id) {
+ TokenEnvelope token_envlp;
+ if (find_service(token_id, token_envlp)) {
+ return token_envlp;
+ }
+ return boost::none;
+ }
 bool find_admin(TokenEnvelope& token);
 bool find_barbican(TokenEnvelope& token);
 void add(const std::string& token_id, const TokenEnvelope& token);
+ void add_service(const std::string& token_id, const TokenEnvelope& token);
 void add_admin(const TokenEnvelope& token);
 void add_barbican(const TokenEnvelope& token);
 void invalidate(const DoutPrefixProvider *dpp, const std::string& token_id);
 bool going_down() const;
 private:
- void add_locked(const std::string& token_id, const TokenEnvelope& token);
- bool find_locked(const std::string& token_id, TokenEnvelope& token);
-
+ void add_locked(const std::string& token_id, const TokenEnvelope& token,
+ std::map& tokens, std::list& tokens_lru);
+ bool find_locked(const std::string& token_id, TokenEnvelope& token,
+ std::map& tokens, std::list& tokens_lru);
 };
-- 
2.47.3
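Review bot: The `boost::optional` overload of `find_service` is a line-for-line copy of the `find` wrapper directly above it, and neither new public entry point says which map it consults, so a reader of the header cannot tell that the two caches are disjoint. A one-line comment on each would make that part of the contract, e.g. `/// Look up a cached service token; never consults the user-token map.` on `find_service` and `/// Cache a validated service token; entries are invisible to find(), find_admin() and find_barbican().` on `add_service`. If more wrappers of this shape are expected, the two optional-returning bodies could also share one private helper, but that is optional.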