From 27281f9792b88086ed641943418b75a3e4136032 Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Wed, 7 Oct 2009 15:00:55 -0700 Subject: [PATCH] auth: fix several issues with system init --- src/auth/AuthClientHandler.cc | 6 ++---- src/auth/AuthClientHandler.h | 18 +++++++++++------- src/auth/AuthServiceManager.cc | 6 +++++- src/auth/KeysServer.cc | 23 ++++++++++++----------- src/auth/KeysServer.h | 20 ++++---------------- src/librados.cc | 12 ++++++++---- src/mon/AuthMonitor.cc | 7 ++++++- src/mon/MonClient.cc | 3 +++ src/mon/MonClient.h | 4 ++++ src/mon/Paxos.h | 1 - src/msg/SimpleMessenger.cc | 7 ++++++- src/osd/OSD.cc | 8 +++++++- 12 files changed, 68 insertions(+), 47 deletions(-) diff --git a/src/auth/AuthClientHandler.cc b/src/auth/AuthClientHandler.cc index 777c216013fab..405855fc314ac 100644 --- a/src/auth/AuthClientHandler.cc +++ b/src/auth/AuthClientHandler.cc @@ -508,13 +508,11 @@ void AuthClientHandler::tick() } -int AuthClientHandler::build_authorizer(int peer_id, bufferlist& bl) +int AuthClientHandler::build_authorizer(uint32_t service_id, bufferlist& bl) { - uint32_t service_id = peer_id_to_entity_type(peer_id); - AuthContext ctx; - dout(0) << "going to build authorizer for peer_id=" << peer_id << " service_id=" << service_id << dendl; + dout(0) << "going to build authorizer for peer_id=" << service_id << " service_id=" << service_id << dendl; if (!tickets.build_authorizer(service_id, bl, ctx)) return -EINVAL; diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h index 9c874be135c7f..93d9a778aeeff 100644 --- a/src/auth/AuthClientHandler.h +++ b/src/auth/AuthClientHandler.h @@ -58,11 +58,6 @@ protected: virtual void _reset() {} - void reset() { - status = 0; - _reset(); - } - Cond cond; virtual int _handle_response(int ret, bufferlist::iterator& iter) = 0; 
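Review bot: The log line in the new `build_authorizer` prints `service_id` twice under two different labels (`"peer_id=" << service_id << " service_id=" << service_id`), so the output still claims to show a peer id that the function no longer receives. Replace it with a single correct label, `dout(10) << "building authorizer for service_id=" << service_id << dendl;`, and consider a debug level above 0 since this runs on every connection attempt. The rest of `build_authorizer` continues past the hunk.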
@@ -78,7 +73,13 @@ public: int handle_response(int ret, bufferlist::iterator& iter); int do_request(double timeout); - int do_async_request(double timeout); + + void reset() { + status = 0; + _reset(); + } + + int do_async_request(double timeout); }; class AuthClientAuthenticateHandler : public AuthClientProtocolHandler { @@ -121,6 +122,9 @@ public: void set_want_keys(__u32 keys) { want = keys; } + void add_want_keys(__u32 keys) { + want |= keys; + } }; class AuthClientAuthorizeHandler : public AuthClientProtocolHandler { @@ -200,7 +204,7 @@ public: int authorize(uint32_t service_id, double timeout); void tick(); - int build_authorizer(int peer_id, bufferlist& bl); + int build_authorizer(uint32_t service_id, bufferlist& bl); }; diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc index 187ccd7c4519b..4932c039a2132 100644 --- a/src/auth/AuthServiceManager.cc +++ b/src/auth/AuthServiceManager.cc @@ -105,11 +105,15 @@ int CephAuthService_X::handle_request(bufferlist::iterator& indata, bufferlist& default: return -EINVAL; } - state++; if (!ret && piggyback) { ret = handle_cephx_protocol(indata, result_bl); } + + if (!ret || (ret == -EAGAIN)) { + state++; + } + dout(0) << "returning with state=" << state << dendl; return ret; } diff --git a/src/auth/KeysServer.cc b/src/auth/KeysServer.cc index b01d4d05e4df4..ab066255bb5d4 100644 --- a/src/auth/KeysServer.cc +++ b/src/auth/KeysServer.cc @@ -92,7 +92,7 @@ bool KeysServerData::get_secret(EntityName& name, CryptoKey& secret, map data.next_rotating_time) { + dout(0) << "KeysServer::check_rotate: need to rotate keys" << dendl; + _generate_all_rotating_secrets(false); + return true; + } + return false; } bool KeysServer::get_secret(EntityName& name, CryptoKey& secret, map& caps) @@ -249,6 +248,8 @@ bool KeysServer::updated_rotating(bufferlist& rotating_bl, version_t& rotating_v { Mutex::Locker l(lock); + _check_rotate(); + if (data.rotating_ver <= rotating_ver) return false; 
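Review bot: In `CephAuthService_X::handle_request`, moving `state++` under `if (!ret || (ret == -EAGAIN))` means a step that fails leaves the handler parked at the same state, and nothing in the hunk bounds how often a peer may re-drive that step. Consider a per-handler failure counter that ends the session after a few rejections, or document that the caller must tear down on error. Note also that the piggyback branch can overwrite `ret` before the check, so a successful primary step with a failed piggyback does not advance; if that is intended, say so: `// advance only on success or EAGAIN; a failed step is replayed at the same state`. `handle_request` begins outside the hunk.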
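Review bot: `KeysServer::updated_rotating` is a query path, yet the added `_check_rotate()` regenerates the whole rotating key set in place once `next_rotating_time` has passed. As far as this patch shows, nothing pushes that regenerated set through the monitor's replicated store (the `check_rotate()` call in `AuthMonitor::on_active` is commented out in the same series), so a rotation triggered by one client poll would live only in this monitor's memory and could diverge from peers or vanish on restart. If rotation is meant to be leader-driven and replicated, generate the keys in the update path and keep `updated_rotating` read-only. With the timer gone, rotation now also happens only when something polls; at minimum document that: `// rotation is lazy: performed by the first updated_rotating() after next_rotating_time`. The `_check_rotate` hunk above is garbled on this page (template arguments stripped), so its exact condition could not be verified.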
diff --git a/src/auth/KeysServer.h b/src/auth/KeysServer.h index 62e9d47bc366d..de5ba89ee2030 100644 --- a/src/auth/KeysServer.h +++ b/src/auth/KeysServer.h @@ -28,6 +28,7 @@ struct KeysServerData { version_t version; version_t rotating_ver; + utime_t next_rotating_time; /* for each entity */ map secrets; @@ -40,12 +41,14 @@ struct KeysServerData { void encode(bufferlist& bl) const { ::encode(version, bl); ::encode(rotating_ver, bl); + ::encode(next_rotating_time, bl); ::encode(secrets, bl); ::encode(rotating_secrets, bl); } void decode(bufferlist::iterator& bl) { ::decode(version, bl); ::decode(rotating_ver, bl); + ::decode(next_rotating_time, bl); ::decode(secrets, bl); ::decode(rotating_secrets, bl); } @@ -81,28 +84,13 @@ struct KeysServerData { WRITE_CLASS_ENCODER(KeysServerData); class KeysServer : public KeysKeeper { - class C_RotateTimeout : public Context { - protected: - KeysServer *server; - double timeout; - public: - C_RotateTimeout(KeysServer *s, double to) : - server(s), timeout(to) { - } - void finish(int r) { - if (r >= 0) server->rotate_timeout(timeout); - } - }; - KeysServerData data; Mutex lock; - SafeTimer timer; - Context *rotate_event; - void _rotate_secret(uint32_t service_id, int factor); void _generate_all_rotating_secrets(bool init); + bool _check_rotate(); public: KeysServer(); diff --git a/src/librados.cc b/src/librados.cc index 2e0a3e09b53c7..f47a62dfb42bb 100644 --- a/src/librados.cc +++ b/src/librados.cc @@ -66,8 +66,8 @@ class RadosClient : public Dispatcher void ms_handle_remote_reset(Connection *con, const entity_addr_t& peer); bool ms_get_authorizer(int dest_type, bufferlist& authorizer, bool force_new) { dout(0) << "RadosClient::ms_get_authorizer type=" << dest_type << dendl; - - if (monclient.auth.build_authorizer(dest_type, authorizer) < 0) + uint32_t want = peer_id_to_entity_type(dest_type); + if (monclient.auth.build_authorizer(want, authorizer) < 0) return false; return true; 
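Review bot: `next_rotating_time` is encoded and decoded between `rotating_ver` and `secrets` with no format version or compat marker, so a `KeysServerData` blob written before this change will have the start of its `secrets` map decoded as a `utime_t` and the remainder misparsed. For the key store that is silent corruption rather than a clean failure. Either append the field behind a version bump in `encode`/`decode`, or document that any store produced by the previous layout must be regenerated before upgrading.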
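Review bot: `RadosClient::ms_get_authorizer` ignores `force_new`; the messenger passes `true` after a BADAUTHORIZER (`rank->get_authorizer(peer_type, authorizer, true)` in the SimpleMessenger hunk of this patch) to ask for a fresh authorizer, but this builds from the same `tickets` and returns the same bytes. The OSD counterpart in this patch at least waits on `wait_auth_rotating` when `force_new` is set; the client should perform the equivalent refresh, or state explicitly that a retry is a no-op here, e.g. `// force_new is not honoured: tickets are renewed only by the mon session`.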
@@ -372,14 +372,18 @@ bool RadosClient::ms_dispatch(Message *m) bool RadosClient::ms_handle_reset(Connection *con, const entity_addr_t& addr) { Mutex::Locker l(lock); - objecter->ms_handle_reset(addr); + if (objecter) { + objecter->ms_handle_reset(addr); + } return false; } void RadosClient::ms_handle_remote_reset(Connection *con, const entity_addr_t& addr) { Mutex::Locker l(lock); - objecter->ms_handle_remote_reset(addr); + if (objecter) { + objecter->ms_handle_remote_reset(addr); + } } diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index c47eced5eb23c..55750924a8d66 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -88,8 +88,9 @@ void AuthMonitor::on_active() if (!mon->is_leader()) return; mon->keys_server.start_server(true); - +/* check_rotate(); +*/ } void AuthMonitor::create_initial(bufferlist& bl) @@ -321,6 +322,10 @@ bool AuthMonitor::preprocess_auth(MAuth *m) ret = -EINVAL; dout(0) << "caught error when trying to handle auth request, probably malformed request" << dendl; } + if (ret == -EIO) { + paxos->wait_for_active(new C_RetryMessage(this, m)); + return true; + } } MAuthReply *reply = new MAuthReply(&response_bl, ret); mon->messenger->send_message(reply, m->get_orig_source_inst()); diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index 4ff347c396361..cb913d9a77da2 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -394,6 +394,9 @@ void MonClient::_open_session() void MonClient::_reopen_session() { dout(10) << "_reopen_session" << dendl; + state = MC_STATE_NONE; + auth_handler.reset(); + authorize_handler.reset(); _pick_new_mon(); _open_session(); } diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h index 01e7d409c9899..28b035af5b153 100644 --- a/src/mon/MonClient.h +++ b/src/mon/MonClient.h 
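Review bot: The `check_rotate();` call in `AuthMonitor::on_active` is disabled by wrapping it in `/* */` rather than removed, leaving dead code with no explanation of what replaces it. Either delete it or replace it with a comment describing the new mechanism, e.g. `// rotating keys are regenerated lazily by KeysServer::_check_rotate(); nothing to do on activation`. Commented-out code also hides the behavioural change that the leader no longer rotates proactively when it becomes active, which is worth a visible note for a key server.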
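Review bot: In `AuthMonitor::preprocess_auth`, `ret == -EIO` is taken to mean "paxos not active, park and retry", but -EIO is a generic error code that the auth handler could return for a real failure, and such a request would then be requeued instead of answered. Since the `assert(!is_active())` guard is removed from `Paxos::wait_for_active` in this same patch, a request queued while paxos is already active will not be retried until some later state change. Prefer testing `paxos->is_active()` before dispatching, or a dedicated return code, and comment the intent: `// -EIO from the keys server means "not active yet": retry once paxos becomes active`. `preprocess_auth` begins outside the hunk.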
@@ -234,6 +234,10 @@ public: void set_want_keys(uint32_t want) { auth_handler.set_want_keys(want | CEPHX_PRINCIPAL_MON); } + + void add_want_keys(uint32_t want) { + auth_handler.add_want_keys(want); + } }; #endif diff --git a/src/mon/Paxos.h b/src/mon/Paxos.h index 70b6c397091ab..3ca31c5f30dff 100644 --- a/src/mon/Paxos.h +++ b/src/mon/Paxos.h @@ -250,7 +250,6 @@ public: // -- service interface -- void wait_for_active(Context *c) { - assert(!is_active()); waiting_for_active.push_back(c); } diff --git a/src/msg/SimpleMessenger.cc b/src/msg/SimpleMessenger.cc index b962a7974fa84..6d697406e472e 100644 --- a/src/msg/SimpleMessenger.cc +++ b/src/msg/SimpleMessenger.cc @@ -604,7 +604,7 @@ int SimpleMessenger::Pipe::accept() } - dout(0) << "accepting: connect.authorize_len=" << connect.authorizer_len << " rc=" << rc << " " << connect.protocol_version << "sizeof=" << sizeof(connect) << " " << connect.flags << dendl; + dout(0) << "accepting: connect.authorize_len=" << connect.authorizer_len << dendl; authorizer.clear(); if (connect.authorizer_len) { bp = buffer::create(connect.authorizer_len); @@ -840,6 +840,8 @@ int SimpleMessenger::Pipe::accept() int SimpleMessenger::Pipe::connect() { + bool got_bad_auth = false; + dout(10) << "connect " << connect_seq << dendl; assert(lock.is_locked()); @@ -1037,6 +1039,9 @@ int SimpleMessenger::Pipe::connect() if (reply.tag == CEPH_MSGR_TAG_BADAUTHORIZER) { dout(0) << "connect got BADAUTHORIZER" << dendl; + if (got_bad_auth) + goto stop_locked; + got_bad_auth = true; authorizer.clear(); lock.Unlock(); rank->get_authorizer(peer_type, authorizer, true); // try harder diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc index 1517940376d50..01939f495fa27 100644 --- a/src/osd/OSD.cc +++ b/src/osd/OSD.cc 
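Review bot: `MonClient::add_want_keys` forwards `want` unchanged while the adjacent `set_want_keys` always ORs in `CEPHX_PRINCIPAL_MON`, so a caller that only uses `add_want_keys` can end up without the monitor principal in its wanted set. For consistency write `auth_handler.add_want_keys(want | CEPHX_PRINCIPAL_MON);`, or document that `set_want_keys` must have been called first.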
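Review bot: Removing `assert(!is_active())` from `Paxos::wait_for_active` lets a context be queued while paxos is already active, and from this hunk the context is only pushed onto `waiting_for_active`, so it will run only on the next transition to active, which may be arbitrarily later. If the goal is to support callers that cannot check the state themselves, complete the context immediately in the active case, e.g. `if (is_active()) { c->finish(0); delete c; return; }` (adjusted to whatever completion idiom this file uses, which is outside the hunk), and add a comment stating the guarantee callers get.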
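Review bot: `got_bad_auth` caps the BADAUTHORIZER retry at one per `connect()` call, but it is a local, so each new call of `connect()` by the surrounding reconnect logic (outside the hunk) gets another fresh-authorizer attempt with no backoff visible here. The second rejection also goes to `stop_locked` with the same message as the first, so a stale or wrong key is indistinguishable in the logs from a transient failure; log it distinctly, e.g. `dout(0) << "connect got BADAUTHORIZER again, giving up" << dendl;` before the `goto`. `connect()` starts and ends outside the hunk.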
@@ -1515,8 +1515,14 @@ bool OSD::ms_dispatch(Message *m) bool OSD::ms_get_authorizer(int dest_type, bufferlist& authorizer, bool force_new) { dout(0) << "OSD::ms_get_authorizer type=" << dest_type << dendl; + uint32_t want = peer_id_to_entity_type(dest_type); - if (monc->auth.build_authorizer(dest_type, authorizer) < 0) + if (force_new) { + if (monc->wait_auth_rotating(10) < 0) + return false; + } + + if (monc->auth.build_authorizer(want, authorizer) < 0) return false; return true; -- 2.39.5
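Review bot: With `force_new` set, `OSD::ms_get_authorizer` blocks for up to ten seconds in `monc->wait_auth_rotating(10)` on the messenger's connect path, and the timeout is a bare literal. The wait is also for the rotating service keys, whereas the authorizer is then built from `monc->auth` tickets; if the rejection was caused by a stale ticket rather than stale rotating keys, the retry resends the same authorizer (this depends on what `wait_auth_rotating` refreshes, which is outside the patch). Name the timeout (`static const double OSD_AUTH_ROTATING_WAIT = 10.0;` or a config option) and add a comment explaining why rotating keys are the thing to wait for before rebuilding the authorizer.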