From 2d0a8b2fab9b68cc5625184bc9910f176f47ebbc Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Mon, 19 Oct 2009 12:51:21 -0700 Subject: [PATCH] auth: send caps to principals with the ticket --- src/auth/Auth.cc | 8 ++--- src/auth/Auth.h | 25 +++++++++---- src/auth/AuthProtocol.h | 48 ++++++++++++++----------- src/auth/AuthServiceManager.cc | 8 ++--- src/auth/AuthorizeServer.cc | 16 +++++---- src/auth/Crypto.cc | 2 +- src/auth/KeyRing.cc | 6 ++-- src/auth/KeyRing.h | 2 +- src/auth/KeysServer.cc | 65 +++++++++++++++++++++++++++------- src/auth/KeysServer.h | 24 +++++++------ src/authtool.cc | 49 ++++++++++++++++++++++--- src/common/ConfUtils.h | 1 + src/include/AuthLibrary.h | 43 ++-------------------- src/mon/AuthMonitor.cc | 14 ++++---- src/mon/Monitor.cc | 3 +- src/vstart.sh | 26 ++++++++++++-- 16 files changed, 214 insertions(+), 126 deletions(-) diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc index c3aa720312eed..dd270fb0e2250 100644 --- a/src/auth/Auth.cc +++ b/src/auth/Auth.cc @@ -33,14 +33,14 @@ void build_service_ticket_request(uint32_t keys, ::encode(ticket_req, request); } - bool build_service_ticket(SessionAuthInfo& info, bufferlist& reply) { AuthServiceTicketInfo ticket_info; ticket_info.session_key = info.session_key; ticket_info.ticket = info.ticket; + ticket_info.ticket.caps = info.ticket.caps; ::encode(info.secret_id, reply); - dout(0) << "encoded info.secret_id=" << info.secret_id << dendl; + dout(0) << "encoded info.secret_id=" << info.secret_id << " ticket_info.ticket.name=" << ticket_info.ticket.name.to_str() << dendl; if (info.service_secret.get_secret().length()) hexdump("service_secret", info.service_secret.get_secret().c_str(), info.service_secret.get_secret().length()); if (encode_encrypt(ticket_info, info.service_secret, reply) < 0) 
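Review bot: The added `ticket_info.ticket.caps = info.ticket.caps;` is a no-op, because the line above it, `ticket_info.ticket = info.ticket;`, already copies the whole AuthTicket including its new caps bufferlist; drop the extra line so a reader does not assume caps need separate handling here. Independently of this change, the pre-existing `hexdump("service_secret", ...)` a few lines down prints the service secret at dout(0), the level that is always on; now that tickets carry authorization data it is worth moving that behind a high debug level. The body of build_service_ticket continues past this hunk.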
@@ -220,8 +220,7 @@ bool verify_authorizer(KeysKeeper& keys, bufferlist::iterator& indata, if (secret_id == (uint64_t)-1) { EntityName name; name.entity_type = service_id; - map caps; - if (!keys.get_secret(name, service_secret, caps)) { + if (!keys.get_secret(name, service_secret)) { dout(0) << "could not get general service secret for service_id=" << service_id << " secret_id=" << secret_id << dendl; return false; } @@ -237,6 +236,7 @@ bool verify_authorizer(KeysKeeper& keys, bufferlist::iterator& indata, dout(0) << "could not decrypt ticket info" << dendl; return false; } + dout(0) << "decoded ticket_info.ticket.name=" << ticket_info.ticket.name.to_str() << dendl; AuthAuthorize auth_msg; if (decode_decrypt(auth_msg, ticket_info.session_key, indata) < 0) { diff --git a/src/auth/Auth.h b/src/auth/Auth.h index 6204206992cd3..237ec8771571e 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -25,6 +25,21 @@ class Cond; #define AUTH_ENC_MAGIC 0xff009cad8826aa55 +struct EntityAuth { + CryptoKey key; + map caps; + + void encode(bufferlist& bl) const { + ::encode(key, bl); + ::encode(caps, bl); + } + void decode(bufferlist::iterator& bl) { + ::decode(key, bl); + ::decode(caps, bl); + } +}; +WRITE_CLASS_ENCODER(EntityAuth) + struct AuthContext { int status; // int id; @@ -41,7 +56,7 @@ struct AuthTicket { EntityName name; entity_addr_t addr; utime_t created, renew_after, expires; - map caps; + bufferlist caps; __u32 flags; AuthTicket() : flags(0) {} @@ -233,13 +248,11 @@ struct AuthServiceTicketInfo { CryptoKey session_key; void encode(bufferlist& bl) const { - ::encode(ticket.renew_after, bl); - ::encode(ticket.expires, bl); + ::encode(ticket, bl); ::encode(session_key, bl); } void decode(bufferlist::iterator& bl) { - ::decode(ticket.renew_after, bl); - ::decode(ticket.expires, bl); + ::decode(ticket, bl); ::decode(session_key, bl); } }; 
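Review bot: The wire format of AuthServiceTicketInfo changes here with no version or compat marker: `::encode(ticket, bl)` replaces the two utime_t fields with the full AuthTicket (name, addr, timestamps, the caps bufferlist, flags), so a peer built before this patch will misdecode tickets from a newer monitor and vice versa. If mixed versions are ever expected, encode a leading `__u8 struct_v = 1;` and branch on it in decode; if not, a one-line comment that the format is not yet stable would save the next reader the question. It is also worth a comment on the `bufferlist caps` field of AuthTicket in the hunk above that the blob is opaque to the client and is only trustworthy because it travels inside the encode_encrypt() payload protected by the service secret — a service must only honour it after that decrypt succeeds.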
@@ -293,7 +306,7 @@ WRITE_CLASS_ENCODER(RotatingSecrets); class KeysKeeper { public: - virtual bool get_secret(EntityName& name, CryptoKey& secret, map& caps) = 0; + virtual bool get_secret(EntityName& name, CryptoKey& secret) = 0; virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) = 0; }; diff --git a/src/auth/AuthProtocol.h b/src/auth/AuthProtocol.h index 87bfd9337f675..48768404b6778 100644 --- a/src/auth/AuthProtocol.h +++ b/src/auth/AuthProtocol.h @@ -102,6 +102,29 @@ using namespace std; class Monitor; +static inline void get_entity_type_str(uint32_t entity_type,string& s) { + switch (entity_type) { + case CEPHX_PRINCIPAL_AUTH: + s = "auth"; + break; + case CEPHX_PRINCIPAL_MON: + s = "mon"; + break; + case CEPHX_PRINCIPAL_OSD: + s = "osd"; + break; + case CEPHX_PRINCIPAL_MDS: + s = "mds"; + break; + case CEPHX_PRINCIPAL_CLIENT: + s = "client"; + break; + default: + s = "???"; + break; + } +} + static inline uint32_t peer_id_to_entity_type(int peer_id) { switch (peer_id) { @@ -133,26 +156,7 @@ struct EntityName { } void to_str(string& str) const { - switch (entity_type) { - case CEPHX_PRINCIPAL_AUTH: - str = "auth"; - break; - case CEPHX_PRINCIPAL_MON: - str = "mon"; - break; - case CEPHX_PRINCIPAL_OSD: - str = "osd"; - break; - case CEPHX_PRINCIPAL_MDS: - str = "mds"; - break; - case CEPHX_PRINCIPAL_CLIENT: - str = "client"; - break; - default: - str = "???"; - break; - } + get_entity_type_str(entity_type, str); str.append("."); str.append(name); } @@ -195,6 +199,10 @@ struct EntityName { set_type(type); name = id; } + + void get_type_str(string& s) { + get_entity_type_str(entity_type, s); + } }; WRITE_CLASS_ENCODER(EntityName); diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc index 05a93f1117512..5d79ca7a4e14a 100644 --- a/src/auth/AuthServiceManager.cc +++ b/src/auth/AuthServiceManager.cc 
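Review bot: `get_entity_type_str` silently maps any unknown entity type to "???", and its new caller in KeysServer (`_build_session_auth_info`, later in this patch) uses that string as the key for the caps lookup, so a malformed service id degrades into a lookup under "???" instead of a hard failure; returning a bool from the default branch, or checking the id against the `CEPHX_PRINCIPAL_*` set before the switch, would let callers reject it. Also, the new `EntityName::get_type_str(string&)` should be `const` to match the existing `to_str(string&) const`: `void get_type_str(string& s) const { get_entity_type_str(entity_type, s); }`.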
@@ -70,9 +70,8 @@ int CephAuthService_X::handle_request(bufferlist::iterator& indata, bufferlist& ::decode(req, indata); CryptoKey secret; - map caps; dout(0) << "entity_name=" << entity_name.to_str() << dendl; - if (!mon->keys_server.get_secret(entity_name, secret, caps)) { + if (!mon->keys_server.get_secret(entity_name, secret)) { dout(0) << "couldn't find entity name: " << entity_name.to_str() << dendl; ret = -EPERM; break; @@ -140,7 +139,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe SessionAuthInfo info; CryptoKey principal_secret; - if (mon->keys_server.get_secret(req.name, principal_secret, info.ticket.caps) < 0) { + if (mon->keys_server.get_secret(req.name, principal_secret) < 0) { ret = -EPERM; break; } @@ -185,6 +184,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe break; } + ret = 0; vector info_vec; for (uint32_t service_id = 1; service_id != (CEPHX_PRINCIPAL_TYPE_MASK + 1); service_id <<= 1) { if (ticket_req.keys & service_id) { @@ -198,10 +198,8 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe info_vec.push_back(info); } } - build_cephx_response_header(request_type, ret, result_bl); build_service_ticket_reply(auth_ticket_info.session_key, info_vec, result_bl); - ret = 0; } break; default: diff --git a/src/auth/AuthorizeServer.cc b/src/auth/AuthorizeServer.cc index 1d7043bb43da0..51d92a8c7a39f 100644 --- a/src/auth/AuthorizeServer.cc +++ b/src/auth/AuthorizeServer.cc 
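Review bot: `if (mon->keys_server.get_secret(req.name, principal_secret) < 0)` can never be true: KeysServer::get_secret returns `bool` (see the KeysKeeper interface and KeysServer.cc in this patch), and a bool compared `< 0` is always false, so an unknown principal falls through with a default-constructed `principal_secret` instead of getting -EPERM. The first hunk of this file already uses the correct form; change this one to `if (!mon->keys_server.get_secret(req.name, principal_secret))`. Moving `ret = 0;` ahead of the ticket loop is only sound if each `build_session_auth_info` call inside the loop (not visible here) overrides `ret` on failure, since that function can now return -EINVAL when caps cannot be found — please verify. handle_cephx_protocol starts and ends outside this hunk.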
@@ -96,15 +96,10 @@ int AuthorizeServer::do_authorize(bufferlist::iterator& indata, bufferlist& resu switch (request_type) { case CEPHX_OPEN_SESSION: { - dout(0) << "CEPHX_OPEN_SESSION " << cephx_header.request_type << dendl; + dout(0) << "CEPHX_OPEN_SESSION " << cephx_header.request_type << dendl; - ret = 0; bufferlist tmp_bl; - AuthServiceTicketInfo auth_ticket_info; - if (!::verify_authorizer(*keys, indata, auth_ticket_info, tmp_bl)) { - dout(0) << "could not verify authorizer" << dendl; - ret = -EPERM; - } + ret = verify_authorizer(0, indata, tmp_bl); result_bl.claim_append(tmp_bl); } break; @@ -126,6 +121,13 @@ int AuthorizeServer::verify_authorizer(int peer_type, bufferlist::iterator& inda dout(0) << "could not verify authorizer" << dendl; ret = -EPERM; } + dout(0) << "caps len=" << auth_ticket_info.ticket.caps.length() << dendl; + if (auth_ticket_info.ticket.caps.length()) { + string caps; + bufferlist::iterator iter = auth_ticket_info.ticket.caps.begin(); + ::decode(caps, iter); + dout(0) << "got caps: " << caps << dendl; + } } catch (buffer::error *err) { ret = -EINVAL; } diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc index f76b4b54c1b42..bd5a7fc27ea3a 100644 --- a/src/auth/Crypto.cc +++ b/src/auth/Crypto.cc @@ -137,7 +137,7 @@ int CryptoAES::encrypt(bufferptr& secret, const bufferlist& in, bufferlist& out) int total_out = 0; int outlen; #define OUT_BUF_EXTRA 128 - unsigned char outbuf[outlen + OUT_BUF_EXTRA]; + unsigned char outbuf[max_out + OUT_BUF_EXTRA]; dout(0) << "secret.length=" << secret.length() << dendl; diff --git a/src/auth/KeyRing.cc b/src/auth/KeyRing.cc index fcb2357986828..6090ea597278c 100644 --- a/src/auth/KeyRing.cc +++ b/src/auth/KeyRing.cc @@ -59,8 +59,8 @@ bool KeyRing::load_master(const char *filename) bufferlist::iterator iter = bl.begin(); - map m; - map::iterator miter; + map m; + map::iterator miter; ::decode(m, iter); 
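Review bot: The caps decode added after the verification block runs even when `::verify_authorizer` has just failed and `ret` was set to -EPERM, so the code decodes and logs caps pulled from an authorizer that did not validate; guard it with `if (ret == 0 && auth_ticket_info.ticket.caps.length())`. The caps are only decoded and logged here and nothing consumes them for an authorization decision yet; if that is intentional staging, a `// TODO: enforce ticket caps against the requested operation` comment would make it explicit. AuthorizeServer::verify_authorizer continues past this hunk.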
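Review bot: Replacing the uninitialised `outlen` with `max_out` as the array size fixes an undefined-behaviour stack allocation, but `unsigned char outbuf[max_out + OUT_BUF_EXTRA]` is still a variable-length array on the stack; if `max_out` is derived from the caller's input length (its computation is outside this hunk), an oversized plaintext becomes stack exhaustion rather than an error. A heap buffer sized to `max_out + OUT_BUF_EXTRA`, or a hard upper bound checked on `max_out` before this line, would remove that risk. CryptoAES::encrypt starts and ends outside this hunk.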
@@ -74,7 +74,7 @@ bool KeyRing::load_master(const char *filename) if (miter == m.end()) return false; } - master = miter->second; + master = miter->second.key; return true; } diff --git a/src/auth/KeyRing.h b/src/auth/KeyRing.h index 3e42830eebfd7..38517b671cd80 100644 --- a/src/auth/KeyRing.h +++ b/src/auth/KeyRing.h @@ -39,7 +39,7 @@ public: bool need_rotating_secrets(); - bool get_secret(EntityName& name, CryptoKey& secret, map& caps) { + bool get_secret(EntityName& name, CryptoKey& secret) { get_master(secret); return true; } diff --git a/src/auth/KeysServer.cc b/src/auth/KeysServer.cc index f6a36bb5cd3f1..e2227e68118ae 100644 --- a/src/auth/KeysServer.cc +++ b/src/auth/KeysServer.cc @@ -81,13 +81,29 @@ bool KeysServerData::get_service_secret(uint32_t service_id, uint64_t secret_id, return true; } -bool KeysServerData::get_secret(EntityName& name, CryptoKey& secret, map& caps) +bool KeysServerData::get_secret(EntityName& name, CryptoKey& secret) { - map::iterator iter = secrets.find(name); + map::iterator iter = secrets.find(name); if (iter == secrets.end()) return false; - secret = iter->second; + secret = iter->second.key; + + return true; +} + +bool KeysServerData::get_caps(EntityName& name, string& type, bufferlist& caps) +{ + dout(0) << "get_caps: name=" << name.to_str() << dendl; + map::iterator iter = secrets.find(name); + if (iter == secrets.end()) + return false; + + dout(0) << "get_secret: num of caps=" << iter->second.caps.size() << dendl; + map::iterator capsiter = iter->second.caps.find(type); + if (capsiter != iter->second.caps.end()) { + caps = capsiter->second; + } return true; } 
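Review bot: `KeysServerData::get_caps` returns true both when the entity has caps for `type` and when it has none at all, leaving `caps` untouched in the second case; since `_build_session_auth_info` only checks that boolean, a principal with no caps for a service still receives a ticket whose caps blob is whatever the caller passed in (presumably empty for a fresh SessionAuthInfo). If an empty blob is meant to mean "no access", say so in a comment on get_caps; otherwise return false from the `capsiter == iter->second.caps.end()` path so the ticket is refused. The log line inside it is also mislabelled: it should read `dout(0) << "get_caps: num of caps=" ...` rather than `"get_secret: ..."`.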
@@ -163,11 +179,18 @@ bool KeysServer::_check_rotate() return false; } -bool KeysServer::get_secret(EntityName& name, CryptoKey& secret, map& caps) +bool KeysServer::get_secret(EntityName& name, CryptoKey& secret) { Mutex::Locker l(lock); - return data.get_secret(name, secret, caps); + return data.get_secret(name, secret); +} + +bool KeysServer::get_caps(EntityName& name, string& type, bufferlist& caps) +{ + Mutex::Locker l(lock); + + return data.get_caps(name, type, caps); } bool KeysServer::get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret, uint64_t& secret_id) @@ -213,7 +236,10 @@ bool KeysServer::generate_secret(EntityName& name, CryptoKey& secret) Mutex::Locker l(lock); - data.add_secret(name, secret); + EntityAuth auth; + auth.key = secret; + + data.add_auth(name, auth); return true; } @@ -229,14 +255,22 @@ void KeysServer::list_secrets(stringstream& ss) { Mutex::Locker l(lock); - map::iterator mapiter = data.secrets_begin(); + map::iterator mapiter = data.secrets_begin(); if (mapiter != data.secrets_end()) { ss << "installed auth entries: " << std::endl; while (mapiter != data.secrets_end()) { const EntityName& name = mapiter->first; ss << name.to_str() << std::endl; - + + map::iterator capsiter = mapiter->second.caps.begin(); + for (; capsiter != mapiter->second.caps.end(); ++capsiter) { + bufferlist::iterator dataiter = capsiter->second.begin(); + string caps; + ::decode(caps, dataiter); + ss << "\tcaps: [" << capsiter->first << "] " << caps << std::endl; + } + ++mapiter; } } else { 
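Review bot: The new loop in `list_secrets` calls `::decode(caps, dataiter)` on each stored caps bufferlist with no try/catch, while the other decodes of externally supplied data in this patch (AuthorizeServer, AuthMonitor) are wrapped; a caps blob that was admitted via `auth add` but is not a valid encoded string would throw out of a monitor command handler. Either validate caps blobs at the point they are added, or catch `buffer::error` around the decode here and print `caps: [type] <undecodable>` instead of propagating.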
@@ -275,11 +309,11 @@ bool KeysServer::get_rotating_encrypted(EntityName& name, bufferlist& enc_bl) { Mutex::Locker l(lock); - map::iterator mapiter = data.find_name(name); + map::iterator mapiter = data.find_name(name); if (mapiter == data.secrets_end()) return false; - CryptoKey& specific_key = mapiter->second; + CryptoKey& specific_key = mapiter->second.key; map::iterator rotate_iter = data.rotating_secrets.find(name.entity_type); if (rotate_iter == data.rotating_secrets.end()) @@ -301,8 +335,13 @@ int KeysServer::_build_session_auth_info(uint32_t service_id, AuthServiceTicketI generate_secret(info.session_key); info.service_id = service_id; - - info.ticket.caps = auth_ticket_info.ticket.caps; + + string s; + get_entity_type_str(service_id, s); + + if (!data.get_caps(info.ticket.name, s, info.ticket.caps)) { + return -EINVAL; + } return 0; } @@ -313,6 +352,8 @@ int KeysServer::build_session_auth_info(uint32_t service_id, AuthServiceTicketIn return -EPERM; } + Mutex::Locker l(lock); + return _build_session_auth_info(service_id, auth_ticket_info, info); } diff --git a/src/auth/KeysServer.h b/src/auth/KeysServer.h index 11dcb4f0f3da8..5ff002c91e14b 100644 --- a/src/auth/KeysServer.h +++ b/src/auth/KeysServer.h @@ -31,7 +31,7 @@ struct KeysServerData { utime_t next_rotating_time; /* for each entity */ - map secrets; + map secrets; /* for each service type */ map rotating_secrets; @@ -57,12 +57,12 @@ struct KeysServerData { return (secrets.find(name) != secrets.end()); } - void add_secret(const EntityName& name, CryptoKey& secret) { - secrets[name] = secret; + void add_auth(const EntityName& name, EntityAuth& auth) { + secrets[name] = auth; } void remove_secret(const EntityName& name) { - map::iterator iter = secrets.find(name); + map::iterator iter = secrets.find(name); if (iter == secrets.end()) return; secrets.erase(iter); 
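Review bot: `build_session_auth_info` now takes `lock` before calling `_build_session_auth_info`, which in turn calls `generate_secret(info.session_key)`; the two-argument `KeysServer::generate_secret` earlier in this file takes the same lock with `Mutex::Locker`, and if the one-argument overload does likewise (its body is not in this hunk) this is a self-deadlock unless `Mutex` is recursive. Please confirm, or generate the session key before acquiring the lock. The caps lookup keys on `info.ticket.name`, which must already be populated when this is called; a precondition comment on `_build_session_auth_info` such as `// requires info.ticket.name to be set by the caller` would help, since that assignment is not visible here.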
@@ -75,11 +75,12 @@ struct KeysServerData { bool get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret, uint64_t& secret_id); bool get_service_secret(uint32_t service_id, CryptoKey& secret, uint64_t& secret_id); bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret); - bool get_secret(EntityName& name, CryptoKey& secret, map& caps); + bool get_secret(EntityName& name, CryptoKey& secret); + bool get_caps(EntityName& name, string& type, bufferlist& caps); - map::iterator secrets_begin() { return secrets.begin(); } - map::iterator secrets_end() { return secrets.end(); } - map::iterator find_name(EntityName& name) { return secrets.find(name); } + map::iterator secrets_begin() { return secrets.begin(); } + map::iterator secrets_end() { return secrets.end(); } + map::iterator find_name(EntityName& name) { return secrets.find(name); } }; WRITE_CLASS_ENCODER(KeysServerData); @@ -97,7 +98,8 @@ public: bool generate_secret(CryptoKey& secret); - bool get_secret(EntityName& name, CryptoKey& secret, map& caps); + bool get_secret(EntityName& name, CryptoKey& secret); + bool get_caps(EntityName& name, string& type, bufferlist& caps); bool get_active_rotating_secret(EntityName& name, CryptoKey& secret); int start_server(bool init); void rotate_timeout(double timeout); @@ -132,9 +134,9 @@ public: data.version = ver; } - void add_secret(const EntityName& name, CryptoKey& secret) { + void add_auth(const EntityName& name, EntityAuth& auth) { Mutex::Locker l(lock); - data.add_secret(name, secret); + data.add_auth(name, auth); } void remove_secret(const EntityName& name) { diff --git a/src/authtool.cc b/src/authtool.cc index 67b7b5cae26ae..5c565e4861432 100644 --- a/src/authtool.cc +++ b/src/authtool.cc 
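Review bot: The new accessors are not const-correct: `add_auth` takes `EntityAuth&` and `get_caps` takes `string& type` although neither modifies its argument, which forces callers to hold mutable copies (the call in `_build_session_auth_info` builds a temporary `string s` just for this). Declare them as `void add_auth(const EntityName& name, const EntityAuth& auth)` and `bool get_caps(EntityName& name, const string& type, bufferlist& caps);` in both KeysServerData and KeysServer, and match the definitions in KeysServer.cc.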
@@ -16,13 +16,15 @@ using namespace std; #include "config.h" +#include "common/ConfUtils.h" #include "common/common_init.h" #include "auth/Crypto.h" #include "auth/KeysServer.h" +#include "auth/Auth.h" void usage() { - cout << " usage: [--gen-key] [--name] [--list] " << std::endl; + cout << " usage: [--gen-key] [--name=] [--caps=] [--list] " << std::endl; exit(1); } @@ -40,6 +42,7 @@ int main(int argc, const char **argv) bool gen_key = false; bool list = false; const char *name = ""; + const char *caps_fn = NULL; FOR_EACH_ARG(args) { if (CONF_ARG_EQ("gen-key", 'g')) { @@ -48,6 +51,8 @@ int main(int argc, const char **argv) CONF_SAFE_SET_ARG_VAL(&name, OPT_STR); } else if (CONF_ARG_EQ("list", 'l')) { CONF_SAFE_SET_ARG_VAL(&list, OPT_BOOL); + } else if (CONF_ARG_EQ("caps", '\0')) { + CONF_SAFE_SET_ARG_VAL(&caps_fn, OPT_STR); } else if (!fn) { fn = args[i]; } else @@ -58,9 +63,17 @@ int main(int argc, const char **argv) usage(); } - map keys_map; + map keys_map; string s = name; + + if (caps_fn) { + if (!name || !(*name)) { + cerr << "can't specify caps without name" << std::endl; + exit(1); + } + } + CryptoKey key; key.create(CEPH_SECRET_AES); @@ -77,11 +90,11 @@ int main(int argc, const char **argv) } if (gen_key) { - keys_map[s] = key; + keys_map[s].key = key; } if (list) { - map::iterator iter = keys_map.begin(); + map::iterator iter = keys_map.begin(); for (; iter != keys_map.end(); ++iter) { string n = iter->first; if (n.empty()) { 
@@ -89,6 +102,34 @@ int main(int argc, const char **argv) } else { cout << n << std::endl; } + map::iterator capsiter = iter->second.caps.begin(); + for (; capsiter != iter->second.caps.end(); ++capsiter) { + bufferlist::iterator dataiter = capsiter->second.begin(); + string caps; + ::decode(caps, dataiter); + cout << "\tcaps: [" << capsiter->first << "] " << caps << std::endl; + } + } + } + + if (caps_fn) { + map& caps = keys_map[s].caps; + ConfFile *cf = new ConfFile(caps_fn); + if (!cf->parse()) { + cerr << "could not parse caps file " << caps_fn << std::endl; + exit(1); + } + const char *key_names[] = { "mon", "osd", "mds", NULL }; + for (int i=0; key_names[i]; i++) { + char *val; + cf->read("global", key_names[i], &val, NULL); + if (val) { + bufferlist bl; + ::encode(val, bl); + string s(key_names[i]); + caps[s] = bl; + free(val); + } } } diff --git a/src/common/ConfUtils.h b/src/common/ConfUtils.h index 12dbfd3d1c65f..f3a17aafd4136 100644 --- a/src/common/ConfUtils.h +++ b/src/common/ConfUtils.h @@ -57,6 +57,7 @@ public: ConfSection(std::string sec_name) : name(sec_name) { } const std::string& get_name() { return name; } + ConfList& get_list() { return conf_list; } }; typedef std::map SectionMap; diff --git a/src/include/AuthLibrary.h b/src/include/AuthLibrary.h index 455dcc0b0e8ad..d5dcc30bf5dbe 100644 --- a/src/include/AuthLibrary.h +++ b/src/include/AuthLibrary.h @@ -24,7 +24,7 @@ struct AuthLibEntry { bool rotating; EntityName name; - CryptoKey secret; + EntityAuth auth; bufferlist rotating_bl; @@ -33,7 +33,7 @@ struct AuthLibEntry { ::encode(r, bl); if (!rotating) { ::encode(name, bl); - ::encode(secret, bl); + ::encode(auth, bl); } else { ::encode(rotating_bl, bl); } @@ -44,7 +44,7 @@ struct AuthLibEntry { rotating = (bool)r; if (!rotating) { ::decode(name, bl); - ::decode(secret, bl); + ::decode(auth, bl); } else { ::decode(rotating_bl, bl); } 
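Review bot: `char *val;` is tested by `if (val)` after `cf->read("global", key_names[i], &val, NULL)`, so unless ConfFile::read is guaranteed to store the NULL default on a missing key (not visible here), a caps file that omits e.g. `mds` encodes a garbage pointer into the keyring; initialise it as `char *val = NULL;`. The inner `string s(key_names[i])` shadows the outer `string s = name` that keys the map, which is easy to misread — name it `type`. `keys_map[s].caps` also creates an entry with a default-constructed key when `--caps` is given for a name not already in the file and `--gen-key` is absent, and the `new ConfFile` is never deleted; guard the former with a check that the entry exists and make `cf` a stack object (or `delete cf`) for the latter.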
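Review bot: `AuthLibEntry` now encodes an `EntityAuth` where it previously encoded a bare `CryptoKey`, with no version byte; these entries are what AuthMonitor writes to and reads back from paxos (`update_from_paxos` later in this patch), so a monitor store written before this change will fail to decode or, worse, decode trailing bytes as a caps map. If the on-disk format is not yet frozen, a comment saying so next to the encoder is enough; otherwise add a `__u8 v` field to the encoding and branch on it in decode.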
@@ -84,43 +84,6 @@ struct AuthLibIncremental { } }; WRITE_CLASS_ENCODER(AuthLibIncremental) -#if 0 -struct AuthLibrary { - version_t version; - KeysServerData keys; - - AuthLibrary() : version(0) {} - - void add_secret(const EntityName& name, CryptoKey& secret) { - keys.add_secret(name, secret); - } - - void add(AuthLibEntry& entry) { - if (entry.rotating) { - keys.add_rotating_secret(entry.service_id, entry.rotating_secret); - } else { - add_secret(entry.name, entry.secret); - } - } - - void remove(const EntityName& name) { - keys.remove_secret(name); - } - - bool contains(EntityName& name) { - return keys.contains(name); - } - void encode(bufferlist& bl) const { - ::encode(version, bl); - ::encode(keys, bl); - } - void decode(bufferlist::iterator& bl) { - ::decode(version, bl); - ::decode(keys, bl); - } -}; -WRITE_CLASS_ENCODER(AuthLibrary) -#endif inline ostream& operator<<(ostream& out, const AuthLibEntry& e) { diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index 5c807b2c9ce5a..c91cbe4d32a78 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -97,7 +97,7 @@ void AuthMonitor::create_initial(bufferlist& bl) { dout(0) << "create_initial -- creating initial map" << dendl; if (g_conf.keys_file) { - map keys_map; + map keys_map; dout(0) << "reading initial keys file " << dendl; bufferlist bl; int r = bl.read_file(g_conf.keys_file); @@ -111,7 +111,7 @@ void AuthMonitor::create_initial(bufferlist& bl) cerr << "error reading file " << g_conf.keys_file << std::endl; } if (read_ok) { - map::iterator iter = keys_map.begin(); + map::iterator iter = keys_map.begin(); for (; iter != keys_map.end(); ++iter) { string n = iter->first; if (!n.empty()) { @@ -121,7 +121,7 @@ void AuthMonitor::create_initial(bufferlist& bl) dout(0) << "bad entity name " << n << dendl; continue; } - entry.secret = iter->second; + entry.auth = iter->second; AuthLibIncremental inc; ::encode(entry, inc.info); 
@@ -191,7 +191,7 @@ bool AuthMonitor::update_from_paxos() case AUTH_INC_ADD: if (!entry.rotating) { derr(0) << "got entry name=" << entry.name.to_str() << dendl; - mon->keys_server.add_secret(entry.name, entry.secret); + mon->keys_server.add_auth(entry.name, entry.auth); } else { derr(0) << "got AUTH_INC_ADD with entry.rotating" << dendl; } @@ -482,8 +482,8 @@ bool AuthMonitor::prepare_command(MMonCommand *m) bufferlist bl = m->get_data(); dout(0) << "AuthMonitor::prepare_command bl.length()=" << bl.length() << dendl; bufferlist::iterator iter = bl.begin(); - map crypto_map; - map::iterator miter; + map crypto_map; + map::iterator miter; try { ::decode(crypto_map, iter); } catch (buffer::error *err) { @@ -503,7 +503,7 @@ bool AuthMonitor::prepare_command(MMonCommand *m) string s = miter->first; entry.name.from_str(s); } - entry.secret = miter->second; + entry.auth = miter->second; ::encode(entry, inc.info); inc.op = AUTH_INC_ADD; pending_auth.push_back(inc); diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index af975baa4de2f..10853059290ac 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -783,8 +783,7 @@ bool Monitor::ms_get_authorizer(int dest_type, bufferlist& authorizer, bool forc name.entity_type = CEPHX_PRINCIPAL_MON; CryptoKey secret; - map caps; - if (!keys_server.get_secret(name, secret, caps)) { + if (!keys_server.get_secret(name, secret)) { dout(0) << "couldn't get secret for mon service!" << dendl; stringstream ss; keys_server.list_secrets(ss); diff --git a/src/vstart.sh b/src/vstart.sh index 777777ab0b233..b8818eaed04fe 100755 --- a/src/vstart.sh +++ b/src/vstart.sh @@ -15,6 +15,9 @@ nodaemon=0 MON_ADDR="" conf="ceph.conf" +admin_caps="admin.caps.conf" +osd_caps="osd.caps.conf" +mds_caps="mds.caps.conf" usage="usage: $0 [option]... [mon] [mds] [osd]\n" usage=$usage"options:\n" 
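Review bot: `prepare_command` decodes the `map<string, EntityAuth>` from `auth add` inside the try/catch, but the caps bufferlists inside each EntityAuth are stored opaquely — nothing checks that they decode as a string, which is what every consumer in this patch (KeysServer::list_secrets, AuthorizeServer::verify_authorizer) assumes. Validate each `miter->second.caps` entry here, e.g. decode it into a `string` inside the same try block and fail the command with -EINVAL on error, so a bad keyring cannot lodge an undecodable entry in the auth map. prepare_command starts and ends outside this hunk.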
@@ -220,8 +223,14 @@ EOF echo fi +cat < $admin_caps +; generated by vstart.sh on `date` + mon = "allow" + osd = "allow" + mds = "allow" +EOF $SUDO $CEPH_BIN/authtool --gen-key --name=mon. $monkeys_fn - $SUDO $CEPH_BIN/authtool --gen-key --name=client.admin $monkeys_fn + $SUDO $CEPH_BIN/authtool --gen-key --name=client.admin --caps=$admin_caps $monkeys_fn # build a fresh fs monmap, mon fs # $CEPH_BIN/monmaptool --create --clobber --print .ceph_monmap @@ -271,7 +280,12 @@ EOF echo $SUDO $CEPH_BIN/cosd -i $osd $ARGS --mkfs # --debug_journal 20 --debug_osd 20 --debug_filestore 20 --debug_ebofs 20 $SUDO $CEPH_BIN/cosd -i $osd $ARGS --mkfs # --debug_journal 20 --debug_osd 20 --debug_filestore 20 --debug_ebofs 20 key_fn=dev/osd$osd/osd$osd.keys.bin - $SUDO $CEPH_BIN/authtool --gen-key $key_fn + cat < $osd_caps +; generated by vstart.sh on `date` + mon = "allow" + osd = "allow" +EOF + $SUDO $CEPH_BIN/authtool --gen-key --name=osd.$osd --caps=$osd_caps $key_fn $SUDO $CEPH_ADM -i $key_fn auth add osd.$osd fi echo start osd$osd @@ -290,7 +304,13 @@ if [ "$start_mds" -eq 1 ]; then [mds.$name] keys file = $key_fn EOF - $SUDO $CEPH_BIN/authtool --gen-key $key_fn + cat < $osd_caps +; generated by vstart.sh on `date` + mon = "allow" + osd = "allow" + mds = "allow" +EOF + $SUDO $CEPH_BIN/authtool --gen-key --name=mds.$name --caps=$mds_caps $key_fn $SUDO $CEPH_ADM -i $key_fn auth add mds.$name fi -- 2.39.5
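Review bot: The mds block writes its caps file to `$osd_caps` on the `cat < $osd_caps` line but then passes `--caps=$mds_caps` to authtool, and `$mds_caps` is never created anywhere in the script, so authtool will fail to parse the caps file and exit before `auth add mds.$name` runs. The redirect target on that line should be `$mds_caps`; the `mds = "allow"` entry in the same heredoc and the correctly paired osd block above it suggest that was the intent. The generated caps files are written into the working directory and left behind; a `rm -f` at the end, or writing them under `dev/`, would keep them from leaking into later runs.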