From 343a0499558353a2a94dd6ffa0d85cffa3e88e39 Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Fri, 7 Mar 2025 13:20:58 -0500 Subject: [PATCH] auth: add a configurable to control rotating keys cipher type auth_service_cipher: a mon configurable that determines what type of cipher the rotating keys are using. The configurable can change at runtime. Note that the change does not invalidate existing keys, these would expire based on their ttl. Signed-off-by: Yehuda Sadeh (cherry picked from commit c37d1f44b64e0079c5c71232b6472a7841768d40) --- src/auth/cephx/CephxKeyServer.cc | 9 ++++++++- src/common/options/global.yaml.in | 27 +++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index 55df5c5d422..2a3e5364bf5 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -182,7 +182,14 @@ int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data) while (r.need_new_secrets(now)) { ExpiringCryptoKey ek; - generate_secret(ek.key); + auto s = cct->_conf.get_val("auth_service_cipher"); + + int key_type = CryptoManager::get_key_type(s); + if (key_type < 0 || key_type == CEPH_CRYPTO_NONE) { + key_type = CEPH_CRYPTO_AES256KRB5; + } + + generate_secret(ek.key, key_type); if (r.empty()) { ek.expiration = now; } else { diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in index ddbd12d1f5c..4f09f37ee87 100644 --- a/src/common/options/global.yaml.in +++ b/src/common/options/global.yaml.in @@ -2118,6 +2118,33 @@ options: Ceph services. Valid settings are ``cephx`` or ``none``. default: cephx with_legacy: true +- name: auth_service_cipher + type: str + level: advanced + desc: cipher type that is used to encrypt service tickets. + fmt_desc: When service tickets are being generaeted, this would + be the cipher that will be used to encrypt them. This requires + that all the services support the specific cipher. Valid settings + are ``aes` or ``aes256k``. + default: aes + services: + - mon + enum_values: + - aes + - aes256k + with_legacy: false + flags: + - runtime +- name: auth_cipher_allow + type: str + level: advanced + desc: cipher types that are allowed to be used for authentication + fmt_desc: This list of cipher types determines which ciphers are + allowed to be used for the clients and services to establish + a connection to the cluster via the cephx autentication protocol. + Valid options are ``aes` or ``aes256k``. + default: aes, aes256k + with_legacy: true # what clients require of daemons - name: auth_client_required type: str -- 2.39.5