From 3d1c0797d196bbec005af5fc73a7f673ad57ab70 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Thu, 11 Feb 2010 09:24:42 -0800
Subject: [PATCH] cephx: use 'next' key for ticketes when 'current' is expired

When generating tickets for clients, use next key if the current is expired. That ensures they will renew before their ticket times out.
---
 src/auth/cephx/CephxKeyServer.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index b268f87c2153f..933168c4fc135 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -33,11 +33,14 @@ bool KeyServerData::get_service_secret(uint32_t service_id, ExpiringCryptoKey& s
 RotatingSecrets& secrets = iter->second;
- // second to oldest
+ // second to oldest, unless it's expired
 map::iterator riter = secrets.secrets.begin();
 if (secrets.secrets.size() > 1)
 ++riter;
+ if (riter->second.expiration < g_clock.now())
+ ++riter; // "current" key has expired, use "next" key instead
+
 secret_id = riter->first;
 secret = riter->second;
 dout(10) << "get_service_secret service " << ceph_entity_type_name(service_id)
-- 
2.39.5
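Review bot: The added `++riter` is never compared with `secrets.secrets.end()`, so the `secret_id = riter->first;` and `secret = riter->second;` assignments that follow can dereference the end iterator. That happens when the map holds a single key that has expired, or two keys of which the second has expired; with an empty map the new `riter->second.expiration` read is itself already past the end. In the routine that hands out service secrets for tickets, this is undefined behaviour where a clean refusal is wanted. I would brace the advance and follow it with `if (riter == secrets.secrets.end()) return false;` (or whatever failure path the function already uses), and check for an empty map before the expiration test; the body of get_service_secret begins and ends outside this hunk, so a size guarantee may exist there, but nothing visible enforces it.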