From 4c2c3edc3b6bf15f4cbb4dfccdeff4dde293b12f Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Fri, 9 May 2025 14:52:52 -0400
Subject: [PATCH] auth: add API to invalidate all tickets

This will prompt the client to request new ones from the auth server.

Signed-off-by: Patrick Donnelly
---
 src/auth/AuthClientHandler.h | 2 ++
 src/auth/cephx/CephxClientHandler.cc | 5 +++++
 src/auth/cephx/CephxClientHandler.h | 2 ++
 src/auth/cephx/CephxProtocol.cc | 9 +++++++++
 src/auth/cephx/CephxProtocol.h | 1 +
 5 files changed, 19 insertions(+)

diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h
index aba21b4155a..0fc53c1fbd6 100644
--- a/src/auth/AuthClientHandler.h
+++ b/src/auth/AuthClientHandler.h
@@ -62,6 +62,8 @@ public:
 virtual bool need_tickets() = 0;
+ virtual void invalidate_all_tickets() {} // FIXME = 0
+
 virtual void set_global_id(uint64_t id) = 0;
 static AuthClientHandler* create(CephContext* cct, int proto, RotatingKeyRing* rkeys);
diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc
index 76ccca73580..9515cecc6d1 100644
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -331,3 +331,8 @@ bool CephxClientHandler::need_tickets()
 return _need_tickets();
 }
+
+void CephxClientHandler::invalidate_all_tickets()
+{
+ tickets.invalidate_all_tickets();
+}
diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h
index 601a5c69f4b..e9dd1107114 100644
--- a/src/auth/cephx/CephxClientHandler.h
+++ b/src/auth/cephx/CephxClientHandler.h
@@ -66,6 +66,8 @@ public:
 bool need_tickets() override;
+ void invalidate_all_tickets() override;
+
 void set_global_id(uint64_t id) override {
 global_id = id;
 tickets.global_id = id;
diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index 73d20b2ba93..cd7949342de 100644
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
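Review bot: The default body `{}` on `invalidate_all_tickets()` in src/auth/AuthClientHandler.h makes invalidation silently succeed for any handler that does not override it, so a caller that uses this to force re-authentication cannot tell that cached tickets were left in place. The `// FIXME = 0` suggests pure virtual is the intent; until then the contract should be documented on the declaration, e.g. `/// Mark every cached service ticket invalid so the next need_tickets() reports them; default is a no-op for handlers that hold no tickets.` The class body starts and ends outside this hunk and other subclasses are not visible here, so whether any of them holds tickets is unconfirmed.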
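Review bot: `CephxClientHandler::invalidate_all_tickets()` in src/auth/cephx/CephxClientHandler.cc only forwards to `tickets` and touches nothing else on the handler, so as far as this hunk shows, the renewal promised in the commit message happens only when a caller next runs `need_tickets()`. If this is called to retire tickets after a key change, the window until that follow-up check is worth documenting. A comment above the definition would make it explicit, e.g. `// Only marks tickets invalid; callers must re-check need_tickets() to trigger renewal.` Whether callers are expected to hold a lock around this call is not stated and cannot be judged from the hunk.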
@@ -291,6 +291,15 @@ void CephXTicketManager::invalidate_ticket(uint32_t service_id)
 iter->second.invalidate_ticket();
 }
+void CephXTicketManager::invalidate_all_tickets()
+{
+ ldout(cct, 10) << __func__ << dendl;
+ for ([[maybe_unused]] auto &[service_id, ticket] : tickets_map) {
+ ticket.invalidate_ticket();
+ }
+}
+
+
 /*
 * PRINCIPAL: verify our attempt to authenticate succeeded. fill out
 * this ServiceTicket with the result.
diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h
index 75341c8fd27..7c52faa1344 100644
--- a/src/auth/cephx/CephxProtocol.h
+++ b/src/auth/cephx/CephxProtocol.h
@@ -426,6 +426,7 @@ struct CephXTicketManager {
 void set_have_need_key(uint32_t service_id, uint32_t& have, uint32_t& need);
 void validate_tickets(uint32_t mask, uint32_t& have, uint32_t& need);
 void invalidate_ticket(uint32_t service_id);
+ void invalidate_all_tickets();
 private:
 CephContext *cct;
--
2.39.5
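Review bot: The debug line in `CephXTicketManager::invalidate_all_tickets()` (src/auth/cephx/CephxProtocol.cc) records only the function name, so a log reader cannot tell which service tickets were dropped or whether `tickets_map` was empty. Logging inside the loop, `ldout(cct, 10) << __func__ << " service_id " << service_id << dendl;`, gives an audit trail for forced re-authentication and lets the `[[maybe_unused]]` go. What the per-ticket `invalidate_ticket()` clears is not visible in this hunk; if it only flags the ticket as unusable, the old session key stays in memory until the ticket is replaced, which is worth stating in a comment. The two added blank lines before the `PRINCIPAL` comment could be one.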