From 5b9139bd366d029871d29ca90971c5ad058fcf01 Mon Sep 17 00:00:00 2001
From: Jiffin Tony Thottan
Date: Mon, 22 Feb 2021 15:16:10 +0530
Subject: [PATCH] rgw: add support for client cert and key for vault

Authenticate vault with help of user supplied client cert and keys.

Signed-off-by: Jiffin Tony Thottan
---
 src/common/options/rgw.yaml.in | 14 ++++++++++++++
 src/rgw/rgw_http_client.cc     | 18 +++++++++++++++---
 src/rgw/rgw_http_client.h      | 12 ++++++++++++
 src/rgw/rgw_kms.cc             |  7 +++++++
 4 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index 847e0fdacef97..6f7f769d5790b 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -2393,6 +2393,20 @@ options:
   services:
   - rgw
   with_legacy: true
+- name: rgw_crypt_vault_ssl_clientcert
+  type: str
+  level: advanced
+  desc: Path for custom client certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
+- name: rgw_crypt_vault_ssl_clientkey
+  type: str
+  level: advanced
+  desc: Path for private key required for client cert
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc
index dacf9fecadba6..059a2091bbde1 100644
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
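Review bot: The `desc` of rgw_crypt_vault_ssl_clientkey does not say that the key is only used when rgw_crypt_vault_ssl_clientcert is also set, nor that the file holds a private key and should be readable only by the rgw process; the cert option's `desc` likewise omits that a key is required. Suggest `desc: Path for the private key matching rgw_crypt_vault_ssl_clientcert (both options must be set; keep the key file readable only by the rgw user)` and appending `; requires rgw_crypt_vault_ssl_clientkey` to the cert option's desc. The src/rgw/rgw_http_client.cc hunk logs and skips client authentication when the key is absent, so the pairing requirement is worth stating where operators read the option.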
@@ -614,9 +614,21 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
-  } else if (!ca_path.empty()) {
-    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
-    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+  } else {
+    if (!ca_path.empty()) {
+      curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+      dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+    }
+    if (!client_cert.empty()) {
+      if (!client_key.empty()) {
+        curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
+        curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
+        dout(20) << "using custom client cert " << client_cert.c_str()
+                 << " and private key " << client_key.c_str() << dendl;
+      } else {
+        dout(5) << "private key is missing for client certificate" << dendl;
+      }
+    }
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h
index 5782be6da5cc9..355e4181df93b 100644
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@@ -42,6 +42,10 @@ class RGWHTTPClient : public RGWIOProvider,
   string ca_path;
+  string client_cert;
+
+  string client_key;
+
   std::atomic stopped { 0 };
@@ -178,6 +182,14 @@ public:
   void set_ca_path(const string& _ca_path) {
     ca_path = _ca_path;
   }
+
+  void set_client_cert(const string& _client_cert) {
+    client_cert = _client_cert;
+  }
+
+  void set_client_key(const string& _client_key) {
+    client_key = _client_key;
+  }
 };
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index 687adb7700b8d..dcdcf875115db 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
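Review bot: The client certificate is only applied inside the new `else` branch, i.e. when server verification is enabled, so a deployment running with verification off (the branch above the removed `else if`, which sets CURLOPT_SSL_VERIFYPEER/VERIFYHOST to 0) silently loses client-certificate authentication to Vault even though client auth is independent of server-cert checking. Move the whole `if (!client_cert.empty()) { ... }` block out of the `else` so it follows the closing brace of the verify-on/verify-off `if`, leaving only the CURLOPT_CAINFO handling in the `else`. The cert-without-key case also continues with a level-5 log and no client cert, which surfaces later as a Vault authentication failure instead of a configuration error; if callers treat a negative return as failure, `return -EINVAL;` after that `dout(5)` (init_request returns int) would report the misconfiguration at request setup. The condition of the enclosing `if` and the start of init_request are outside the hunk.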
@@ -258,6 +258,13 @@ protected:
       secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
     }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientcert.empty()) {
+      secret_req.set_client_cert(cct->_conf->rgw_crypt_vault_ssl_clientcert);
+    }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) {
+      secret_req.set_client_key(cct->_conf->rgw_crypt_vault_ssl_clientkey);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
-- 
2.39.5
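Review bot: A configured rgw_crypt_vault_ssl_clientkey without rgw_crypt_vault_ssl_clientcert is accepted here but never used and never reported, since RGWHTTPClient::init_request (src/rgw/rgw_http_client.cc hunk) only reads client_key when client_cert is non-empty and has no log for the key-only case, so an operator who mistypes the cert option gets no diagnostic. Suggest validating the pair once ahead of the two setters, e.g. `if (cct->_conf->rgw_crypt_vault_ssl_clientcert.empty() != cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) { ldout(cct, 0) << "ERROR: rgw_crypt_vault_ssl_clientcert and rgw_crypt_vault_ssl_clientkey must be set together" << dendl; }`, matching the `ERROR:` logging style at the end of the hunk. The enclosing function starts before and ends after this hunk.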