From 6e13ad281ea9a309ade89cea612e8f2d4f1603aa Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Thu, 24 Sep 2009 16:12:09 -0700 Subject: [PATCH] auth: protocol fixes, keys tool changes, keys init --- src/auth/AuthClientHandler.h | 1 + src/auth/AuthServiceManager.cc | 12 ++------ src/auth/AuthServiceManager.h | 2 +- src/auth/KeyRing.cc | 17 ++++++++++-- src/authtool.cc | 49 +++++++++++++++++++++++++++++---- src/config.cc | 6 +++- src/config.h | 2 +- src/mkmonfs.cc | 14 +++++----- src/mon/AuthMonitor.cc | 50 +++++++++++++++++++++++++++++++--- src/mon/MonClient.cc | 2 ++ src/mon/Monitor.cc | 23 ++++++++++------ src/osd/OSD.cc | 6 ++-- src/vstart.sh | 12 +++++--- 13 files changed, 150 insertions(+), 46 deletions(-) diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h index a87d81baeb847..c9e2d0b4f17a0 100644 --- a/src/auth/AuthClientHandler.h +++ b/src/auth/AuthClientHandler.h @@ -163,6 +163,7 @@ public: AuthClientHandler() : lock("AuthClientHandler::lock"), client(NULL), timer(lock), max_proto_handlers(0) { } + void init(EntityName& n) { name = n; } void set_want_keys(__u32 keys) { Mutex::Locker l(lock); diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc index 76d524e63b224..c38a21e67af69 100644 --- a/src/auth/AuthServiceManager.cc +++ b/src/auth/AuthServiceManager.cc 
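Review bot: The new `init` in AuthClientHandler.h takes the entity name by non-const reference although it only copies it, which forces callers to hold a mutable lvalue (MonClient passes `*g_conf.entity_name`); `void init(const EntityName& n) { name = n; }` expresses the read-only intent. Unlike `set_want_keys` just below it, the assignment is not done under `lock`; if `name` can be read from another thread after `init`, take `Mutex::Locker l(lock);` first, otherwise a comment stating that `init` must run before the handler is shared would document the assumption.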
@@ -59,26 +59,18 @@ public: CephAuthService_X(Monitor *m) : AuthServiceHandler(m), state(0) {} ~CephAuthService_X() {} - int handle_request(bufferlist& bl, bufferlist& result_bl); + int handle_request(bufferlist::iterator& indata, bufferlist& result_bl); int handle_cephx_protocol(bufferlist::iterator& indata, bufferlist& result_bl); void build_cephx_response_header(int request_type, int status, bufferlist& bl); }; -int CephAuthService_X::handle_request(bufferlist& bl, bufferlist& result_bl) +int CephAuthService_X::handle_request(bufferlist::iterator& indata, bufferlist& result_bl) { int ret = 0; bool piggyback = false; - bufferlist::iterator indata = bl.begin(); dout(0) << "CephAuthService_X: handle request" << dendl; - if (state != 0) { - CephXPremable pre; - ::decode(pre, indata); - dout(0) << "CephXPremable id=" << pre.trans_id << dendl; - ::encode(pre, result_bl); - } - dout(0) << "state=" << state << dendl; switch(state) { diff --git a/src/auth/AuthServiceManager.h b/src/auth/AuthServiceManager.h index 1d12c1e67499f..5f1692bdd4586 100644 --- a/src/auth/AuthServiceManager.h +++ b/src/auth/AuthServiceManager.h @@ -28,7 +28,7 @@ public: AuthServiceHandler(Monitor *m) : mon(m) { } virtual ~AuthServiceHandler() { } - virtual int handle_request(bufferlist& bl, bufferlist& result) = 0; + virtual int handle_request(bufferlist::iterator& indata, bufferlist& result) = 0; }; class AuthServiceManager diff --git a/src/auth/KeyRing.cc b/src/auth/KeyRing.cc index aa22ba75bd6b2..aa40cf3ea3809 100644 --- a/src/auth/KeyRing.cc +++ b/src/auth/KeyRing.cc @@ -74,8 +74,21 @@ bool KeyRing::load_master(const char *filename) bufferlist::iterator iter = bl.begin(); - ::decode(master, iter); - + map m; + map::iterator miter; + + ::decode(m, iter); + + string name = g_conf.entity_name->to_str(); + + miter = m.find(name); + if (miter == m.end()) { + miter = m.find(""); + if (miter == m.end()) + return false; + } + master = miter->second; + return true; } 
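Review bot: In `KeyRing::load_master` the fallback from the entity-specific key to the unnamed (`""`) entry is silent, so a daemon whose name is missing from the file quietly authenticates with the shared default key instead of failing loudly; at minimum log which entry was selected, e.g. `dout(0) << "no key for " << name << ", using default key" << dendl;` before `master = miter->second;`. The `::decode(m, iter)` is also not guarded: the other decode sites in this patch (authtool.cc, AuthMonitor.cc) catch `buffer::error*`, so a truncated or foreign keys file here would propagate an exception out of `load_master` rather than returning `false`. The map's template arguments appear stripped in this rendering (`map m;`), so the element type is assumed to match the one authtool writes; `load_master` begins before this hunk.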
diff --git a/src/authtool.cc b/src/authtool.cc index 822f40a72d59b..36b37b1855db6 100644 --- a/src/authtool.cc +++ b/src/authtool.cc @@ -22,7 +22,7 @@ using namespace std; void usage() { - cout << " usage: [--gen-key] " << std::endl; + cout << " usage: [--gen-key] [--name] [--list] " << std::endl; exit(1); } @@ -38,10 +38,16 @@ int main(int argc, const char **argv) const char *fn = 0; bool gen_key = false; + bool list = false; + const char *name = ""; FOR_EACH_ARG(args) { if (CONF_ARG_EQ("gen-key", 'g')) { CONF_SAFE_SET_ARG_VAL(&gen_key, OPT_BOOL); + } else if (CONF_ARG_EQ("name", 'n')) { + CONF_SAFE_SET_ARG_VAL(&name, OPT_STR); + } else if (CONF_ARG_EQ("list", 'l')) { + CONF_SAFE_SET_ARG_VAL(&list, OPT_BOOL); } else if (!fn) { fn = args[i]; } else @@ -52,15 +58,48 @@ int main(int argc, const char **argv) usage(); } + map keys_map; + string s = name; + CryptoKey key; key.create(CEPH_SECRET_AES); bufferlist bl; - ::encode(key, bl); - int r = bl.write_file(fn); + int r = bl.read_file(fn); + if (r >= 0) { + try { + bufferlist::iterator iter = bl.begin(); + ::decode(keys_map, iter); + } catch (buffer::error *err) { + cerr << "error reading file " << fn << std::endl; + exit(1); + } + } + + if (gen_key) { + keys_map[s] = key; + } + + if (list) { + map::iterator iter = keys_map.begin(); + for (; iter != keys_map.end(); ++iter) { + string n = iter->first; + if (n.empty()) { + cout << "" << std::endl; + } else { + cout << n << std::endl; + } + } + } + + if (gen_key) { + bufferlist bl2; + ::encode(keys_map, bl2); + r = bl2.write_file(fn); - if (r < 0) { - cerr << "could not write " << fn << std::endl; + if (r < 0) { + cerr << "could not write " << fn << std::endl; + } } return 0; diff --git a/src/config.cc b/src/config.cc index b1450fb03fa69..7e965b22dd534 100644 --- a/src/config.cc +++ b/src/config.cc 
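Review bot: In the third authtool.cc hunk a fresh `CryptoKey` is created with `key.create(CEPH_SECRET_AES)` unconditionally, before `--gen-key` is checked, so `--list` alone still draws key material it discards; move `key.create` inside `if (gen_key)`. When `bl.read_file(fn)` fails for a reason other than a missing file (unreadable existing file), `keys_map` stays empty and `--gen-key` goes on to rewrite the file with only the new entry, which would drop any keys it could not read — consider distinguishing a missing file from a read error, e.g. `if (r < 0 && r != -ENOENT) { cerr << "could not read " << fn << std::endl; exit(1); }`. The `--list` branch prints `cout << "" << std::endl;` for the unnamed entry, which looks like a placeholder label lost in rendering (possibly an angle-bracketed word); confirm the intended text, since an empty line is indistinguishable from no entry. `main` starts before and ends after these hunks.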
@@ -339,7 +339,7 @@ static struct config_option config_optionsp[] = { OPTION(debug_monc, 0, OPT_INT, 1), OPTION(debug_paxos, 0, OPT_INT, 0), OPTION(debug_tp, 0, OPT_INT, 0), - OPTION(key_file, 'k', OPT_STR, "key.bin"), + OPTION(keys_file, 'k', OPT_STR, "keys.bin"), OPTION(clock_lock, 0, OPT_BOOL, false), OPTION(clock_tare, 0, OPT_BOOL, false), OPTION(ms_tcp_nodelay, 0, OPT_BOOL, true), @@ -941,6 +941,8 @@ void parse_startup_config_options(std::vector& args, bool isdaemon, g_conf.log_to_stdout = false; } else if (isdaemon && CONF_ARG_EQ("id", 'i')) { CONF_SAFE_SET_ARG_VAL(&g_conf.id, OPT_STR); + } else if (!isdaemon && CONF_ARG_EQ("id", 'I')) { + CONF_SAFE_SET_ARG_VAL(&g_conf.id, OPT_STR); } else { nargs.push_back(args[i]); } @@ -964,6 +966,8 @@ void parse_startup_config_options(std::vector& args, bool isdaemon, assert(g_conf.entity_name); g_conf.entity_name->from_type_id(g_conf.type, g_conf.id); + dout(0) << "entity name: " << g_conf.entity_name->to_str() << dendl; + if (cf) delete cf; diff --git a/src/config.h b/src/config.h index 5cfbedb00569b..393bd465d4d27 100644 --- a/src/config.h +++ b/src/config.h @@ -108,7 +108,7 @@ struct md_config_t { bool clock_tare; // auth - const char *key_file; + const char *keys_file; // messenger diff --git a/src/mkmonfs.cc b/src/mkmonfs.cc index 2b805471ed26a..e366125b5715c 100644 --- a/src/mkmonfs.cc +++ b/src/mkmonfs.cc @@ -12,6 +12,7 @@ * */ +#include "common/common_init.h" #include "mon/MonitorStore.cc" #include "config.h" @@ -33,11 +34,12 @@ int main(int argc, const char **argv) vector args; argv_to_vec(argc, argv, args); DEFINE_CONF_VARS(usage); + common_init(args, "mon", false); bool clobber = false; - const char *fsdir = 0; + const char *fsdir = g_conf.mon_data; int whoami = -1; - const char *monmapfn = 0; + const char *monmapfn = g_conf.monmap; const char *osdmapfn = 0; FOR_EACH_ARG(args) { 
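Review bot: The added `dout(0) << "entity name: " ...` in the third config.cc hunk prints unconditionally at level 0 on every process start, including every client tool that calls `parse_startup_config_options`; if it is meant for debugging the new keys flow, a higher level such as `dout(10)` keeps tool output clean. The new `-I`/`--id` branch for non-daemons mirrors the daemon `-i` case; a one-line comment explaining why the short flag differs between daemons and clients (presumably to avoid colliding with an existing `-i` in tools) would help the next reader.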
@@ -45,14 +47,12 @@ int main(int argc, const char **argv) CONF_SAFE_SET_ARG_VAL(&clobber, OPT_BOOL); } else if (CONF_ARG_EQ("mon", 'i')) { CONF_SAFE_SET_ARG_VAL(&whoami, OPT_INT); - } else if (CONF_ARG_EQ("monmap", '\0')) { - CONF_SAFE_SET_ARG_VAL(&monmapfn, OPT_STR); } else if (CONF_ARG_EQ("osdmap", '\0')) { CONF_SAFE_SET_ARG_VAL(&osdmapfn, OPT_STR); - } else if (CONF_ARG_EQ("mon_data", '\0')) { - CONF_SAFE_SET_ARG_VAL(&fsdir, OPT_STR); - } else + } else { + cerr << "2 " << args[i] << std::endl; usage(); + } } if (!fsdir || !monmapfn || whoami < 0) usage(); diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index c0295d479c6d4..5a4f3459a1a50 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -100,6 +100,42 @@ void AuthMonitor::create_initial(bufferlist& bl) ::encode(l, inc.info); inc.op = AUTH_INC_NOP; pending_auth.push_back(inc); + + if (g_conf.keys_file) { + map keys_map; + dout(0) << "reading initial keys file " << dendl; + bufferlist bl; + int r = bl.read_file(g_conf.keys_file); + if (r >= 0) { + bool read_ok = false; + try { + bufferlist::iterator iter = bl.begin(); + ::decode(keys_map, iter); + read_ok = true; + } catch (buffer::error *err) { + cerr << "error reading file " << g_conf.keys_file << std::endl; + } + if (read_ok) { + map::iterator iter = keys_map.begin(); + for (; iter != keys_map.end(); ++iter) { + string n = iter->first; + if (!n.empty()) { + dout(0) << "read key for entry: " << n << dendl; + AuthLibEntry entry; + if (!entry.name.from_str(n)) { + dout(0) << "bad entity name " << n << dendl; + continue; + } + entry.secret = iter->second; + ::encode(entry, inc.info); + inc.op = AUTH_INC_ADD; + pending_auth.push_back(inc); + } + } + } + + } + } } bool AuthMonitor::store_entry(AuthLibEntry& entry) 
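Review bot: The new `else` branch in mkmonfs.cc prints `cerr << "2 " << args[i] << std::endl;`, which reads like a debugging leftover; replace it with a real message such as `cerr << "unrecognized argument: " << args[i] << std::endl;` so users see why `usage()` follows. With `--monmap` and `--mon_data` no longer parsed here, the hunk relies on `common_init` having consumed them into `g_conf.monmap` / `g_conf.mon_data` (set as defaults in the previous hunk); if that is the intent, a comment at the removed branches saying so would prevent someone re-adding them.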
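Review bot: In `AuthMonitor::create_initial` the loop reuses the same `inc` whose `inc.info` already holds the encoded `l` from the preceding `AUTH_INC_NOP` push, and each iteration appends another `entry` to it, so every pushed `AuthLibInc` carries all previously encoded payloads unless the consumer only decodes the first object; add `inc.info.clear();` before `::encode(entry, inc.info);`. The inner `bufferlist bl;` also shadows the function's `bufferlist& bl` parameter, which compiles but is easy to misread — rename it, e.g. `bufferlist keys_bl;`. A decode failure is reported with `cerr` while the rest of the function uses `dout`, so the error would not reach the monitor log; `dout(0)` would be consistent.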
@@ -249,13 +285,20 @@ bool AuthMonitor::preprocess_auth(MAuth *m) Session *s = (Session *)m->get_connection()->get_priv(); s->put(); + bufferlist response_bl; + bufferlist::iterator indata = m->auth_payload.begin(); + + CephXPremable pre; + ::decode(pre, indata); + dout(0) << "CephXPremable id=" << pre.trans_id << dendl; + ::encode(pre, response_bl); + // set up handler? if (!s->auth_handler) { set<__u32> supported; - bufferlist::iterator p = m->auth_payload.begin(); try { - ::decode(supported, p); + ::decode(supported, indata); } catch (buffer::error *e) { dout(0) << "failed to decode message auth message" << dendl; ret = -EINVAL; @@ -268,11 +311,10 @@ bool AuthMonitor::preprocess_auth(MAuth *m) } } - bufferlist response_bl; if (s->auth_handler && !ret) { // handle the request try { - ret = s->auth_handler->handle_request(m->get_auth_payload(), response_bl); + ret = s->auth_handler->handle_request(indata, response_bl); } catch (buffer::error *err) { ret = -EINVAL; dout(0) << "caught error when trying to handle auth request, probably malformed request" << dendl; diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index 53030d39f3dc3..068485f340386 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -247,6 +247,8 @@ void MonClient::init() dout(10) << "init" << dendl; messenger->add_dispatcher_head(this); + auth.init(*g_conf.entity_name); + Mutex::Locker l(monc_lock); timer.add_event_after(10.0, new C_Tick(this)); } diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index e7d1f950946a3..dde0a8aeafc7b 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc 
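Review bot: In `preprocess_auth` the new `::decode(pre, indata);` runs outside any try block, while the `supported` decode just below and the `handle_request` call both catch `buffer::error*`; `auth_payload` comes from a not-yet-authenticated client, so a truncated message would throw through `ms_dispatch` instead of producing `-EINVAL`. Guard it the same way and only echo the preamble on success. `preprocess_auth` continues outside the hunk, so the handling of `ret` after this point is assumed to mirror the existing `-EINVAL` paths.
```cpp
  bufferlist response_bl;
  bufferlist::iterator indata = m->auth_payload.begin();

  CephXPremable pre;
  try {
    ::decode(pre, indata);
    dout(0) << "CephXPremable id=" << pre.trans_id << dendl;
    ::encode(pre, response_bl);
  } catch (buffer::error *e) {
    dout(0) << "failed to decode auth preamble" << dendl;
    ret = -EINVAL;
  }
  // … unchanged: handler setup and handle_request call …
```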
@@ -363,13 +363,18 @@ bool Monitor::ms_dispatch(Message *m) bool ret = true; lock.Lock(); - Session *s = (Session *)m->get_connection()->get_priv(); - if (!s) { - s = session_map.new_session(m->get_source_inst()); - m->get_connection()->set_priv(s->get()); - dout(10) << "ms_dispatch new session " << s << " for " << s->inst << dendl; - } else { - dout(20) << "ms_dispatch existing session " << s << " for " << s->inst << dendl; + Connection *connection = m->get_connection(); + Session *s = NULL; + + if (connection) { + s = (Session *)connection->get_priv(); + if (!s) { + s = session_map.new_session(m->get_source_inst()); + m->get_connection()->set_priv(s->get()); + dout(10) << "ms_dispatch new session " << s << " for " << s->inst << dendl; + } else { + dout(20) << "ms_dispatch existing session " << s << " for " << s->inst << dendl; + } } { @@ -484,7 +489,9 @@ bool Monitor::ms_dispatch(Message *m) ret = false; } } - s->put(); + if (s) { + s->put(); + } lock.Unlock(); return ret; diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc index 7b647891db358..ede276811cc97 100644 --- a/src/osd/OSD.cc +++ b/src/osd/OSD.cc @@ -432,10 +432,10 @@ int OSD::init() monc->set_keyring(&keyring); - if (keyring.load_master(g_conf.key_file)) { - dout(0) << "successfuly loaded secret key from " << g_conf.key_file << dendl; + if (keyring.load_master(g_conf.keys_file)) { + dout(0) << "successfuly loaded secret key from " << g_conf.keys_file << dendl; } else { - dout(0) << "failed to load secret key" << g_conf.key_file << dendl; + dout(0) << "failed to load secret key from" << g_conf.keys_file << dendl; } monc->set_entity_name(ename); diff --git a/src/vstart.sh b/src/vstart.sh index a38194e21af63..933a072acafd5 100755 --- a/src/vstart.sh +++ b/src/vstart.sh @@ -217,6 +217,8 @@ EOF echo fi + $SUDO $CEPH_BIN/authtool --gen-key --name=client.admin monkeys.bin + # build a fresh fs monmap, mon fs # $CEPH_BIN/monmaptool --create --clobber --print .ceph_monmap str="$CEPH_BIN/monmaptool --create --clobber" 
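Review bot: `Monitor::ms_dispatch` now leaves `s` as NULL when `m->get_connection()` is NULL, and the second hunk guards only the final `s->put()`; the body between the two hunks is not visible here, so any dereference of `s` in that stretch (session checks, `s->inst` in log lines) would now crash on a connection-less message and needs the same `if (s)` guard. Inside the new block `m->get_connection()->set_priv(s->get());` re-fetches the connection that was just stored in `connection`; `connection->set_priv(s->get());` is both shorter and avoids a second call. A comment on when a message can arrive without a connection would document the new assumption.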
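Review bot: The rewritten failure message in OSD.cc is missing the space before the path, so it logs as `failed to load secret key fromdev/osd0/keys.bin`; change it to `dout(0) << "failed to load secret key from " << g_conf.keys_file << dendl;`. While touching these lines, `successfuly` in the success message could be corrected to `successfully`.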
@@ -227,6 +229,7 @@ EOF [mon$f] mon data = "dev/mon$f" mon addr = $IP:$(($CEPH_PORT+$f)) + keys file = dev/mon$f/monkeys.bin EOF done str=$str" --print .ceph_monmap" @@ -236,7 +239,8 @@ EOF for f in `seq 0 $((CEPH_NUM_MON-1))` do echo $CEPH_BIN/mkmonfs --clobber --mon-data dev/mon$f -i $f --monmap .ceph_monmap --osdmap .ceph_osdmap - $CEPH_BIN/mkmonfs --clobber --mon-data dev/mon$f -i $f --monmap .ceph_monmap --osdmap .ceph_osdmap + cp monkeys.bin dev/mon$f/ + $CEPH_BIN/mkmonfs -c $conf --clobber --mon-data dev/mon$f -i $f --monmap .ceph_monmap --osdmap .ceph_osdmap done fi @@ -259,13 +263,13 @@ if [ "$start_osd" -eq 1 ]; then osd data = dev/osd$osd osd journal = dev/osd$osd/journal osd journal size = 100 - key file = dev/osd$osd/key.bin + keys file = dev/osd$osd/keys.bin EOF echo mkfs osd$osd echo $SUDO $CEPH_BIN/cosd -i $osd $ARGS --mkfs # --debug_journal 20 --debug_osd 20 --debug_filestore 20 --debug_ebofs 20 $SUDO $CEPH_BIN/cosd -i $osd $ARGS --mkfs # --debug_journal 20 --debug_osd 20 --debug_filestore 20 --debug_ebofs 20 - $SUDO $CEPH_BIN/authtool --gen-key dev/osd$osd/key.bin - $SUDO $CEPH_BIN/ceph -i dev/osd$osd/key.bin auth add osd.$osd + $SUDO $CEPH_BIN/authtool --gen-key dev/osd$osd/keys.bin + $SUDO $CEPH_BIN/ceph -i dev/osd$osd/keys.bin auth add osd.$osd fi echo start osd$osd run 'osd' $SUDO $CEPH_BIN/cosd -i $osd $ARGS $COSD_ARGS -- 2.39.5
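Review bot: The third vstart.sh hunk copies `monkeys.bin`, which holds the client.admin secret, into each `dev/mon$f/` with `cp` and leaves the original in the working directory, so both copies get whatever mode the umask produced and the stray copy persists after the run; `install -m 600 monkeys.bin dev/mon$f/` (and removing the working-directory copy at the end) keeps the admin key from being world-readable. The first hunk runs `authtool --gen-key --name=client.admin monkeys.bin` on every invocation, which, given authtool's read-then-merge behaviour, overwrites the client.admin entry of any file left from a previous run; since the script is rebuilding the cluster from scratch anyway, deleting `monkeys.bin` first would make that explicit. Whether `--name=client.admin` (with `=`) is accepted by the `CONF_ARG_EQ` parser is not visible in this patch and is worth confirming.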