From 7761ad97e620a06abbc3f786ea2a1d5c5d0f2a36 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Thu, 4 Feb 2010 10:45:42 -0800
Subject: [PATCH] cephx: separate KeyRing and RotatingKeyRing

KeyRing stores keys (on disk). RotatingKeyRing mediates access to the in-memory pool of rotating secrets for a single service.
---
src/Makefile.am | 2 +
src/auth/Auth.h | 24 ++++--
src/auth/AuthAuthorizeHandler.h | 6 +-
src/auth/AuthClientHandler.cc | 6 +-
src/auth/AuthClientHandler.h | 3 +-
src/auth/KeyRing.cc | 74 -----------------------
src/auth/KeyRing.h | 22 ++-----
src/auth/RotatingKeyRing.cc | 54 +++++++++++++++++
src/auth/RotatingKeyRing.h | 40 ++++++++++++
src/auth/cephx/CephxAuthorizeHandler.cc | 5 +-
src/auth/cephx/CephxAuthorizeHandler.h | 3 +-
src/auth/cephx/CephxClientHandler.cc | 16 ++---
src/auth/cephx/CephxClientHandler.h | 6 +-
src/auth/cephx/CephxKeyServer.cc | 10 ---
src/auth/cephx/CephxProtocol.cc | 25 ++++----
src/auth/cephx/CephxProtocol.h | 8 ++-
src/auth/cephx/CephxServiceHandler.cc | 4 +-
src/auth/none/AuthNoneAuthorizeHandler.cc | 5 +-
src/auth/none/AuthNoneAuthorizeHandler.h | 3 +-
src/auth/none/AuthNoneClientHandler.h | 2 +-
src/cmds.cc | 3 +-
src/cosd.cc | 3 +-
src/mds/MDS.cc | 4 +-
src/mon/MonClient.cc | 12 +++-
src/mon/MonClient.h | 23 ++++---
src/mon/Monitor.cc | 2 +-
src/osd/OSD.cc | 3 +-
27 files changed, 208 insertions(+), 160 deletions(-)
create mode 100644 src/auth/RotatingKeyRing.cc
create mode 100644 src/auth/RotatingKeyRing.h
diff --git a/src/Makefile.am b/src/Makefile.am
index e3eba743d85f0..c32220e1b68f9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -309,6 +309,7 @@ libcommon_files = \
 auth/Crypto.cc \
 auth/ExportControl.cc \
 auth/KeyRing.cc \
+ auth/RotatingKeyRing.cc \
 common/LogClient.cc \
 msg/Message.cc \
 common/BackTrace.cc \
@@ -432,6 +433,7 @@ noinst_HEADERS = \
 auth/AuthServiceHandler.h\
 auth/AuthAuthorizeHandler.h\
 auth/KeyRing.h\
+ auth/RotatingKeyRing.h\
 auth/Crypto.h\
 auth/ExportControl.h\
 ceph_ver.h \
diff --git a/src/auth/Auth.h b/src/auth/Auth.h index 5946e0e46899e..d005e5261680d 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -234,12 +234,17 @@ struct ExpiringCryptoKey { }; WRITE_CLASS_ENCODER(ExpiringCryptoKey); +static inline ostream& operator<<(ostream& out, const ExpiringCryptoKey& c) +{ + return out << c.key << " expires " << c.expiration; +} + struct RotatingSecrets { map secrets; version_t max_ver; - + RotatingSecrets() : max_ver(0) {} - + void encode(bufferlist& bl) const { __u8 struct_v = 1; ::encode(struct_v, bl); @@ -252,19 +257,28 @@ struct RotatingSecrets { ::decode(secrets, bl); ::decode(max_ver, bl); } + + void add(ExpiringCryptoKey& key) { + secrets[++max_ver] = key; + while (secrets.size() > KEY_ROTATE_NUM) + secrets.erase(secrets.begin()); + } + + bool need_new_secrets() { + return secrets.size() < KEY_ROTATE_NUM; + } - void add(ExpiringCryptoKey& key); + void dump(); }; WRITE_CLASS_ENCODER(RotatingSecrets); - class KeyStore { public: virtual ~KeyStore() {} virtual bool get_secret(EntityName& name, CryptoKey& secret) = 0; - virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) = 0; + //virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) = 0; }; static inline bool auth_principal_needs_rotating_keys(EntityName& name) diff --git a/src/auth/AuthAuthorizeHandler.h b/src/auth/AuthAuthorizeHandler.h index 037a400d34fe6..f7479c984d881 100644 --- a/src/auth/AuthAuthorizeHandler.h +++ b/src/auth/AuthAuthorizeHandler.h 
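Review bot: `RotatingSecrets::need_new_secrets()` in the second hunk only tests `secrets.size() < KEY_ROTATE_NUM`, while the `KeyRing::need_rotating_secrets()` it replaces (removed in the KeyRing.cc hunk) also returned true when the oldest key's `expiration` was before `g_clock.now()`. Once the pool holds KEY_ROTATE_NUM entries, a service whose secrets have all expired will never request fresh ones: `MonClient::_check_auth_rotating` returns 0 and `RotatingKeyRing::get_service_secret` keeps failing with "expired!". Since `g_clock` is not visibly in scope in Auth.h, the cleanest place to restore the check is `RotatingKeyRing::need_new_secrets()` in RotatingKeyRing.cc, under its lock: `return secrets.need_new_secrets() || (!secrets.secrets.empty() && secrets.secrets.begin()->second.expiration < g_clock.now());`. Also, `void dump();` is declared on RotatingSecrets but no definition appears anywhere in this patch; if none exists elsewhere it is a dangling declaration.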
@@ -19,9 +19,13 @@ #include "config.h" #include "Auth.h" +class KeyRing; +class RotatingKeyRing; + struct AuthAuthorizeHandler { virtual ~AuthAuthorizeHandler() {} - virtual bool verify_authorizer(bufferlist& authorizer_data, bufferlist& authorizer_reply, + virtual bool verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys, + bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info) = 0; }; diff --git a/src/auth/AuthClientHandler.cc b/src/auth/AuthClientHandler.cc index c7cf1acdbb887..5c11a2d01e45c 100644 --- a/src/auth/AuthClientHandler.cc +++ b/src/auth/AuthClientHandler.cc @@ -24,13 +24,13 @@ #include "cephx/CephxClientHandler.h" #include "none/AuthNoneClientHandler.h" -AuthClientHandler *get_auth_client_handler(int proto) +AuthClientHandler *get_auth_client_handler(int proto, RotatingKeyRing *rkeys) { switch (proto) { case CEPH_AUTH_CEPHX: - return new CephxClientHandler(); + return new CephxClientHandler(rkeys); case CEPH_AUTH_NONE: - return new AuthNoneClientHandler(); + return new AuthNoneClientHandler(rkeys); default: return NULL; } diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h index 1f3238ce45114..a7f0e1a1e8587 100644 --- a/src/auth/AuthClientHandler.h +++ b/src/auth/AuthClientHandler.h @@ -25,6 +25,7 @@ class MAuthReply; class AuthClientHandler; +class RotatingKeyRing; class AuthClientHandler { protected: @@ -78,7 +79,7 @@ public: }; -extern AuthClientHandler *get_auth_client_handler(int proto); +extern AuthClientHandler *get_auth_client_handler(int proto, RotatingKeyRing *rkeys); #endif diff --git a/src/auth/KeyRing.cc b/src/auth/KeyRing.cc index 6bf21551d3ad1..4468ff58ee6f5 100644 --- a/src/auth/KeyRing.cc +++ b/src/auth/KeyRing.cc 
@@ -96,78 +96,4 @@ void KeyRing::import(KeyRing& other) } } -// ---------------- -// rotating crap - -void KeyRing::set_rotating(RotatingSecrets& secrets) -{ - Mutex::Locker l(lock); - - rotating_secrets = secrets; - - dout(0) << "KeyRing::set_rotating max_ver=" << secrets.max_ver << dendl; - - map::iterator iter = secrets.secrets.begin(); - - for (; iter != secrets.secrets.end(); ++iter) { - ExpiringCryptoKey& key = iter->second; - - dout(0) << "id: " << iter->first << dendl; - dout(0) << "key.expiration: " << key.expiration << dendl; - bufferptr& bp = key.key.get_secret(); - bufferlist bl; - bl.append(bp); - hexdump(" key", bl.c_str(), bl.length()); - } -} - -bool KeyRing::need_rotating_secrets() -{ - Mutex::Locker l(lock); - - if (rotating_secrets.secrets.size() < KEY_ROTATE_NUM) - return true; - - map::iterator iter = rotating_secrets.secrets.lower_bound(0); - ExpiringCryptoKey& key = iter->second; - if (key.expiration < g_clock.now()) { - dout(0) << "key.expiration=" << key.expiration << " now=" << g_clock.now() << dendl; - return true; - } - - return false; -} - - -void KeyRing::dump_rotating() -{ - dout(0) << "dump_rotating:" << dendl; - for (map::iterator iter = rotating_secrets.secrets.begin(); - iter != rotating_secrets.secrets.end(); - ++iter) - dout(0) << " id " << iter->first << " " << iter->second.key - << " expires " << iter->second.expiration << dendl; -} - -bool KeyRing::get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) -{ - Mutex::Locker l(lock); - - /* we ignore the service id, there's only one service id that we're handling */ - map::iterator iter = rotating_secrets.secrets.find(secret_id); - if (iter == rotating_secrets.secrets.end()) { - dout(0) << "could not find secret_id=" << secret_id << dendl; - dump_rotating(); - return false; - } - - ExpiringCryptoKey& key = iter->second; - if (key.expiration > g_clock.now()) { - secret = key.key; - return true; - } - dout(0) << "secret expired!" 
<< dendl; - return false; -} - diff --git a/src/auth/KeyRing.h b/src/auth/KeyRing.h index a95a18ecd09b9..fee6471a2aa62 100644 --- a/src/auth/KeyRing.h +++ b/src/auth/KeyRing.h @@ -20,23 +20,16 @@ #include "auth/Crypto.h" #include "auth/Auth.h" -/* - KeyRing is being used at the service side, for holding the temporary rotating - key of that service -*/ - class KeyRing : public KeyStore { map keys; - RotatingSecrets rotating_secrets; - Mutex lock; -public: - KeyRing() : lock("KeyRing") {} +public: map& get_keys() { return keys; } // yuck bool load(const char *filename); void print(ostream& out); + // accessors bool get_auth(EntityName& name, EntityAuth &a) { string n = name.to_str(); if (keys.count(n)) { @@ -57,7 +50,7 @@ public: get_secret(*g_conf.entity_name, dest); } - // + // modifiers void add(EntityName& name, EntityAuth &a) { string s = name.to_str(); keys[s] = a; @@ -68,12 +61,7 @@ public: } void import(KeyRing& other); - // weirdness - void dump_rotating(); - void set_rotating(RotatingSecrets& secrets); - bool need_rotating_secrets(); - bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret); - + // encoders void encode(bufferlist& bl) const { __u8 struct_v = 1; ::encode(struct_v, bl); @@ -89,6 +77,4 @@ WRITE_CLASS_ENCODER(KeyRing) extern KeyRing g_keyring; - - #endif diff --git a/src/auth/RotatingKeyRing.cc b/src/auth/RotatingKeyRing.cc new file mode 100644 index 0000000000000..394ae5f990b90 --- /dev/null +++ b/src/auth/RotatingKeyRing.cc 
@@ -0,0 +1,54 @@
+#include
+#include
+
+#include "config.h"
+#include "include/str_list.h"
+
+#include "Crypto.h"
+#include "auth/RotatingKeyRing.h"
+
+#define DOUT_SUBSYS auth
+#undef dout_prefix
+#define dout_prefix *_dout << dbeginl << "auth: "
+
+
+bool RotatingKeyRing::need_new_secrets()
+{
+ Mutex::Locker l(lock);
+ return secrets.need_new_secrets();
+}
+
+void RotatingKeyRing::set_secrets(RotatingSecrets& s)
+{
+ Mutex::Locker l(lock);
+ secrets = s;
+}
+
+void RotatingKeyRing::dump_rotating()
+{
+ dout(0) << "dump_rotating:" << dendl;
+ for (map::iterator iter = secrets.secrets.begin();
+ iter != secrets.secrets.end();
+ ++iter)
+ dout(0) << " id " << iter->first << " " << iter->second << dendl;
+}
+
+bool RotatingKeyRing::get_service_secret(uint64_t secret_id, CryptoKey& secret)
+{
+ Mutex::Locker l(lock);
+
+ map::iterator iter = secrets.secrets.find(secret_id);
+ if (iter == secrets.secrets.end()) {
+ dout(0) << "could not find secret_id=" << secret_id << dendl;
+ dump_rotating();
+ return false;
+ }
+
+ ExpiringCryptoKey& key = iter->second;
+ if (key.expiration > g_clock.now()) {
+ secret = key.key;
+ return true;
+ }
+ dout(0) << "secret " << key << " expired!" << dendl;
+ return false;
+}
diff --git a/src/auth/RotatingKeyRing.h b/src/auth/RotatingKeyRing.h
new file mode 100644
index 0000000000000..f0482acbdc0a2
--- /dev/null
+++ b/src/auth/RotatingKeyRing.h
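Review bot: `dump_rotating()` walks `secrets.secrets` without taking `lock`, yet it is public and is also called from `get_service_secret()` while the lock is held, so it can neither be called safely from outside nor simply acquire the lock itself (that would self-deadlock unless `Mutex` is recursive, which this patch does not show). Suggest a private `_dump_rotating()` with the comment `// caller must hold lock` used from `get_service_secret`, and a public `dump_rotating()` that takes `Mutex::Locker l(lock)` and forwards to it, with the private declaration added in RotatingKeyRing.h. Two logging points deserve a check as well: both the dump and the `"secret " << key << " expired!"` line stream an `ExpiringCryptoKey` at level 0 through the new `operator<<` in Auth.h, which prints `c.key` — whether that emits the secret bytes depends on `CryptoKey`'s `operator<<`, which is not in the patch, and the patch otherwise removes the explicit hexdump of key material from the old `set_rotating`. The "could not find secret_id" path is reached from `cephx_verify_authorizer` with a `secret_id` taken from peer-supplied authorizer data, so every bad id dumps the whole pool at level 0; a higher debug level for the dump would keep the log readable.
```cpp
// caller must hold lock
void RotatingKeyRing::_dump_rotating()
{
  dout(0) << "dump_rotating:" << dendl;
  // … unchanged: loop over secrets.secrets …
}

void RotatingKeyRing::dump_rotating()
{
  Mutex::Locker l(lock);
  _dump_rotating();
}
```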
@@ -0,0 +1,40 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2004-2009 Sage Weil
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1, as published by the Free Software
+ * Foundation. See file COPYING.
+ *
+ */
+
+#ifndef __ROTATINGKEYRING_H
+#define __ROTATINGKEYRING_H
+
+#include "config.h"
+
+#include "auth/Crypto.h"
+#include "auth/Auth.h"
+
+/*
+ * mediate access to a service's rotating secrets
+ */
+
+class RotatingKeyRing {
+ RotatingSecrets secrets;
+ Mutex lock;
+
+public:
+ RotatingKeyRing() : lock("RotatingKeyRing::lock") {}
+
+ bool need_new_secrets();
+ void set_secrets(RotatingSecrets& s);
+ void dump_rotating();
+ bool get_service_secret(uint64_t secret_id, CryptoKey& secret);
+};
+
+#endif
diff --git a/src/auth/cephx/CephxAuthorizeHandler.cc b/src/auth/cephx/CephxAuthorizeHandler.cc
index ab4da210993d4..385173168db9b 100644
--- a/src/auth/cephx/CephxAuthorizeHandler.cc
+++ b/src/auth/cephx/CephxAuthorizeHandler.cc
@@ -5,7 +5,8 @@
#include "CephxAuthorizeHandler.h" -bool CephxAuthorizeHandler::verify_authorizer(bufferlist& authorizer_data, bufferlist& authorizer_reply, +bool CephxAuthorizeHandler::verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys, + bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info) { bufferlist::iterator iter = authorizer_data.begin();
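Review bot: The header gives no contract for `lock` or for who owns a `RotatingKeyRing`, although the object is passed around by raw pointer (`MonClient`, the client handlers, `verify_authorizer`) and `dump_rotating()` is the one method that does not take the lock. Suggest doc comments on the class, `// owned by the process main(); MonClient and auth handlers hold non-owning pointers and accept NULL when there are no rotating keys`, and on `dump_rotating()`, `// does not take lock; caller must hold it`. `set_secrets` only copies its argument, so `const RotatingSecrets& s` states that. Since the class embeds a `Mutex`, it is also worth declaring the copy constructor and assignment private (or confirming that `Mutex` already makes them unusable) so a `RotatingKeyRing` is never copied by accident.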
@@ -17,7 +18,7 @@ bool CephxAuthorizeHandler::verify_authorizer(bufferlist& authorizer_data, buffe CephXServiceTicketInfo auth_ticket_info; - bool isvalid = cephx_verify_authorizer(g_keyring, iter, auth_ticket_info, authorizer_reply); + bool isvalid = cephx_verify_authorizer(keys, rkeys, iter, auth_ticket_info, authorizer_reply); dout(0) << "CephxAuthorizeHandler::verify_authorizer isvalid=" << isvalid << dendl; if (isvalid) { diff --git a/src/auth/cephx/CephxAuthorizeHandler.h b/src/auth/cephx/CephxAuthorizeHandler.h index 0cb755b5586ae..84672312ab24c 100644 --- a/src/auth/cephx/CephxAuthorizeHandler.h +++ b/src/auth/cephx/CephxAuthorizeHandler.h @@ -18,7 +18,8 @@ #include "../AuthAuthorizeHandler.h" struct CephxAuthorizeHandler : public AuthAuthorizeHandler { - bool verify_authorizer(bufferlist& authorizer_data, bufferlist& authorizer_reply, + bool verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys, + bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info); }; diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index 11b4d97278c19..72f3e4e5a684a 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc 
@@ -143,13 +143,15 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) case CEPHX_GET_ROTATING_KEY: { dout(10) << " get_rotating_key" << dendl; - RotatingSecrets secrets; - CryptoKey secret_key; - g_keyring.get_master(secret_key); - if (decode_decrypt(secrets, secret_key, indata) == 0) { - g_keyring.set_rotating(secrets); - } else { - derr(0) << "could not set rotating key: decode_decrypt failed" << dendl; + if (rotating_secrets) { + RotatingSecrets secrets; + CryptoKey secret_key; + g_keyring.get_master(secret_key); + if (decode_decrypt(secrets, secret_key, indata) == 0) { + rotating_secrets->set_secrets(secrets); + } else { + derr(0) << "could not set rotating key: decode_decrypt failed" << dendl; + } } } break; diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h index 7d8c7888b572b..8234a851e8073 100644 --- a/src/auth/cephx/CephxClientHandler.h +++ b/src/auth/cephx/CephxClientHandler.h @@ -26,9 +26,13 @@ class CephxClientHandler : public AuthClientHandler { CephXAuthorizer *authorizer; CephXTicketManager tickets; + + RotatingKeyRing *rotating_secrets; public: - CephxClientHandler() : authorizer(0) { + CephxClientHandler(RotatingKeyRing *rsecrets) : + authorizer(0), + rotating_secrets(rsecrets) { reset(); } diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index 5c6ea16f5a64b..db9fdcc117d4d 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -20,16 +20,6 @@ #include -void RotatingSecrets::add(ExpiringCryptoKey& key) -{ - secrets[++max_ver] = key; - - while (secrets.size() > KEY_ROTATE_NUM) { - map::iterator iter = secrets.lower_bound(0); - secrets.erase(iter); - } -} - bool KeyServerData::get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret, uint64_t& secret_id) { map::iterator iter = rotating_secrets.find(service_id); 
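Review bot: In `handle_response`, when `rotating_secrets` is NULL the CEPHX_GET_ROTATING_KEY reply is dropped without any message — the `dout(10) << " get_rotating_key"` above the branch gives no hint that nothing was applied. Suggest an `else` arm: `} else { dout(10) << " no rotating keyring, ignoring rotating key reply" << dendl; }`. The handler also still reads the master key from the global `g_keyring` although the rotating ring is now injected, which seems a natural follow-up to inject as well. The new single-argument constructors `CephxClientHandler(RotatingKeyRing *rsecrets)` here, `AuthNoneClientHandler(RotatingKeyRing *rkeys)` and `MonClient(RotatingKeyRing *rkeys=0)` in the later hunks would be better `explicit`, and the unused parameter in `AuthNoneClientHandler` can be left unnamed to avoid a warning. `handle_response` begins and ends outside this hunk.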
diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index 088ed7fe3bc20..4671f07f670b8 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc @@ -303,7 +303,7 @@ void CephXTicketManager::validate_tickets(uint32_t mask, uint32_t& have, uint32_ } } -bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info) +bool cephx_decode_ticket(KeyStore *keys, RotatingKeyRing *rkeys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info) { uint64_t secret_id = ticket_blob.secret_id; CryptoKey service_secret; @@ -312,14 +312,16 @@ bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& t return false; } - if (secret_id == (uint64_t)-1) { - if (!keys.get_secret(*g_conf.entity_name, service_secret)) { - dout(0) << "ceph_decode_ticket could not get general service secret for service_id=" << service_id << " secret_id=" << secret_id << dendl; + if (secret_id == (uint64_t)-1 || rkeys == NULL) { + if (!keys->get_secret(*g_conf.entity_name, service_secret)) { + dout(0) << "ceph_decode_ticket could not get general service secret for service_id=" + << service_id << " secret_id=" << secret_id << dendl; return false; } } else { - if (!keys.get_service_secret(service_id, secret_id, service_secret)) { - dout(0) << "ceph_decode_ticket could not get service secret for service_id=" << service_id << " secret_id=" << secret_id << dendl; + if (!rkeys->get_service_secret(secret_id, service_secret)) { + dout(0) << "ceph_decode_ticket could not get service secret for service_id=" + << service_id << " secret_id=" << secret_id << dendl; return false; } } 
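Review bot: The new `|| rkeys == NULL` condition in `cephx_decode_ticket` changes which key is tried rather than reporting that rotating keys are unavailable: a ticket blob whose `secret_id` names a rotating secret is decrypted with the caller's general per-entity secret instead of being rejected, and a failure is then logged as "could not get general service secret" for a secret_id that was never a general one. The same construct is in the `cephx_verify_authorizer` hunk that follows, and NULL is what `CephxServiceHandler::handle_request` (both calls) and `Monitor::ms_verify_authorizer` now pass; before this patch the monitor's `KeyServer` answered `keys.get_service_secret(service_id, secret_id, ...)` itself (the `KeyStore` pure virtual is commented out in the Auth.h hunk and `KeyServerData::get_service_secret` survives in CephxKeyServer.cc), so I suspect mon-side verification of tickets issued against rotating secrets no longer reaches that data — worth confirming. Suggest making the unavailable case explicit, `if (secret_id != (uint64_t)-1 && rkeys == NULL) { dout(0) << "cephx_decode_ticket no rotating keys for secret_id=" << secret_id << dendl; return false; }`, and stating on the declarations in CephxProtocol.h that `rkeys` may be NULL and what that means. The message text still says `ceph_decode_ticket` while the function is `cephx_decode_ticket`. Both functions continue outside their hunks.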
@@ -337,8 +339,9 @@ bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& t * * {timestamp + 1}^session_key */ -bool cephx_verify_authorizer(KeyStore& keys, bufferlist::iterator& indata, - CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl) +bool cephx_verify_authorizer(KeyStore *keys, RotatingKeyRing *rkeys, + bufferlist::iterator& indata, + CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl) { __u8 authorizer_v; ::decode(authorizer_v, indata); @@ -356,16 +359,16 @@ bool cephx_verify_authorizer(KeyStore& keys, bufferlist::iterator& indata, dout(10) << "verify_authorizer decrypted service_id=" << service_id << " secret_id=" << ticket.secret_id << dendl; - if (ticket.secret_id == (uint64_t)-1) { + if (ticket.secret_id == (uint64_t)-1 || rkeys == NULL) { EntityName name; name.entity_type = service_id; - if (!keys.get_secret(name, service_secret)) { + if (!keys->get_secret(name, service_secret)) { dout(0) << "verify_authorizer could not get general service secret for service_id=" << service_id << " secret_id=" << ticket.secret_id << dendl; return false; } } else { - if (!keys.get_service_secret(service_id, ticket.secret_id, service_secret)) { + if (!rkeys->get_service_secret(ticket.secret_id, service_secret)) { dout(0) << "verify_authorizer could not get service secret for service_id=" << service_id << " secret_id=" << ticket.secret_id << dendl; return false; diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 754d6d9968565..6498cba5c9d9a 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -83,7 +83,7 @@ #define CEPHX_REQUEST_TYPE_MASK 0x0F00 #include "../Auth.h" - +#include "../RotatingKeyRing.h" /* * Authentication 
@@ -372,12 +372,14 @@ WRITE_CLASS_ENCODER(CephXAuthorize); /* * Decode an extract ticket */ -bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info); +bool cephx_decode_ticket(KeyStore *keys, RotatingKeyRing *rkeys, + uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info); /* * Verify authorizer and generate reply authorizer */ -extern bool cephx_verify_authorizer(KeyStore& keys, bufferlist::iterator& indata, +extern bool cephx_verify_authorizer(KeyStore *keys, RotatingKeyRing *rkeys, + bufferlist::iterator& indata, CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl); diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index 01ad4428883f1..0ed890f380755 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc @@ -93,7 +93,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist } CephXServiceTicketInfo old_ticket_info; - if (cephx_decode_ticket(*key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) { + if (cephx_decode_ticket(key_server, NULL, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) { global_id = old_ticket_info.ticket.global_id; dout(10) << "decoded old_ticket with global_id=" << global_id << dendl; should_enc_ticket = true; @@ -135,7 +135,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist bufferlist tmp_bl; CephXServiceTicketInfo auth_ticket_info; - if (!cephx_verify_authorizer(*key_server, indata, auth_ticket_info, tmp_bl)) { + if (!cephx_verify_authorizer(key_server, NULL, indata, auth_ticket_info, tmp_bl)) { ret = -EPERM; break; } diff --git a/src/auth/none/AuthNoneAuthorizeHandler.cc b/src/auth/none/AuthNoneAuthorizeHandler.cc index 82afb15f63bb7..a11986fbfbba0 100644 --- a/src/auth/none/AuthNoneAuthorizeHandler.cc +++ b/src/auth/none/AuthNoneAuthorizeHandler.cc 
@@ -3,8 +3,9 @@ #include "AuthNoneAuthorizeHandler.h" -bool AuthNoneAuthorizeHandler::verify_authorizer(bufferlist& authorizer_data, bufferlist& authorizer_reply, - EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info) +bool AuthNoneAuthorizeHandler::verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys, + bufferlist& authorizer_data, bufferlist& authorizer_reply, + EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info) { bufferlist::iterator iter = authorizer_data.begin(); diff --git a/src/auth/none/AuthNoneAuthorizeHandler.h b/src/auth/none/AuthNoneAuthorizeHandler.h index 719000522ac24..81ddc6c211bb7 100644 --- a/src/auth/none/AuthNoneAuthorizeHandler.h +++ b/src/auth/none/AuthNoneAuthorizeHandler.h @@ -18,7 +18,8 @@ #include "../AuthAuthorizeHandler.h" struct AuthNoneAuthorizeHandler : public AuthAuthorizeHandler { - bool verify_authorizer(bufferlist& authorizer_data, bufferlist& authorizer_reply, + bool verify_authorizer(KeyRing *keys, RotatingKeyRing *rkeys, + bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info); }; diff --git a/src/auth/none/AuthNoneClientHandler.h b/src/auth/none/AuthNoneClientHandler.h index 83199b22a89ee..c4f4739cb9ea4 100644 --- a/src/auth/none/AuthNoneClientHandler.h +++ b/src/auth/none/AuthNoneClientHandler.h @@ -20,7 +20,7 @@ class AuthNoneClientHandler : public AuthClientHandler { public: - AuthNoneClientHandler() {} + AuthNoneClientHandler(RotatingKeyRing *rkeys) {} void reset() { } diff --git a/src/cmds.cc b/src/cmds.cc index 7e79006830e58..da2e814e00770 100644 --- a/src/cmds.cc +++ b/src/cmds.cc @@ -63,7 +63,8 @@ int main(int argc, const char **argv) if (g_conf.clock_tare) g_clock.tare(); // get monmap - MonClient mc; + RotatingKeyRing rkeys; + MonClient mc(&rkeys); if (mc.build_initial_monmap() < 0) return -1; diff --git a/src/cosd.cc b/src/cosd.cc index 70af58d007f9e..ed22f54a4e47b 100644 --- a/src/cosd.cc 
+++ b/src/cosd.cc @@ -92,7 +92,8 @@ int main(int argc, const char **argv) _dout_create_courtesy_output_symlink("osd", whoami); // get monmap - MonClient mc; + RotatingKeyRing rkeys; + MonClient mc(&rkeys); if (mc.build_initial_monmap() < 0) return -1; if (mc.get_monmap_privately() < 0) diff --git a/src/mds/MDS.cc b/src/mds/MDS.cc index a8725353f1559..3d5dfb912d8da 100644 --- a/src/mds/MDS.cc +++ b/src/mds/MDS.cc @@ -63,6 +63,7 @@ #include "messages/MMonCommand.h" #include "auth/AuthAuthorizeHandler.h" +#include "auth/KeyRing.h" #include "config.h" @@ -1549,7 +1550,8 @@ bool MDS::ms_verify_authorizer(Connection *con, int peer_type, EntityName name; uint64_t global_id; - is_valid = authorize_handler->verify_authorizer(authorizer_data, authorizer_reply, name, global_id, caps_info); + is_valid = authorize_handler->verify_authorizer(&g_keyring, monc->rotating_secrets, + authorizer_data, authorizer_reply, name, global_id, caps_info); if (is_valid) { entity_name_t n(con->get_peer_type(), global_id); diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index fc2c751384394..7390683b79246 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -288,7 +288,7 @@ void MonClient::handle_auth(MAuthReply *m) if (state == MC_STATE_NEGOTIATING) { if (!auth || (int)m->protocol != auth->get_protocol()) { delete auth; - auth = get_auth_client_handler(m->protocol); + auth = get_auth_client_handler(m->protocol, rotating_secrets); if (!auth) { delete m; return; @@ -506,7 +506,10 @@ int MonClient::_check_auth_rotating() _send_mon_message(m); } - if (!g_keyring.need_rotating_secrets()) + if (!rotating_secrets) + return 0; + + if (!rotating_secrets->need_new_secrets()) return 0; if (!auth_principal_needs_rotating_keys(entity_name)) { 
@@ -536,8 +539,11 @@ int MonClient::wait_auth_rotating(double timeout) return 0; } + if (!rotating_secrets) + return 0; + while (auth_principal_needs_rotating_keys(entity_name) && - g_keyring.need_rotating_secrets()) + rotating_secrets->need_new_secrets()) auth_cond.WaitInterval(monc_lock, interval); return 0; } diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h index 3f6efeeb6626c..e10489f5ef18d 100644 --- a/src/mon/MonClient.h +++ b/src/mon/MonClient.h @@ -23,6 +23,7 @@ #include "common/Timer.h" #include "auth/AuthClientHandler.h" +#include "auth/RotatingKeyRing.h" #include "messages/MMonSubscribe.h" @@ -163,16 +164,20 @@ public: _sub_got(what, have); } + RotatingKeyRing *rotating_secrets; + public: - MonClient() : state(MC_STATE_NONE), - messenger(NULL), cur_mon(-1), - monc_lock("MonClient::monc_lock"), - timer(monc_lock), - hunting(false), - want_monmap(false), - want_keys(0), global_id(0), - authenticate_err(0), - auth(NULL) { } + MonClient(RotatingKeyRing *rkeys=0) : + state(MC_STATE_NONE), + messenger(NULL), cur_mon(-1), + monc_lock("MonClient::monc_lock"), + timer(monc_lock), + hunting(false), + want_monmap(false), + want_keys(0), global_id(0), + authenticate_err(0), + auth(NULL), + rotating_secrets(rkeys) { } ~MonClient() { timer.cancel_all_events(); } diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index 06b805d25120a..60793845f1b52 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -1034,7 +1034,7 @@ bool Monitor::ms_verify_authorizer(Connection *con, int peer_type, if (!authorizer_data.length()) return true; /* we're not picky */ - int ret = cephx_verify_authorizer(key_server, iter, auth_ticket_info, authorizer_reply); + int ret = cephx_verify_authorizer(&key_server, NULL, iter, auth_ticket_info, authorizer_reply); dout(0) << "Monitor::verify_authorizer returns " << ret << dendl; isvalid = (ret >= 0); diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc index 950f275e120b4..c6453edc6240a 100644 --- a/src/osd/OSD.cc +++ b/src/osd/OSD.cc 
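Review bot: `rotating_secrets` is a public raw pointer in `MonClient` with no comment on ownership or nullability, while the `.cc` hunks check it for NULL before use and `MDS::ms_verify_authorizer`/`OSD::ms_verify_authorizer` hand it straight to `verify_authorizer`. Suggest `RotatingKeyRing *rotating_secrets;  // non-owning, may be NULL (no rotating keys); must outlive this MonClient` — in cmds.cc and cosd.cc the ring is a local declared just before `mc`, which satisfies that only as long as the declaration order is kept. The constructor's default `rkeys=0` silently selects the no-rotating-keys mode for every existing `MonClient()` caller, which is probably intended but deserves a sentence in the header.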
@@ -1597,7 +1597,8 @@ bool OSD::ms_verify_authorizer(Connection *con, int peer_type, EntityName name; uint64_t global_id; - isvalid = authorize_handler->verify_authorizer(authorizer_data, authorizer_reply, name, global_id, caps_info); + isvalid = authorize_handler->verify_authorizer(&g_keyring, monc->rotating_secrets, + authorizer_data, authorizer_reply, name, global_id, caps_info); dout(10) << "OSD::ms_verify_authorizer name=" << name << dendl; -- 2.39.5