From 7830f859e0c8c317c516736343eb9f3d8d824f77 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Tue, 8 May 2012 16:30:26 -0700
Subject: [PATCH] mon: use external keyring for mon->mon auth

- Feed our keyring into the auth methods.
- Do not fail to build a ticket for type MON when we don't have a cap; it won't be in the auth database. Also, we don't have caps on the monitors that are enfoced between each other.

Signed-off-by: Sage Weil
---
 src/auth/cephx/CephxKeyServer.cc | 10 ++++++----
 src/mon/Monitor.cc | 7 ++++---
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 044aaa2d8d438..a1944b3bb2979 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -387,11 +387,13 @@ int KeyServer::_build_session_auth_info(uint32_t service_id, CephXServiceTicketI
   generate_secret(info.session_key);
-  string s = ceph_entity_type_name(service_id);
-  if (!data.get_caps(cct, info.ticket.name, s, info.ticket.caps)) {
-    return -EINVAL;
+  // mon keys are stored externally. and the caps are blank anyway.
+  if (service_id != CEPH_ENTITY_TYPE_MON) {
+    string s = ceph_entity_type_name(service_id);
+    if (!data.get_caps(cct, info.ticket.name, s, info.ticket.caps)) {
+      return -EINVAL;
+    }
   }
-
   return 0;
 }
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 054b1ad98d29d..ac20f6ef40fd0 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1923,8 +1923,9 @@ bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer, boo
   auth_ticket_info.ticket.global_id = 0;
   CryptoKey secret;
-  if (!key_server.get_secret(name, secret)) {
-    dout(0) << " couldn't get secret for mon service" << dendl;
+  if (!keyring.get_secret(name, secret) &&
+      !key_server.get_secret(name, secret)) {
+    dout(0) << " couldn't get secret for mon service from keyring or keyserver" << dendl;
     stringstream ss;
     key_server.list_secrets(ss);
     dout(0) << ss.str() << dendl;
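Review bot: In the new MON branch `info.ticket.caps` is never written, so a MON ticket carries whatever caps the caller left in `info` rather than an explicitly empty set; if any caller reuses a CephXServiceTicketInfo across calls (not visible here), stale caps from an earlier ticket could be carried into the mon ticket. Resetting the caps to their empty state inside the `service_id != CEPH_ENTITY_TYPE_MON` else-path would make the "caps are blank" claim in the comment true by construction instead of by assumption about the caller. The comment itself would also read more precisely as `// MON identities are authenticated via the external keyring and have no entry (and no caps) in the auth database, so skip the caps lookup for them.` _build_session_auth_info starts outside the hunk.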
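Review bot: When both lookups fail, the diagnostic that follows still dumps only `key_server.list_secrets(ss)`, so the keyring half of the new fallback leaves no trace in the log and the entity that was looked up is not named; logging the name alongside the listing, e.g. `dout(0) << " couldn't get secret for " << name << " from keyring or keyserver" << dendl;`, would make a failed mon->mon handshake diagnosable from this mon alone. The `&&` ordering also means a key found in `keyring` silently takes precedence over a different key under the same name in `key_server`; a one-line comment above the `if` stating that the external keyring is authoritative and the key server is only a fallback would spare the next reader from guessing. ms_get_authorizer starts and ends outside the hunk.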
@@ -1978,7 +1979,7 @@ bool Monitor::ms_verify_authorizer(Connection *con, int peer_type,
   CephXServiceTicketInfo auth_ticket_info;
   if (authorizer_data.length()) {
-    int ret = cephx_verify_authorizer(g_ceph_context, &key_server, iter,
+    int ret = cephx_verify_authorizer(g_ceph_context, &keyring, iter,
                                       auth_ticket_info, authorizer_reply);
     if (ret >= 0)
       isvalid = true;
-- 
2.39.5
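Review bot: Verification now consults only `keyring`, while ms_get_authorizer in the earlier hunk of this file still falls back to `key_server` when the keyring lacks the key; as far as these two hunks show, a mon whose key exists only in the key server can build an authorizer that a peer running this same code will reject, and the mismatch surfaces only as a failed verify on the remote side. If the asymmetry is intentional (mon->mon keys must live in the external keyring), a comment above the call such as `// mon->mon authorizers are verified against the external keyring only; key_server is not consulted here` would record that decision, otherwise the verify path should try the same two sources in the same order. ms_verify_authorizer's body continues outside the hunk.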