From 7d7af85c3a8b90ef93a152131a4b8fd66ceb6996 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Fri, 14 Jan 2011 16:29:41 -0800
Subject: [PATCH] auth: new rotating secret ttl should depend on now() + ttl

Before it only depended on the previous rotating secret (which was always bigger than g_clock.now()). Since the tickets rotation is never being done exactly when the old ticket expires (probably takes a few seconds after that), then we ended up having tickets that expire much sooner than we expected.
---
 src/auth/cephx/CephxKeyServer.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 1188f3bc00f45..f5ebcb0fe1b83 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -181,10 +181,13 @@ int KeyServer::_rotate_secret(uint32_t service_id)
 while (r.need_new_secrets(now)) {
 ExpiringCryptoKey ek;
 generate_secret(ek.key);
- if (r.empty())
+ if (r.empty()) {
 ek.expiration = now;
- else
- ek.expiration = MAX(now, r.next().expiration);
+ } else {
+ utime_t next_ttl = now;
+ next_ttl += ttl;
+ ek.expiration = MAX(next_ttl, r.next().expiration);
+ }
 ek.expiration += ttl;
 uint64_t secret_id = r.add(ek);
 dout(10) << "_rotate_secret adding " << ceph_entity_type_name(service_id)
-- 
2.39.5
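Review bot: The new else branch in `_rotate_secret` raises the floor to `now + ttl`, and the unchanged `ek.expiration += ttl;` after the branch adds `ttl` again, so a key added to a non-empty set expires no earlier than `now + 2*ttl`, while the `r.empty()` branch still yields `now + ttl`. Nothing in the code says whether that asymmetry is intended. If it is, a comment above the branch would record it, for example `// expiration = max(now + ttl, r.next().expiration) + ttl; only the first key of an empty set gets now + ttl`. Because this value bounds how long a rotating service secret stays valid, confirm that the longer lifetime matches the rotation policy the configured `ttl` is meant to express. The loop body sits inside a function that starts before and continues past the hunk, so where `now`, `ttl` and `r` come from is not visible here.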