From 9c3dd336b76ddce483c6791ab6508844cf47d6c3 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Tue, 22 Jan 2019 12:27:29 -0600 Subject: [PATCH] auth/AuthRegistry: refactor handling of auth_*_requred options - simplify/consolidate my type and peer type effects on auth method - watch for runtime config changes Signed-off-by: Sage Weil --- src/auth/AuthAuthorizeHandler.cc | 57 --------- src/auth/AuthAuthorizeHandler.h | 22 ---- src/auth/AuthClient.h | 1 - src/auth/AuthRegistry.cc | 198 +++++++++++++++++++++++++++++++ src/auth/AuthRegistry.h | 54 +++++++++ src/auth/AuthServer.cc | 51 -------- src/auth/AuthServer.h | 21 ++-- src/auth/CMakeLists.txt | 3 +- src/ceph_mon.cc | 3 +- src/mon/MonClient.cc | 66 +++++------ src/mon/MonClient.h | 13 +- src/mon/Monitor.cc | 2 + src/msg/Messenger.cc | 28 +---- src/msg/Messenger.h | 6 +- 14 files changed, 308 insertions(+), 217 deletions(-) delete mode 100644 src/auth/AuthAuthorizeHandler.cc create mode 100644 src/auth/AuthRegistry.cc create mode 100644 src/auth/AuthRegistry.h delete mode 100644 src/auth/AuthServer.cc diff --git a/src/auth/AuthAuthorizeHandler.cc b/src/auth/AuthAuthorizeHandler.cc deleted file mode 100644 index 746a21ee01c..00000000000 --- a/src/auth/AuthAuthorizeHandler.cc +++ /dev/null @@ -1,57 +0,0 @@ -// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- -// vim: ts=8 sw=2 smarttab -/* - * Ceph - scalable distributed file system - * - * Copyright (C) 2009-2011 New Dream Network - * - * This is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License version 2.1, as published by the Free Software - * Foundation. See file COPYING. - * - */ - -#include "AuthAuthorizeHandler.h" -#include "cephx/CephxAuthorizeHandler.h" -#ifdef HAVE_GSSAPI -#include "krb/KrbAuthorizeHandler.hpp" -#endif -#include "none/AuthNoneAuthorizeHandler.h" - -AuthAuthorizeHandler *AuthAuthorizeHandlerRegistry::get_handler(int protocol) -{ - if (!supported.is_supported_auth(protocol)) { - return NULL; - } - - std::scoped_lock l{m_lock}; - map::iterator iter = m_authorizers.find(protocol); - if (iter != m_authorizers.end()) - return iter->second; - - switch (protocol) { - case CEPH_AUTH_NONE: - m_authorizers[protocol] = new AuthNoneAuthorizeHandler(); - return m_authorizers[protocol]; - - case CEPH_AUTH_CEPHX: - m_authorizers[protocol] = new CephxAuthorizeHandler(); - return m_authorizers[protocol]; -#ifdef HAVE_GSSAPI - case CEPH_AUTH_GSS: - m_authorizers[protocol] = new KrbAuthorizeHandler(); - return m_authorizers[protocol]; -#endif - default: - return nullptr; - } -} - -AuthAuthorizeHandlerRegistry::~AuthAuthorizeHandlerRegistry() -{ - for (map::iterator iter = m_authorizers.begin(); - iter != m_authorizers.end(); - ++iter) - delete iter->second; -} diff --git a/src/auth/AuthAuthorizeHandler.h b/src/auth/AuthAuthorizeHandler.h index 59725caf21a..74703407dc9 100644 --- a/src/auth/AuthAuthorizeHandler.h +++ b/src/auth/AuthAuthorizeHandler.h @@ -16,7 +16,6 @@ #define CEPH_AUTHAUTHORIZEHANDLER_H #include "Auth.h" -#include "AuthMethodList.h" #include "include/types.h" #include "common/ceph_mutex.h" // Different classes of session crypto handling @@ -44,25 +43,4 @@ struct AuthAuthorizeHandler { virtual int authorizer_session_crypto() = 0; }; -class AuthAuthorizeHandlerRegistry { - ceph::mutex m_lock; - map m_authorizers; - AuthMethodList supported; - -public: - AuthAuthorizeHandlerRegistry(CephContext *cct_, const std::string &methods) - : m_lock{ceph::make_mutex("AuthAuthorizeHandlerRegistry::m_lock")}, - supported{cct_, methods} - {} - ~AuthAuthorizeHandlerRegistry(); - - void get_supported_methods(std::vector *v) { - v->clear(); - for (auto m : supported.get_supported_set()) { - v->push_back(m); - } - } - AuthAuthorizeHandler *get_handler(int protocol); -}; - #endif diff --git a/src/auth/AuthClient.h b/src/auth/AuthClient.h index 37e956e2e9d..aa11e3c29a5 100644 --- a/src/auth/AuthClient.h +++ b/src/auth/AuthClient.h @@ -6,7 +6,6 @@ #include class EntityName; -class AuthMethodList; class CryptoKey; class AuthClient { diff --git a/src/auth/AuthRegistry.cc b/src/auth/AuthRegistry.cc new file mode 100644 index 00000000000..0f2752cf55c --- /dev/null +++ b/src/auth/AuthRegistry.cc @@ -0,0 +1,198 @@ +// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- +// vim: ts=8 sw=2 smarttab + +#include "AuthRegistry.h" + +#include "cephx/CephxAuthorizeHandler.h" +#ifdef HAVE_GSSAPI +#include "krb/KrbAuthorizeHandler.hpp" +#endif +#include "none/AuthNoneAuthorizeHandler.h" +#include "common/ceph_context.h" +#include "common/debug.h" +#include "auth/KeyRing.h" + +#define dout_subsys ceph_subsys_auth +#undef dout_prefix +#define dout_prefix *_dout << "AuthRegistry(" << this << ") " + +const char** AuthRegistry::get_tracked_conf_keys() const +{ + static const char *keys[] = { + "auth_supported", + "auth_client_required", + "auth_cluster_required", + "auth_service_required", + "keyring", + NULL + }; + return keys; +} + +void AuthRegistry::handle_conf_change( + const ConfigProxy& conf, + const std::set& changed) +{ + std::scoped_lock l(lock); + _refresh_config(); +} + + +void AuthRegistry::_parse_method_list(const string& s, + std::vector *v) +{ + std::list sup_list; + get_str_list(s, sup_list); + if (sup_list.empty()) { + lderr(cct) << "WARNING: empty auth protocol list" << dendl; + } + for (auto& i : sup_list) { + ldout(cct, 5) << "adding auth protocol: " << i << dendl; + if (i == "cephx") { + v->push_back(CEPH_AUTH_CEPHX); + } else if (i == "none") { + v->push_back(CEPH_AUTH_NONE); + } else if (i == "gss") { + v->push_back(CEPH_AUTH_GSS); + } else { + v->push_back(CEPH_AUTH_UNKNOWN); + lderr(cct) << "WARNING: unknown auth protocol defined: " << i << dendl; + } + } + if (v->empty()) { + lderr(cct) << "WARNING: no auth protocol defined, use 'cephx' by default" + << dendl; + v->push_back(CEPH_AUTH_CEPHX); + } + ldout(cct,20) << __func__ << " " << s << " -> " << *v << dendl; +} + +void AuthRegistry::_refresh_config() +{ + if (cct->_conf->auth_supported.size()) { + _parse_method_list(cct->_conf->auth_supported, &cluster_methods); + _parse_method_list(cct->_conf->auth_supported, &service_methods); + _parse_method_list(cct->_conf->auth_supported, &client_methods); + } else { + _parse_method_list(cct->_conf->auth_cluster_required, &cluster_methods); + _parse_method_list(cct->_conf->auth_service_required, &service_methods); + _parse_method_list(cct->_conf->auth_client_required, &client_methods); + } + + ldout(cct,10) << __func__ << " cluster_methods " << cluster_methods + << " service_methods " << service_methods + << " client_methods " << client_methods + << dendl; + + // if we have no keyring, filter out cephx + _no_keyring_disabled_cephx = false; + KeyRing k; + int r = k.from_ceph_context(cct); + if (r == -ENOENT) { + for (auto *p : {&cluster_methods, &service_methods, &client_methods}) { + auto q = std::find(p->begin(), p->end(), CEPH_AUTH_CEPHX); + if (q != p->end()) { + p->erase(q); + _no_keyring_disabled_cephx = true; + } + } + } + if (_no_keyring_disabled_cephx) { + lderr(cct) << "no keyring found at " << cct->_conf->keyring + << ", disabling cephx" << dendl; + } +} + +void AuthRegistry::get_supported_methods(int peer_type, + std::vector *v) +{ + if (cct->get_module_type() == CEPH_ENTITY_TYPE_CLIENT) { + *v = client_methods; + return; + } + switch (peer_type) { + case CEPH_ENTITY_TYPE_MON: + case CEPH_ENTITY_TYPE_MGR: + case CEPH_ENTITY_TYPE_MDS: + case CEPH_ENTITY_TYPE_OSD: + *v = cluster_methods; + break; + default: + *v = service_methods; + break; + } +} + +bool AuthRegistry::is_supported_method(int peer_type, int method) +{ + std::vector s; + get_supported_methods(peer_type, &s); + return std::find(s.begin(), s.end(), method) != s.end(); +} + +bool AuthRegistry::any_supported_methods(int peer_type) +{ + std::vector s; + get_supported_methods(peer_type, &s); + return !s.empty(); +} + +AuthAuthorizeHandler *AuthRegistry::get_handler(int peer_type, int method) +{ + std::scoped_lock l{lock}; + ldout(cct,20) << __func__ << " peer_type " << peer_type << " method " << method + << " cluster_methods " << cluster_methods + << " service_methods " << service_methods + << " client_methods " << client_methods + << dendl; + if (cct->get_module_type() == CEPH_ENTITY_TYPE_CLIENT) { + return nullptr; + } + switch (peer_type) { + case CEPH_ENTITY_TYPE_MON: + case CEPH_ENTITY_TYPE_MGR: + case CEPH_ENTITY_TYPE_MDS: + case CEPH_ENTITY_TYPE_OSD: + if (std::find(cluster_methods.begin(), cluster_methods.end(), method) == + cluster_methods.end()) { + return nullptr; + } + break; + default: + if (std::find(service_methods.begin(), service_methods.end(), method) == + service_methods.end()) { + return nullptr; + } + break; + } + + auto iter = authorize_handlers.find(method); + if (iter != authorize_handlers.end()) { + return iter->second; + } + AuthAuthorizeHandler *ah = nullptr; + switch (method) { + case CEPH_AUTH_NONE: + ah = new AuthNoneAuthorizeHandler(); + break; + case CEPH_AUTH_CEPHX: + ah = new CephxAuthorizeHandler(); + break; +#ifdef HAVE_GSSAPI + case CEPH_AUTH_GSS: + ah = new KrbAuthorizeHandler(); + break; +#endif + } + if (ah) { + authorize_handlers[method] = ah; + } + return ah; +} + +AuthRegistry::~AuthRegistry() +{ + for (auto i : authorize_handlers) { + delete i.second; + } +} diff --git a/src/auth/AuthRegistry.h b/src/auth/AuthRegistry.h new file mode 100644 index 00000000000..190b615592c --- /dev/null +++ b/src/auth/AuthRegistry.h @@ -0,0 +1,54 @@ +// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- +// vim: ts=8 sw=2 smarttab + +#pragma once + +#include +#include + +#include "AuthAuthorizeHandler.h" +#include "AuthMethodList.h" +#include "common/ceph_mutex.h" +#include "common/ceph_context.h" +#include "common/config_cacher.h" + +class AuthRegistry : public md_config_obs_t { + CephContext *cct; + ceph::mutex lock = ceph::make_mutex("AuthRegistry::lock"); + + std::map authorize_handlers; + + bool _no_keyring_disabled_cephx = false; + + std::vector cluster_methods; // CEPH_AUTH_* + std::vector service_methods; // CEPH_AUTH_* + std::vector client_methods; // CEPH_AUTH_* + + void _parse_method_list(const string& str, std::vector *v); + void _refresh_config(); + +public: + AuthRegistry(CephContext *cct) : cct(cct) { + } + ~AuthRegistry(); + + void refresh_config() { + std::scoped_lock l(lock); + _refresh_config(); + } + + void get_supported_methods(int peer_type, std::vector *v); + bool is_supported_method(int peer_type, int method); + bool any_supported_methods(int peer_type); + + AuthAuthorizeHandler *get_handler(int peer_type, int method); + + const char** get_tracked_conf_keys() const override; + void handle_conf_change(const ConfigProxy& conf, + const std::set& changed) override; + + bool no_keyring_disabled_cephx() { + std::scoped_lock l(lock); + return _no_keyring_disabled_cephx; + } +}; diff --git a/src/auth/AuthServer.cc b/src/auth/AuthServer.cc deleted file mode 100644 index aeb02a8464f..00000000000 --- a/src/auth/AuthServer.cc +++ /dev/null @@ -1,51 +0,0 @@ -// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- -// vim: ts=8 sw=2 smarttab - -#include "AuthServer.h" -#include "common/ceph_context.h" - -AuthServer::AuthServer(CephContext *cct) - : auth_ah_service_registry( - new AuthAuthorizeHandlerRegistry( - cct, - cct->_conf->auth_supported.empty() ? - cct->_conf->auth_service_required : - cct->_conf->auth_supported)), - auth_ah_cluster_registry( - new AuthAuthorizeHandlerRegistry( - cct, - cct->_conf->auth_supported.empty() ? - cct->_conf->auth_cluster_required : - cct->_conf->auth_supported)) -{ -} - -AuthAuthorizeHandler *AuthServer::get_auth_authorize_handler( - int peer_type, - int auth_method) -{ - switch (peer_type) { - case CEPH_ENTITY_TYPE_MDS: - case CEPH_ENTITY_TYPE_MON: - case CEPH_ENTITY_TYPE_MGR: - case CEPH_ENTITY_TYPE_OSD: - return auth_ah_cluster_registry->get_handler(auth_method); - default: - return auth_ah_service_registry->get_handler(auth_method); - } -} - -void AuthServer::get_supported_auth_methods( - int peer_type, - vector *methods) -{ - switch (peer_type) { - case CEPH_ENTITY_TYPE_MDS: - case CEPH_ENTITY_TYPE_MON: - case CEPH_ENTITY_TYPE_MGR: - case CEPH_ENTITY_TYPE_OSD: - return auth_ah_cluster_registry->get_supported_methods(methods); - default: - return auth_ah_service_registry->get_supported_methods(methods); - } -} diff --git a/src/auth/AuthServer.h b/src/auth/AuthServer.h index 3ac4dbf3659..d80c1b0d811 100644 --- a/src/auth/AuthServer.h +++ b/src/auth/AuthServer.h @@ -3,7 +3,7 @@ #pragma once -#include "AuthAuthorizeHandler.h" +#include "AuthRegistry.h" #include @@ -11,20 +11,23 @@ class CephContext; class Connection; class AuthServer { -private: - std::unique_ptr auth_ah_service_registry; - std::unique_ptr auth_ah_cluster_registry; public: - AuthServer(CephContext *cct); + AuthRegistry auth_registry; + + AuthServer(CephContext *cct) : auth_registry(cct) {} virtual ~AuthServer() {} - AuthAuthorizeHandler *get_auth_authorize_handler( + virtual void get_supported_auth_methods( int peer_type, - int auth_method); + std::vector *methods) { + auth_registry.get_supported_methods(peer_type, methods); + } - virtual void get_supported_auth_methods( + AuthAuthorizeHandler *get_auth_authorize_handler( int peer_type, - std::vector *methods); + int auth_method) { + return auth_registry.get_handler(peer_type, auth_method); + } virtual int handle_auth_request( Connection *con, diff --git a/src/auth/CMakeLists.txt b/src/auth/CMakeLists.txt index 5103f1adf3a..d4bfa1a52fa 100644 --- a/src/auth/CMakeLists.txt +++ b/src/auth/CMakeLists.txt @@ -1,8 +1,7 @@ set(auth_srcs - AuthAuthorizeHandler.cc AuthClientHandler.cc AuthMethodList.cc - AuthServer.cc + AuthRegistry.cc AuthSessionHandler.cc Crypto.cc KeyRing.cc diff --git a/src/ceph_mon.cc b/src/ceph_mon.cc index 79f28cf2269..881499817d1 100644 --- a/src/ceph_mon.cc +++ b/src/ceph_mon.cc @@ -242,7 +242,8 @@ int main(int argc, const char **argv) { "leveldb_cache_size", "536870912" }, { "leveldb_block_size", "65536" }, { "leveldb_compression", "false"}, - { "leveldb_log", "" } + { "leveldb_log", "" }, + { "keyring", "$mon_data/keyring" }, }; int flags = 0; diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index d37b9b65719..6727434fead 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -426,39 +426,22 @@ int MonClient::init() entity_name = cct->_conf->name; - std::lock_guard l(monc_lock); + auth_registry.refresh_config(); - string method; - if (!cct->_conf->auth_supported.empty()) - method = cct->_conf->auth_supported; - else if (entity_name.get_type() == CEPH_ENTITY_TYPE_OSD || - entity_name.get_type() == CEPH_ENTITY_TYPE_MDS || - entity_name.get_type() == CEPH_ENTITY_TYPE_MON || - entity_name.get_type() == CEPH_ENTITY_TYPE_MGR) - method = cct->_conf->auth_cluster_required; - else - method = cct->_conf->auth_client_required; - auth_supported.reset(new AuthMethodList(cct, method)); - ldout(cct, 10) << "auth_supported " << auth_supported->get_supported_set() << " method " << method << dendl; - - int r = 0; - keyring.reset(new KeyRing); // initializing keyring anyway - - if (auth_supported->is_supported_auth(CEPH_AUTH_CEPHX)) { - r = keyring->from_ceph_context(cct); - if (r == -ENOENT) { - auth_supported->remove_supported_auth(CEPH_AUTH_CEPHX); - if (!auth_supported->get_supported_set().empty()) { - r = 0; - no_keyring_disabled_cephx = true; - } else { - lderr(cct) << "ERROR: missing keyring, cannot use cephx for authentication" << dendl; - } + std::lock_guard l(monc_lock); + keyring.reset(new KeyRing); + if (auth_registry.is_supported_method(messenger->get_mytype(), + CEPH_AUTH_CEPHX)) { + // this should succeed, because auth_registry just checked! + int r = keyring->from_ceph_context(cct); + if (r != 0) { + // but be somewhat graceful in case there was a race condition + lderr(cct) << "keyring not found" << dendl; + return r; } } - - if (r < 0) { - return r; + if (!auth_registry.any_supported_methods(messenger->get_mytype())) { + return -ENOENT; } rotating_secrets.reset( @@ -550,7 +533,7 @@ int MonClient::authenticate(double timeout) authenticated = true; } - if (authenticate_err < 0 && no_keyring_disabled_cephx) { + if (authenticate_err < 0 && auth_registry.no_keyring_disabled_cephx()) { lderr(cct) << __func__ << " NOTE: no keyring found; disabled cephx authentication" << dendl; } @@ -659,7 +642,7 @@ void MonClient::_reopen_session(int rank) } for (auto& c : pending_cons) { - c.second.start(monmap.get_epoch(), entity_name, *auth_supported); + c.second.start(monmap.get_epoch(), entity_name); } if (sub.reload()) { @@ -671,7 +654,7 @@ MonConnection& MonClient::_add_conn(unsigned rank, uint64_t global_id) { auto peer = monmap.get_addrs(rank); auto conn = messenger->connect_to_mon(peer); - MonConnection mc(cct, conn, global_id, auth_supported->get_supported_set()); + MonConnection mc(cct, conn, global_id, &auth_registry); auto inserted = pending_cons.insert(make_pair(peer, move(mc))); ldout(cct, 10) << "picked mon." << monmap.get_name(rank) << " con " << conn @@ -1430,8 +1413,8 @@ AuthAuthorizer* MonClient::build_authorizer(int service_id) const { MonConnection::MonConnection( CephContext *cct, ConnectionRef con, uint64_t global_id, - const list& auth_supported) - : cct(cct), con(con), global_id(global_id), auth_supported(auth_supported) + AuthRegistry *ar) + : cct(cct), con(con), global_id(global_id), auth_registry(ar) {} MonConnection::~MonConnection() @@ -1448,8 +1431,7 @@ bool MonConnection::have_session() const } void MonConnection::start(epoch_t epoch, - const EntityName& entity_name, - const AuthMethodList& auth_supported) + const EntityName& entity_name) { if (con->get_peer_addr().is_msgr2()) { ldout(cct, 10) << __func__ << " opening mon connection" << dendl; @@ -1471,7 +1453,9 @@ void MonConnection::start(epoch_t epoch, m->monmap_epoch = epoch; __u8 struct_v = 1; encode(struct_v, m->auth_payload); - encode(auth_supported.get_supported_set(), m->auth_payload); + vector auth_supported; + auth_registry->get_supported_methods(con->get_peer_type(), &auth_supported); + encode(auth_supported, m->auth_payload); encode(entity_name, m->auth_payload); encode(global_id, m->auth_payload); con->send_message(m); @@ -1485,7 +1469,9 @@ int MonConnection::get_auth_request( { // choose method if (auth_method < 0) { - auth_method = auth_supported.front(); + vector as; + auth_registry->get_supported_methods(con->get_peer_type(), &as); + auth_method = as.front(); } *method = auth_method; ldout(cct,10) << __func__ << " method " << *method << dendl; @@ -1566,6 +1552,8 @@ int MonConnection::handle_auth_bad_method( ldout(cct,10) << __func__ << " old_auth_method " << old_auth_method << " result " << cpp_strerror(result) << " allowed_methods " << allowed_methods << dendl; + vector auth_supported; + auth_registry->get_supported_methods(con->get_peer_type(), &auth_supported); auto p = std::find(auth_supported.begin(), auth_supported.end(), old_auth_method); assert(p != auth_supported.end()); diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h index 0f4f21c2161..be73a2f68ef 100644 --- a/src/mon/MonClient.h +++ b/src/mon/MonClient.h @@ -27,6 +27,7 @@ #include "auth/AuthClient.h" #include "auth/AuthServer.h" +#include "auth/AuthRegistry.h" class MMonMap; class MConfig; @@ -102,7 +103,7 @@ public: MonConnection(CephContext *cct, ConnectionRef conn, uint64_t global_id, - const list& auto_supported); + AuthRegistry *auth_registry); ~MonConnection(); MonConnection(MonConnection&& rhs) = default; MonConnection& operator=(MonConnection&&) = default; @@ -114,8 +115,7 @@ public: RotatingKeyRing* keyring); int authenticate(MAuthReply *m); void start(epoch_t epoch, - const EntityName& entity_name, - const AuthMethodList& auth_supported); + const EntityName& entity_name); bool have_session() const; uint64_t get_global_id() const { return global_id; @@ -174,7 +174,8 @@ private: std::unique_ptr auth; uint64_t global_id; - const list& auth_supported; + + AuthRegistry *auth_registry; }; class MonClient : public Dispatcher, @@ -200,16 +201,12 @@ private: bool initialized; bool stopping = false; - bool no_keyring_disabled_cephx = false; - bool no_ktfile_disabled_krb = false; LogClient *log_client; bool more_log_pending; void send_log(bool flush = false); - std::unique_ptr auth_supported; - bool ms_dispatch(Message *m) override; bool ms_handle_reset(Connection *con) override; void ms_handle_remote_reset(Connection *con) override {} diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index 7eec0cc45b1..724feb68f4f 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -883,6 +883,8 @@ int Monitor::init() mgr_messenger->add_dispatcher_tail(this); // for auth ms_* calls mgr_messenger->set_auth_client(this); + auth_registry.refresh_config(); + bootstrap(); // add features of myself into feature_map session_map.feature_map.add_mon(con_self->get_features()); diff --git a/src/msg/Messenger.cc b/src/msg/Messenger.cc index 5d38dfa35dd..23ce0ad7861 100644 --- a/src/msg/Messenger.cc +++ b/src/msg/Messenger.cc @@ -58,19 +58,10 @@ Messenger::Messenger(CephContext *cct_, entity_name_t w) socket_priority(-1), cct(cct_), crcflags(get_default_crc_flags(cct->_conf)), - auth_ah_service_registry( - new AuthAuthorizeHandlerRegistry( - cct, - cct->_conf->auth_supported.empty() ? - cct->_conf->auth_service_required : - cct->_conf->auth_supported)), - auth_ah_cluster_registry( - new AuthAuthorizeHandlerRegistry( - cct, - cct->_conf->auth_supported.empty() ? - cct->_conf->auth_cluster_required : - cct->_conf->auth_supported)) -{} + auth_registry(cct) +{ + auth_registry.refresh_config(); +} void Messenger::set_endpoint_addr(const entity_addr_t& a, const entity_name_t &name) @@ -136,16 +127,7 @@ bool Messenger::ms_deliver_verify_authorizer( } } } - AuthAuthorizeHandler *ah = 0; - switch (peer_type) { - case CEPH_ENTITY_TYPE_MDS: - case CEPH_ENTITY_TYPE_MON: - case CEPH_ENTITY_TYPE_OSD: - ah = auth_ah_cluster_registry->get_handler(protocol); - break; - default: - ah = auth_ah_service_registry->get_handler(protocol); - } + AuthAuthorizeHandler *ah = auth_registry.get_handler(peer_type, protocol); if (get_mytype() == CEPH_ENTITY_TYPE_MON && peer_type != CEPH_ENTITY_TYPE_MON) { // the monitor doesn't do authenticators for msgr1. diff --git a/src/msg/Messenger.h b/src/msg/Messenger.h index d38fdc922ed..bfd3eeef042 100644 --- a/src/msg/Messenger.h +++ b/src/msg/Messenger.h @@ -35,7 +35,7 @@ #include "include/ceph_features.h" #include "auth/Crypto.h" #include "common/item_history.h" -#include "auth/AuthAuthorizeHandler.h" +#include "auth/AuthRegistry.h" #include "include/ceph_assert.h" #include @@ -46,7 +46,6 @@ class Timer; -class AuthAuthorizerHandlerRegistry; class AuthClient; class AuthServer; @@ -96,8 +95,7 @@ public: protected: // for authentication - std::unique_ptr auth_ah_service_registry; - std::unique_ptr auth_ah_cluster_registry; + AuthRegistry auth_registry; public: /** -- 2.39.5