From 9f47de6782223cf8c0ef1e12d556f14c4be45781 Mon Sep 17 00:00:00 2001 From: Patrick Donnelly Date: Thu, 29 May 2025 11:57:13 -0400 Subject: [PATCH] auth: add more debugging for service tickets Signed-off-by: Patrick Donnelly (cherry picked from commit db73ba2fad354ccc7d83b942a3581feae6ad3beb) --- src/auth/Auth.h | 26 +++++++++------------ src/auth/Crypto.h | 6 ----- src/auth/RotatingKeyRing.cc | 2 ++ src/auth/cephx/CephxKeyServer.cc | 16 +++++++++---- src/auth/cephx/CephxKeyServer.h | 4 ++-- src/auth/cephx/CephxProtocol.cc | 39 ++++++++++++++++++++------------ src/auth/cephx/CephxProtocol.h | 2 ++ 7 files changed, 54 insertions(+), 41 deletions(-) diff --git a/src/auth/Auth.h b/src/auth/Auth.h index f7656027755..189873f7295 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -16,6 +16,7 @@ #define CEPH_AUTHTYPES_H #include "Crypto.h" +#include "common/CanHasPrint.h" #include "common/ceph_json.h" #include "common/entity_name.h" #include "common/Formatter.h" @@ -47,6 +48,13 @@ struct EntityAuth { std::map caps; CryptoKey pending_key; ///< new but uncommitted key + void print(std::ostream& out) const { + out << "auth(key=" << key; + if (!pending_key.empty()) { + out << " pending_key=" << pending_key; + } + out << ")"; + } void encode(ceph::buffer::list& bl) const { __u8 struct_v = 3; using ceph::encode; @@ -81,16 +89,6 @@ struct EntityAuth { }; WRITE_CLASS_ENCODER(EntityAuth) -inline std::ostream& operator<<(std::ostream& out, const EntityAuth& a) -{ - out << "auth(key=" << a.key; - if (!a.pending_key.empty()) { - out << " pending_key=" << a.pending_key; - } - out << ")"; - return out; -} - struct AuthCapsInfo { bool allow_all; ceph::buffer::list caps; @@ -268,6 +266,9 @@ struct ExpiringCryptoKey { CryptoKey key; utime_t expiration; + void print(std::ostream& out) const { + out << key << " expires " << expiration; + } void encode(ceph::buffer::list& bl) const { using ceph::encode; __u8 struct_v = 1; 
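Review bot: The new `EntityAuth::print` in the `@@ -47,6 +48,13 @@` hunk streams `key` and, when set, `pending_key`, so anything that streams an `EntityAuth` (the level-30 `found` message added to `KeyServerData::get_auth` later in this patch) writes the entity's secret key into the log, and nothing at the definition says so; this assumes `CryptoKey::print`, which the deleted `operator<<` in `Crypto.h` forwards to, emits the key material, which is not shown here. A one-line comment would make that visible to the next person who reaches for it: `/// Debug formatter. Output includes the key material in full; stream it to logs only at a high debug level.` The same applies to `ExpiringCryptoKey::print` in the `@@ -268,6 +266,9 @@` hunk of this file. Both bodies are moved verbatim from the removed `operator<<` definitions, so behaviour is unchanged; the point is that the `print` name plus `CanHasPrint.h` makes them much easier to reach from an `ldout` line.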
@@ -295,11 +296,6 @@ struct ExpiringCryptoKey { }; WRITE_CLASS_ENCODER(ExpiringCryptoKey) -inline std::ostream& operator<<(std::ostream& out, const ExpiringCryptoKey& c) -{ - return out << c.key << " expires " << c.expiration; -} - struct RotatingSecrets { std::map secrets; version_t max_ver; diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index d3b39a4382c..c12d316fa0e 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h @@ -226,12 +226,6 @@ public: }; WRITE_CLASS_ENCODER(CryptoKey) -inline std::ostream& operator<<(std::ostream& out, const CryptoKey& k) -{ - k.print(out); - return out; -} - /* * Driver for a particular algorithm diff --git a/src/auth/RotatingKeyRing.cc b/src/auth/RotatingKeyRing.cc index ccc5dbc2d02..54ee8302ed0 100644 --- a/src/auth/RotatingKeyRing.cc +++ b/src/auth/RotatingKeyRing.cc @@ -51,6 +51,8 @@ bool RotatingKeyRing::get_secret(const EntityName& name, CryptoKey& secret) cons bool RotatingKeyRing::get_service_secret(uint32_t service_id_, uint64_t secret_id, CryptoKey& secret) const { + ldout(cct, 30) << __func__ << ": service_id=" << service_id_ << " secret_id=" << secret_id << dendl; + std::lock_guard l{lock}; if (service_id_ != this->service_id) { diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index 6ccec4e3663..7b51c46ef44 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -33,6 +33,7 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id, CryptoKey& secret, uint64_t& secret_id, double& ttl) const { + ldout(cct,30) << __func__ << ": " << service_id << dendl; auto iter = rotating_secrets.find(service_id); if (iter == rotating_secrets.end()) { ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id) << " not found " << dendl; 
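Review bot: In the `KeyServerData::get_service_secret` hunk the added `ldout(cct,30) << __func__ << ": " << service_id << dendl;` logs the numeric service id, while the existing `not found` message a few lines below renders the same value with `ceph_entity_type_name(service_id)`; two spellings of the same id in adjacent lines make grep-based correlation harder. Use the name form for consistency: `ldout(cct, 30) << __func__ << ": " << ceph_entity_type_name(service_id) << dendl;` (the missing space after the comma is also out of step with the surrounding `ldout(cct, 10)` calls). The `RotatingKeyRing::get_service_secret` hunk earlier on this line logs a raw `service_id_` in the same way. Both enclosing functions continue past their hunks.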
@@ -98,21 +99,28 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id, return true; } -bool KeyServerData::get_auth(const EntityName& name, EntityAuth& auth) const { +bool KeyServerData::get_auth(CephContext *cct, const EntityName& name, EntityAuth& auth) const { + ldout(cct, 20) << __func__ << ": " << name << dendl; auto iter = secrets.find(name); if (iter != secrets.end()) { auth = iter->second; + ldout(cct, 30) << __func__ << ": found " << auth << dendl; return true; } + ldout(cct, 30) << __func__ << ": searching extra secrets" << dendl; return extra_secrets->get_auth(name, auth); } -bool KeyServerData::get_secret(const EntityName& name, CryptoKey& secret) const { +bool KeyServerData::get_secret(CephContext *cct, const EntityName& name, CryptoKey& secret) const { + ldout(cct, 20) << __func__ << ": " << name << dendl; auto iter = secrets.find(name); if (iter != secrets.end()) { secret = iter->second.key; + ldout(cct, 30) << __func__ << ": found " << secret << dendl; return true; } + + ldout(cct, 30) << __func__ << ": searching extra secrets" << dendl; return extra_secrets->get_secret(name, secret); } @@ -225,13 +233,13 @@ int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data) bool KeyServer::get_secret(const EntityName& name, CryptoKey& secret) const { std::scoped_lock l{lock}; - return data.get_secret(name, secret); + return data.get_secret(cct, name, secret); } bool KeyServer::get_auth(const EntityName& name, EntityAuth& auth) const { std::scoped_lock l{lock}; - return data.get_auth(name, auth); + return data.get_auth(cct, name, auth); } bool KeyServer::get_caps(const EntityName& name, const string& type, diff --git a/src/auth/cephx/CephxKeyServer.h b/src/auth/cephx/CephxKeyServer.h index 0382cca0ed5..a2645c46c23 100644 --- a/src/auth/cephx/CephxKeyServer.h +++ b/src/auth/cephx/CephxKeyServer.h 
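Review bot: The two new level-30 lines `ldout(cct, 30) << __func__ << ": found " << auth << dendl;` and `ldout(cct, 30) << __func__ << ": found " << secret << dendl;` stream an `EntityAuth` and a `CryptoKey`, which through the `print` members this patch introduces appear to write the entity's secret key into the monitor log whenever `debug auth` is raised to 30 (assuming `CryptoKey::print` emits the key bytes, which is not visible in this patch). Key material in a log file outlives the debugging session, since logs are rotated, shipped to collectors and attached to bug reports, so the lookup result is better reported without the key: `ldout(cct, 30) << __func__ << ": found auth for " << name << dendl;` and likewise `": found secret for " << name`. If a key really must be correlated during an investigation, a short fingerprint of it is enough; the full value never needs to be logged. The `KeyServer::get_secret`/`get_auth` hunk further on this line only forwards `cct` and needs no change.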
@@ -109,8 +109,8 @@ struct KeyServerData { double& ttl) const; bool get_service_secret(CephContext *cct, uint32_t service_id, uint64_t secret_id, CryptoKey& secret) const; - bool get_auth(const EntityName& name, EntityAuth& auth) const; - bool get_secret(const EntityName& name, CryptoKey& secret) const; + bool get_auth(CephContext *cct, const EntityName& name, EntityAuth& auth) const; + bool get_secret(CephContext *cct, const EntityName& name, CryptoKey& secret) const; bool get_caps(CephContext *cct, const EntityName& name, const std::string& type, AuthCapsInfo& caps) const; diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index 1846217b977..131bb29fa05 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc @@ -62,6 +62,17 @@ void cephx_calc_client_server_challenge(CephContext *cct, CryptoKey& secret, uin *key = k; } +void CephXSessionAuthInfo::print(std::ostream& os) const +{ + os << "session_auth_info(" + << ceph_entity_type_name(service_id) + << " id=" << secret_id + << " session_key=" << session_key + << " service_secret=" << service_secret + << " ticket.name=" << ticket.name + << " ticket.global_id=" << ticket.global_id + << ")"; +} /* * Authentication @@ -75,12 +86,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, const CephXSessionAuthInf ticket_info.ticket = info.ticket; ticket_info.ticket.caps = info.ticket.caps; - ldout(cct, 10) << "build_service_ticket service " - << ceph_entity_type_name(info.service_id) - << " secret_id " << info.secret_id - << " ticket_info.ticket.name=" - << ticket_info.ticket.name.to_str() - << " ticket.global_id " << info.ticket.global_id << dendl; + ldout(cct, 10) << "build_service_ticket service " << info << dendl; blob.secret_id = info.secret_id; std::string error; if (!info.service_secret.get_secret().length()) 
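Review bot: `CephXSessionAuthInfo::print` in the `@@ -62,6 +62,17 @@` hunk streams `session_key` and `service_secret`, and the `@@ -75,12 +86,7 @@` hunk further on this line replaces the level-10 `build_service_ticket` message with `<< info`, so a message that used to carry only the service, `secret_id`, ticket name and `global_id` now also carries both keys at debug level 10, a level operators turn on routinely. Either keep the keys out of `print`, i.e. `os << "session_auth_info(" << ceph_entity_type_name(service_id) << " id=" << secret_id << " ticket.name=" << ticket.name << " ticket.global_id=" << ticket.global_id << ")";`, or leave the `build_service_ticket` message as it was and stream `info` only from a level-30 line. This assumes `CryptoKey::print` emits the key bytes, which is not shown in this patch and is worth confirming before merge. The `@@ -109,8 +109,8 @@` header hunk on this line only mirrors the new `cct` parameter and is fine as is.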
@@ -465,19 +471,22 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys, // Unable to decode! return false; } - ldout(cct, 10) << "verify_authorizer decrypted service " + + ldout(cct, 10) << __func__ << ": decoded service " << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl; if (ticket.secret_id == (uint64_t)-1) { EntityName name; name.set_type(service_id); + ldout(cct, 20) << __func__ << ": looking up secret for " << ceph_entity_type_name(service_id) << dendl; if (!keys.get_secret(name, service_secret)) { ldout(cct, 0) << "verify_authorizer could not get general service secret for service " << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl; return false; } } else { + ldout(cct, 20) << __func__ << ": looking up service secret for " << ceph_entity_type_name(service_id) << dendl; if (!keys.get_service_secret(service_id, ticket.secret_id, service_secret)) { ldout(cct, 0) << "verify_authorizer could not get service secret for service " << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl; 
@@ -486,24 +495,26 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys, return false; } } + ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl; + std::string error; if (!service_secret.get_secret().length()) error = "invalid key"; // Bad key? else decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error); if (!error.empty()) { - ldout(cct, 0) << "verify_authorizer could not decrypt ticket info: error: " - << error << dendl; + ldout(cct, 0) << __func__ << ": could not decrypt ticket info: " << error << dendl; return false; } if (ticket_info.ticket.global_id != global_id) { - ldout(cct, 0) << "verify_authorizer global_id mismatch: declared id=" << global_id + ldout(cct, 0) << __func__ << ": global_id mismatch: declared id=" << global_id << " ticket_id=" << ticket_info.ticket.global_id << dendl; return false; } - ldout(cct, 10) << "verify_authorizer global_id=" << global_id << dendl; + ldout(cct, 10) << __func__ << ": global_id=" << global_id << dendl; + ldout(cct, 30) << __func__ << ": session key=" << ticket_info.session_key << dendl; // CephXAuthorize CephXAuthorize auth_msg; 
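Review bot: `ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl;` and `ldout(cct, 30) << __func__ << ": session key=" << ticket_info.session_key << dendl;` write the service secret and the per-session key of every verified authorizer into the daemon log at level 30; `cephx_verify_authorizer` runs for each incoming connection, so one debugging session at that level leaves every active session key on disk (again assuming `CryptoKey::print` emits the key bytes, which this patch does not show). Logging that the lookup succeeded is enough to trace the ticket path: `ldout(cct, 30) << __func__ << ": got secret for " << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;`, and the session-key line can be dropped because the `global_id` line just above it already marks a successful decrypt. The rest of the function lies outside the hunk.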
@@ -519,17 +530,17 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys, c = new CephXAuthorizeChallenge; challenge->reset(c); cct->random()->get_bytes((char*)&c->server_challenge, sizeof(c->server_challenge)); - ldout(cct,10) << __func__ << " adding server_challenge " << c->server_challenge + ldout(cct,10) << __func__ << ": adding server_challenge " << c->server_challenge << dendl; encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, *reply_bl, error); if (!error.empty()) { - ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl; + ldout(cct, 0) << __func__ << ": encode_encrypt error: " << error << dendl; return false; } return false; } - ldout(cct, 10) << __func__ << " got server_challenge+1 " + ldout(cct, 10) << __func__ << ": got server_challenge+1 " << auth_msg.server_challenge_plus_one << " expecting " << c->server_challenge + 1 << dendl; if (c->server_challenge + 1 != auth_msg.server_challenge_plus_one) { diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 956c08400ee..3c4383a19f2 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -248,6 +248,8 @@ struct CephXSessionAuthInfo { CryptoKey session_key; CryptoKey service_secret; utime_t validity; + + void print(std::ostream& os) const; }; -- 2.39.5
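Review bot: The new `void print(std::ostream& os) const;` in `CephXSessionAuthInfo` (the `@@ -248,6 +248,8 @@` hunk of `CephxProtocol.h`) carries no comment, and a reader of the header cannot tell that its definition in `CephxProtocol.cc` streams `session_key` and `service_secret` alongside the ticket identity. Document that where it is declared: `/// Debug formatter; the output includes session_key and service_secret in full, so stream it only from high-level debug messages.` The struct's other members are outside the hunk.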