From a34fe37418e8b3c89f0bbdcf320b1f28110ed0e4 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Wed, 16 Jan 2019 13:56:43 -0600 Subject: [PATCH] auth/AuthServiceHandler: take session_key and connection_secret as args Allow these methods to populate session and connection secrets. No functional change (yet). Signed-off-by: Sage Weil --- src/auth/AuthServiceHandler.h | 9 +++++++-- src/auth/cephx/CephxServiceHandler.cc | 8 ++++++-- src/auth/cephx/CephxServiceHandler.h | 9 +++++++-- src/auth/krb/KrbServiceHandler.cpp | 20 +++++++++++++------- src/auth/krb/KrbServiceHandler.hpp | 12 ++++++++---- src/auth/none/AuthNoneServiceHandler.h | 12 +++++++++--- src/auth/unknown/AuthUnknownServiceHandler.h | 13 ++++++++++--- src/mon/AuthMonitor.cc | 6 ++++-- 8 files changed, 64 insertions(+), 25 deletions(-) diff --git a/src/auth/AuthServiceHandler.h b/src/auth/AuthServiceHandler.h index a4464049c9e..a787663c299 100644 --- a/src/auth/AuthServiceHandler.h +++ b/src/auth/AuthServiceHandler.h @@ -22,6 +22,7 @@ class CephContext; class KeyServer; +class CryptoKey; struct AuthCapsInfo; struct AuthServiceHandler { @@ -37,11 +38,15 @@ public: virtual int start_session(const EntityName& name, bufferlist *result, - AuthCapsInfo *caps) = 0; + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) = 0; virtual int handle_request(bufferlist::const_iterator& indata, bufferlist *result, uint64_t *global_id, - AuthCapsInfo *caps) = 0; + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) = 0; EntityName& get_entity_name() { return entity_name; } }; diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index b470cd39130..22426d38329 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc 
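Review bot: The new `session_key` and `connection_secret` out-parameters on `AuthServiceHandler::start_session` and `handle_request` come with no statement of whether a caller may pass nullptr, yet the only caller touched in this series (`AuthMonitor::prep_auth`) passes `nullptr, nullptr` for both. Without a written contract, the first handler change that actually fills these keys will dereference a null pointer on that path. I would add above the two declarations: `// session_key / connection_secret: optional out-params holding key material; callers may pass nullptr, and implementations must check before writing to them.` Since these will carry secrets, the same comment should say they are to be populated only on a successful authentication result, not on error returns.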
@@ -29,7 +29,9 @@ int CephxServiceHandler::start_session(const EntityName& name, bufferlist *result_bl, - AuthCapsInfo *caps) + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) { entity_name = name; @@ -49,7 +51,9 @@ int CephxServiceHandler::handle_request( bufferlist::const_iterator& indata, bufferlist *result_bl, uint64_t *global_id, - AuthCapsInfo *caps) + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) { int ret = 0; diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h index b6acb3c71d8..2a5af6f7af7 100644 --- a/src/auth/cephx/CephxServiceHandler.h +++ b/src/auth/cephx/CephxServiceHandler.h @@ -31,12 +31,17 @@ public: int start_session(const EntityName& name, bufferlist *result_bl, - AuthCapsInfo *caps) override; + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) override; int handle_request( bufferlist::const_iterator& indata, bufferlist *result_bl, uint64_t *global_id, - AuthCapsInfo *caps) override; + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) override; + void build_cephx_response_header(int request_type, int status, bufferlist& bl); }; diff --git a/src/auth/krb/KrbServiceHandler.cpp b/src/auth/krb/KrbServiceHandler.cpp index 2935ee06c51..3efd8c90872 100644 --- a/src/auth/krb/KrbServiceHandler.cpp +++ b/src/auth/krb/KrbServiceHandler.cpp @@ -26,10 +26,13 @@ #define dout_prefix *_dout << "krb5/gssapi service: " << entity_name << " : " -int KrbServiceHandler::handle_request(bufferlist::const_iterator& indata, - bufferlist *buff_list, - uint64_t *global_id, - AuthCapsInfo *caps) +int KrbServiceHandler::handle_request( + bufferlist::const_iterator& indata, + bufferlist *buff_list, + uint64_t *global_id, + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) { auto result(0); gss_buffer_desc gss_buffer_in = {0, nullptr}; 
@@ -148,9 +151,12 @@ int KrbServiceHandler::handle_request(bufferlist::const_iterator& indata, return result; } -int KrbServiceHandler::start_session(const EntityName& name, - bufferlist *buff_list, - AuthCapsInfo *caps) +int KrbServiceHandler::start_session( + const EntityName& name, + bufferlist *buff_list, + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) { gss_buffer_desc gss_buffer_in = {0, nullptr}; gss_OID gss_object_id = GSS_C_NT_HOSTBASED_SERVICE; diff --git a/src/auth/krb/KrbServiceHandler.hpp b/src/auth/krb/KrbServiceHandler.hpp index 8f81158631f..8fe808a48a8 100644 --- a/src/auth/krb/KrbServiceHandler.hpp +++ b/src/auth/krb/KrbServiceHandler.hpp @@ -40,14 +40,18 @@ class KrbServiceHandler : public AuthServiceHandler { int handle_request(bufferlist::const_iterator& indata, bufferlist *buff_list, uint64_t *global_id, - AuthCapsInfo *caps) override; + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) override; int start_session(const EntityName& name, bufferlist *buff_list, - AuthCapsInfo *caps) override; + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) override; - private: - gss_buffer_desc m_gss_buffer_out; + private: + gss_buffer_desc m_gss_buffer_out; gss_cred_id_t m_gss_credentials; gss_ctx_id_t m_gss_sec_ctx; gss_name_t m_gss_service_name; diff --git a/src/auth/none/AuthNoneServiceHandler.h b/src/auth/none/AuthNoneServiceHandler.h index 07d68ddda87..d62f2a283a4 100644 --- a/src/auth/none/AuthNoneServiceHandler.h +++ b/src/auth/none/AuthNoneServiceHandler.h @@ -28,7 +28,9 @@ public: int start_session(const EntityName& name, bufferlist *result_bl, - AuthCapsInfo *caps) override { + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) override { entity_name = name; caps->allow_all = true; return 1; 
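Review bot: `AuthNoneServiceHandler::start_session` now receives `session_key` and `connection_secret` but leaves both untouched while setting `caps->allow_all = true`, and the hunk gives no hint that this is intentional rather than an omission. A one-line comment in the body would settle it for the next reader: `// auth_none performs no key exchange: session_key and connection_secret are deliberately left unset.` Because this handler grants every capability without authenticating anything, that comment should also warn that callers must not treat either key as valid when this handler is in use.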
@@ -36,10 +38,14 @@ public: int handle_request(bufferlist::const_iterator& indata, bufferlist *result_bl, uint64_t *global_id, - AuthCapsInfo *caps) override { + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) override { return 0; } - void build_cephx_response_header(int request_type, int status, bufferlist& bl) { } + void build_cephx_response_header(int request_type, int status, + bufferlist& bl) { + } }; #endif diff --git a/src/auth/unknown/AuthUnknownServiceHandler.h b/src/auth/unknown/AuthUnknownServiceHandler.h index b353959dde1..8a2315c1276 100644 --- a/src/auth/unknown/AuthUnknownServiceHandler.h +++ b/src/auth/unknown/AuthUnknownServiceHandler.h @@ -28,17 +28,24 @@ public: int start_session(const EntityName& name, bufferlist *result_bl, - AuthCapsInfo *caps) { + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) { return 1; } int handle_request(bufferlist::iterator& indata, bufferlist *result_bl, uint64_t *global_id, - AuthCapsInfo *caps) { + AuthCapsInfo *caps, + CryptoKey *session_key, + CryptoKey *connection_secret) { ceph_abort(); // shouldn't get called return 0; } - void build_cephx_response_header(int request_type, int status, bufferlist& bl) { } + + void build_cephx_response_header(int request_type, int status, + bufferlist& bl) { + } }; #endif diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index c56b5424b73..ba1f2c5e557 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc 
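Review bot: `AuthUnknownServiceHandler::handle_request` still takes `bufferlist::iterator& indata`, while the base-class declaration in the src/auth/AuthServiceHandler.h hunk takes `bufferlist::const_iterator&`, so this method is an overload, not an override, and the pure virtual remains unimplemented; neither it nor `start_session` carries `override`, which is why the compiler does not report the mismatch. Change the parameter to `bufferlist::const_iterator& indata` and append `override` to both `start_session` and `handle_request` so any future drift between the interface and this handler fails at compile time instead of silently. The mismatch predates this patch, but the commit already rewrites both signatures, so this is the natural place to correct it.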
@@ -666,14 +666,16 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable) if (start) { // new session ret = s->auth_handler->start_session(entity_name, &response_bl, - &s->con->peer_caps_info); + &s->con->peer_caps_info, + nullptr, nullptr); } else { // request ret = s->auth_handler->handle_request( indata, &response_bl, &s->con->peer_global_id, - &s->con->peer_caps_info); + &s->con->peer_caps_info, + nullptr, nullptr); } if (ret == -EIO) { wait_for_active(op, new C_RetryMessage(this,op)); -- 2.39.5
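Review bot: Both calls in `AuthMonitor::prep_auth` pass literal `nullptr, nullptr` for the new `session_key` and `connection_secret` arguments with no explanation, and nothing here records that the handlers are required to tolerate null there. A comment at the first call site, `// session_key/connection_secret are not consumed on this path yet; handlers must accept nullptr`, would make that dependency visible, and the same requirement belongs on the declarations in AuthServiceHandler.h. As far as the patch shows, this is safe only because no handler implementation in it dereferences the pointers; stating that prevents it from being broken silently once a handler starts populating the keys. prep_auth begins and ends outside this hunk.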