From adf7c725035a70d98d345831141547bbdd4c1cb1 Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Fri, 7 Mar 2025 13:20:58 -0500 Subject: [PATCH] auth: add a configurable to control rotating keys cipher type auth_service_cipher: a mon configurable that determines what type of cipher the rotating keys are using. The configurable can change at runtime. Note that the change does not invalidate existing keys, these would expire based on their ttl. Signed-off-by: Yehuda Sadeh --- src/auth/cephx/CephxKeyServer.cc | 9 ++++++++- src/common/options/global.yaml.in | 27 +++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index c0e22824d2b..026a36fb888 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -183,7 +183,14 @@ int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data) while (r.need_new_secrets(now)) { ExpiringCryptoKey ek; - generate_secret(ek.key); + auto s = cct->_conf.get_val("auth_service_cipher"); + + int key_type = CryptoManager::get_key_type(s); + if (key_type < 0 || key_type == CEPH_CRYPTO_NONE) { + key_type = CEPH_CRYPTO_AES256KRB5; + } + + generate_secret(ek.key, key_type); if (r.empty()) { ek.expiration = now; } else { diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in index 78933a7523f..de9c0e06f2c 100644 --- a/src/common/options/global.yaml.in +++ b/src/common/options/global.yaml.in @@ -2163,6 +2163,33 @@ options: Ceph services. Valid settings are ``cephx`` or ``none``. default: cephx with_legacy: true +- name: auth_service_cipher + type: str + level: advanced + desc: cipher type that is used to encrypt service tickets. + fmt_desc: When service tickets are being generaeted, this would + be the cipher that will be used to encrypt them. This requires + that all the services support the specific cipher. Valid settings + are ``aes` or ``aes256k``. + default: aes + services: + - mon + enum_values: + - aes + - aes256k + with_legacy: false + flags: + - runtime +- name: auth_cipher_allow + type: str + level: advanced + desc: cipher types that are allowed to be used for authentication + fmt_desc: This list of cipher types determines which ciphers are + allowed to be used for the clients and services to establish + a connection to the cluster via the cephx autentication protocol. + Valid options are ``aes` or ``aes256k``. + default: aes, aes256k + with_legacy: true # what clients require of daemons - name: auth_client_required type: str -- 2.39.5