From cd095d8366abd86b45846af672f69de6f4800bea Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Fri, 23 Oct 2009 16:12:39 -0700 Subject: [PATCH] auth: move auth rotating interaction into auth handlers --- src/Makefile.am | 1 - src/auth/AuthClientHandler.h | 2 +- src/auth/cephx/CephxClientHandler.cc | 41 +++++++--------- src/auth/cephx/CephxClientHandler.h | 3 +- src/auth/cephx/CephxProtocol.h | 4 +- src/auth/cephx/CephxServiceHandler.cc | 31 +++++++----- src/auth/cephx/CephxServiceHandler.h | 3 +- src/messages/MAuthRotating.h | 49 ------------------ src/mon/AuthMonitor.cc | 24 --------- src/mon/AuthMonitor.h | 3 -- src/mon/MonClient.cc | 71 ++++++++++----------------- src/mon/MonClient.h | 1 - src/mon/Monitor.cc | 1 - src/msg/Message.cc | 5 -- src/msg/Message.h | 2 - 15 files changed, 67 insertions(+), 174 deletions(-) delete mode 100644 src/messages/MAuthRotating.h diff --git a/src/Makefile.am b/src/Makefile.am index c91e3220b5a3a..6c1f601fea188 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -546,7 +546,6 @@ noinst_HEADERS = \ mds/snap.h\ messages/MAuth.h\ messages/MAuthReply.h\ - messages/MAuthRotating.h\ messages/MClass.h\ messages/MClassAck.h\ messages/MClientCaps.h\ diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h index 72b04657d5720..bcd0991acb2ab 100644 --- a/src/auth/AuthClientHandler.h +++ b/src/auth/AuthClientHandler.h @@ -58,7 +58,7 @@ public: virtual void reset() = 0; virtual int build_request(bufferlist& bl) = 0; virtual int handle_response(int ret, bufferlist::iterator& iter) = 0; - virtual int handle_rotating_response(int ret, bufferlist& bl) = 0; + virtual void build_rotating_request(bufferlist& bl) = 0; virtual void tick() = 0; diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index b7405fbd6e88b..fb68e72351ba9 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc 
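Review bot: The new pure virtual `build_rotating_request` in AuthClientHandler.h is undocumented, and since its counterpart `handle_rotating_response` is removed in the same hunk, a reader of the interface can no longer see where the rotating-key reply is delivered. The CephxClientHandler.cc hunks show it arriving through handle_response(), so a one-line contract above the declaration would help: `// Encode a request for the rotating secrets into bl; the reply is delivered through handle_response() like any other auth reply.`. The enclosing class body continues outside the hunk.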
@@ -103,8 +103,8 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) struct CephXResponseHeader header; ::decode(header, indata); - switch (state) { - case STATE_GETTING_MON_KEY: + switch (header.request_type) { + case CEPHX_GET_AUTH_SESSION_KEY: { dout(0) << "request_type=" << hex << header.request_type << dec << dendl; dout(0) << "handle_cephx_response()" << dendl; @@ -129,7 +129,7 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) } break; - case STATE_GETTING_SESSION_KEYS: + case CEPHX_GET_PRINCIPAL_SESSION_KEY: { CephXTicketHandler& ticket_handler = tickets.get_handler(CEPH_ENTITY_TYPE_AUTH); dout(0) << "CEPHX_GET_PRINCIPAL_SESSION_KEY session_key " << ticket_handler.session_key << dendl; @@ -145,9 +145,17 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) } break; - case STATE_DONE: - // ignore? - ret = 0; + case CEPHX_GET_ROTATING_KEY: + { + RotatingSecrets secrets; + CryptoKey secret_key; + g_keyring.get_master(secret_key); + if (decode_decrypt(secrets, secret_key, indata) == 0) { + g_keyring.set_rotating(secrets); + } else { + derr(0) << "could not set rotating key: decode_decrypt failed" << dendl; + } + } break; default: 
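Review bot: handle_response now dispatches on `header.request_type` taken from the reply itself, so a reply whose type does not match the request the client actually sent is still processed; the old `switch (state)` tied each reply to the expected step, and the `STATE_DONE` branch that ignored late replies is gone as well. Keeping `state` as a cross-check, e.g. `if (header.request_type != expected_type) return -EINVAL;` before the switch with expected_type derived from the current state, would restore that binding without changing the new layout. In the added `CEPHX_GET_ROTATING_KEY` branch a decode_decrypt failure is only logged and `ret` keeps whatever the caller passed in, so the caller cannot tell the keys were not installed; `ret = -EINVAL;` in the else branch would propagate it. handle_response begins before the first hunk and its body continues past the last one.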
@@ -165,21 +173,10 @@ AuthAuthorizer *CephxClientHandler::build_authorizer(uint32_t service_id) } - -int CephxClientHandler::handle_rotating_response(int ret, bufferlist& bl) +void CephxClientHandler::build_rotating_request(bufferlist& bl) { - dout(0) << "handle_rotating_response " << ret << " length=" << bl.length() << dendl; - - if (!ret) { - RotatingSecrets secrets; - CryptoKey secret_key; - g_keyring.get_master(secret_key); - bufferlist::iterator iter = bl.begin(); - if (decode_decrypt(secrets, secret_key, iter) == 0) { - g_keyring.set_rotating(secrets); - } else { - derr(0) << "could not set rotating key: decode_decrypt failed" << dendl; - } - } - return 0; + CephXRequestHeader header; + header.request_type = CEPHX_GET_ROTATING_KEY; + ::encode(header, bl); } + diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h index 38e2562bcfa15..2ff21241190ac 100644 --- a/src/auth/cephx/CephxClientHandler.h +++ b/src/auth/cephx/CephxClientHandler.h @@ -44,8 +44,7 @@ public: } int build_request(bufferlist& bl); int handle_response(int ret, bufferlist::iterator& iter); - int handle_rotating_response(int ret, bufferlist& bl); - + void build_rotating_request(bufferlist& bl); int get_protocol() { return CEPH_AUTH_CEPHX; } diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 5361cd47d4546..3523498189830 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -78,9 +78,7 @@ /* authenticate requests */ #define CEPHX_GET_AUTH_SESSION_KEY 0x0100 #define CEPHX_GET_PRINCIPAL_SESSION_KEY 0x0200 - -/* authorize requests */ -#define CEPHX_OPEN_SESSION 0x0300 +#define CEPHX_GET_ROTATING_KEY 0x0400 #define CEPHX_REQUEST_TYPE_MASK 0x0F00 diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index dd19c6c42c848..780934e2ebd18 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc 
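Review bot: The CephxProtocol.h hunk drops `CEPHX_OPEN_SESSION` (0x0300) together with the `/* authorize requests */` comment, which is outside the commit's stated scope of moving the rotating-key exchange; no other file in the diffstat references it, so it is presumably dead, but the commit message should say so. The new value would read better documented in place, e.g. `#define CEPHX_GET_ROTATING_KEY 0x0400  /* fetch rotating secrets (served by CephxServiceHandler) */`. build_rotating_request in CephxClientHandler.cc encodes only the request header, with no client-side nonce, so a reply cannot be correlated with a specific request; whether that matters depends on how handle_response validates replies, which this hunk does not show.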
@@ -30,9 +30,10 @@ int CephxServiceHandler::start_session(bufferlist& result_bl) { CephXServerChallenge ch; get_random_bytes((char *)&server_challenge, sizeof(server_challenge)); + if (!server_challenge) + server_challenge = 1; // always non-zero. ch.server_challenge = server_challenge; ::encode(ch, result_bl); - state = 1; return CEPH_AUTH_CEPHX; } @@ -41,18 +42,14 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist int ret = 0; dout(0) << "CephxServiceHandler: handle request" << dendl; - dout(0) << "state=" << state << dendl; struct CephXRequestHeader cephx_header; ::decode(cephx_header, indata); dout(0) << "op = " << cephx_header.request_type << dendl; - switch (state) { - case 0: - assert(0); - break; - case 1: + switch (cephx_header.request_type) { + case CEPHX_GET_AUTH_SESSION_KEY: { CephXAuthenticate req; ::decode(req, indata); @@ -67,6 +64,10 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist break; } + if (!server_challenge) { + ret = -EPERM; + break; + } bufferlist key, key_enc; ::encode(server_challenge, key); ::encode(req.client_challenge, key); @@ -124,7 +125,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist } break; - case 2: + case CEPHX_GET_PRINCIPAL_SESSION_KEY: { dout(0) << "CEPHX_GET_PRINCIPAL_SESSION_KEY " << cephx_header.request_type << dendl; @@ -157,14 +158,18 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist } break; + case CEPHX_GET_ROTATING_KEY: + { + dout(10) << "getting rotating secret for " << entity_name << dendl; + build_cephx_response_header(cephx_header.request_type, 0, result_bl); + key_server->get_rotating_encrypted(entity_name, result_bl); + ret = 0; + } + break; + default: return -EINVAL; } - - if (!ret || (ret == -EAGAIN)) { - state++; - } - dout(0) << "returning with state=" << state << dendl; return ret; } 
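Review bot: With the `state` machine removed, handle_request serves `CEPHX_GET_PRINCIPAL_SESSION_KEY` and the new `CEPHX_GET_ROTATING_KEY` to any peer that sends that request_type; only the `CEPHX_GET_AUTH_SESSION_KEY` case gets the new `server_challenge` guard, so the ordering the old `case 0/1/2` enforced (challenge-response first, the other requests only afterwards) no longer applies to the other two cases. Unless that is checked elsewhere (not visible here), the rotating branch should require that the entity has completed the session-key step in this session before calling get_rotating_encrypted, e.g. `if (!authenticated) { ret = -EPERM; break; }` with a flag set when the session key is issued. Independently, the rotating branch ignores the return value of `key_server->get_rotating_encrypted(entity_name, result_bl)` and sets `ret = 0` unconditionally, whereas the removed AuthMonitor::preprocess_auth_rotating returned -EPERM on failure; the response header is also written with status 0 before the lookup, so a failed lookup still produces a success reply. The body of handle_request continues between and after these hunks.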
diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h index 5abbab28e43f6..67e7da4459c73 100644 --- a/src/auth/cephx/CephxServiceHandler.h +++ b/src/auth/cephx/CephxServiceHandler.h @@ -22,12 +22,11 @@ class KeyServer; class CephxServiceHandler : public AuthServiceHandler { KeyServer *key_server; - int state; uint64_t server_challenge; EntityName entity_name; public: - CephxServiceHandler(KeyServer *ks) : key_server(ks), state(0) {} + CephxServiceHandler(KeyServer *ks) : key_server(ks), server_challenge(0) {} ~CephxServiceHandler() {} int start_session(bufferlist& result_bl); diff --git a/src/messages/MAuthRotating.h b/src/messages/MAuthRotating.h deleted file mode 100644 index 6600188701372..0000000000000 --- a/src/messages/MAuthRotating.h +++ /dev/null 
@@ -1,49 +0,0 @@ -// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- -// vim: ts=8 sw=2 smarttab -/* - * Ceph - scalable distributed file system - * - * Copyright (C) 2004-2006 Sage Weil - * - * This is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License version 2.1, as published by the Free Software - * Foundation. See file COPYING. - * - */ - -#ifndef __MAUTHROTATING_H -#define __MAUTHROTATING_H - -#include "messages/PaxosServiceMessage.h" -#include "auth/Auth.h" - -class MAuthRotating : public PaxosServiceMessage { -public: - bufferlist response_bl; - uint32_t status; - EntityName entity_name; - - MAuthRotating() : PaxosServiceMessage(MSG_AUTH_ROTATING, 0) { } - - const char *get_type_name() { return "auth_rotating"; } - void print(ostream& out) { - out << "auth_rotating(" << status << " " << entity_name << " " << response_bl.length() << " bytes)"; - } - - void decode_payload() { - bufferlist::iterator p = payload.begin(); - paxos_decode(p); - ::decode(status, p); - ::decode(entity_name, p); - ::decode(response_bl, p); - } - void encode_payload() { - paxos_encode(); - ::encode(status, payload); - ::encode(entity_name, payload); - ::encode(response_bl, payload); - } -}; - -#endif diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index 5cc4b3b4a9637..3de8680b257f4 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -20,7 +20,6 @@ #include "messages/MMonCommand.h" #include "messages/MAuth.h" #include "messages/MAuthReply.h" -#include "messages/MAuthRotating.h" #include "common/Timer.h" @@ -225,9 +224,6 @@ bool AuthMonitor::preprocess_query(PaxosServiceMessage *m) case CEPH_MSG_AUTH: return preprocess_auth((MAuth *)m); - case MSG_AUTH_ROTATING: - return preprocess_auth_rotating((MAuthRotating *)m); - default: assert(0); delete m; 
@@ -316,26 +312,6 @@ done: return true; } - -bool AuthMonitor::preprocess_auth_rotating(MAuthRotating *m) -{ - dout(10) << "handle_request " << *m << " from " << m->get_orig_source() << dendl; - MAuthRotating *reply = new MAuthRotating(); - - if (!reply) - return true; - - if (mon->key_server.get_rotating_encrypted(m->entity_name, reply->response_bl)) { - reply->status = 0; - } else { - reply->status = -EPERM; - } - - mon->messenger->send_message(reply, m->get_orig_source_inst()); - delete m; - return true; -} - void AuthMonitor::auth_usage(stringstream& ss) { ss << "error: usage:" << std::endl; diff --git a/src/mon/AuthMonitor.h b/src/mon/AuthMonitor.h index 7135890aea0d0..88b43b43fa7d6 100644 --- a/src/mon/AuthMonitor.h +++ b/src/mon/AuthMonitor.h @@ -29,7 +29,6 @@ using namespace std; class MMonCommand; class MAuth; class MAuthMon; -class MAuthRotating; class AuthMonitor : public PaxosService { void auth_usage(stringstream& ss); @@ -50,8 +49,6 @@ class AuthMonitor : public PaxosService { bool preprocess_auth(MAuth *m); - bool preprocess_auth_rotating(MAuthRotating *m); - bool preprocess_command(MMonCommand *m); bool prepare_command(MMonCommand *m); diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index d98f9082b3f71..780add0e2522d 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -24,7 +24,6 @@ #include "messages/MClientMountAck.h" #include "messages/MMonSubscribe.h" #include "messages/MMonSubscribeAck.h" -#include "messages/MAuthRotating.h" #include "common/ConfUtils.h" #include "MonClient.h" @@ -198,10 +197,6 @@ bool MonClient::ms_dispatch(Message *m) case CEPH_MSG_MON_SUBSCRIBE_ACK: handle_subscribe_ack((MMonSubscribeAck*)m); return true; - - case MSG_AUTH_ROTATING: - handle_auth_rotating_response((MAuthRotating*)m); - return true; } 
@@ -335,13 +330,21 @@ void MonClient::handle_auth(MAuthReply *m) } if (ret == 0) { - state = MC_STATE_HAVE_SESSION; - while (!waiting_for_session.empty()) { - _send_mon_message(waiting_for_session.front()); - waiting_for_session.pop_front(); + if (state != MC_STATE_HAVE_SESSION) { + state = MC_STATE_HAVE_SESSION; + while (!waiting_for_session.empty()) { + _send_mon_message(waiting_for_session.front()); + waiting_for_session.pop_front(); + } + authenticate_cond.SignalAll(); } - authenticate_cond.SignalAll(); + + if (g_keyring.need_rotating_secrets()) + _start_auth_rotating(); + + auth_cond.SignalAll(); } + /* switch (state) { case MC_STATE_AUTHENTICATING: @@ -415,9 +418,6 @@ void MonClient::_reopen_session() _send_mon_message(m, true); } - if (g_keyring.need_rotating_secrets()) - _start_auth_rotating(); - if (mounting) _send_mount(); if (!sub_have.empty()) @@ -536,9 +536,7 @@ int MonClient::wait_authenticate(double timeout) _reopen_session(); int ret = authenticate_cond.WaitInterval(monc_lock, interval); - dout(0) << "wait_authenticate ended, returned " << ret << dendl; - return ret; } 
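Review bot: In handle_auth every reply with `ret == 0` now re-evaluates `g_keyring.need_rotating_secrets()` and calls `_start_auth_rotating()`, including the reply to the rotating request itself; if that reply fails to decode on the client, the CephxClientHandler hunk only logs the failure and leaves ret untouched, so need_rotating_secrets() stays true and the client immediately re-sends the request, a tight retry loop against the monitor. Propagating the decode failure into ret, or issuing the retry from tick() with a delay instead of from the reply path, would bound that. The added `/*` opens a comment over the following `switch (state)` block whose closing is outside the hunk; deleting the dead code rather than commenting it out keeps the function readable. handle_auth starts before the hunk.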
@@ -549,42 +547,25 @@ int MonClient::_start_auth_rotating() return 0; } - MAuthRotating *m = new MAuthRotating; - m->entity_name = entity_name; - _send_mon_message(m); + if (auth) { + MAuth *m = new MAuth; + m->protocol = auth->get_protocol(); + auth->build_rotating_request(m->auth_payload); + _send_mon_message(m); + } return 0; } -int MonClient::_wait_auth_rotating(double timeout) -{ - utime_t interval; - interval += timeout; - - int ret = auth_cond.WaitInterval(monc_lock, interval); - - return ret; -} - int MonClient::wait_auth_rotating(double timeout) { Mutex::Locker l(monc_lock); - - if (!auth_principal_needs_rotating_keys(entity_name)) - return 0; - - if (!g_keyring.need_rotating_secrets()) - return 0; - - return _wait_auth_rotating(timeout); + utime_t interval; + interval += timeout; + + while (auth_principal_needs_rotating_keys(entity_name) && + g_keyring.need_rotating_secrets()) + auth_cond.WaitInterval(monc_lock, interval); + return 0; } -void MonClient::handle_auth_rotating_response(MAuthRotating *m) -{ - Mutex::Locker l(monc_lock); - - if (auth) - auth->handle_rotating_response(m->status, m->response_bl); - - auth_cond.SignalAll(); -} diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h index bf98fc758a7c1..c39b860b67f88 100644 --- a/src/mon/MonClient.h +++ b/src/mon/MonClient.h @@ -109,7 +109,6 @@ public: void set_entity_name(EntityName name) { entity_name = name; } int _start_auth_rotating(); - int _wait_auth_rotating(double timeout); int wait_auth_rotating(double timeout); int mount(double mount_timeout); diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index d6756d954683c..d2443e67aa10c 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -544,7 +544,6 @@ bool Monitor::ms_dispatch(Message *m) // auth case CEPH_MSG_AUTH: - case MSG_AUTH_ROTATING: paxos_service[PAXOS_AUTH]->dispatch((PaxosServiceMessage*)m); break; diff --git a/src/msg/Message.cc b/src/msg/Message.cc index e5c2066232a4a..31cf665641c44 100644 --- a/src/msg/Message.cc 
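Review bot: wait_auth_rotating no longer honours its `timeout` argument: the loop keeps waiting while need_rotating_secrets() is true, the result of `auth_cond.WaitInterval(monc_lock, interval)` is discarded, and the function always returns 0, so a caller sees neither a timeout nor the case where `auth` is null and _start_auth_rotating sent no request at all. Tracking the elapsed time across iterations and returning a non-zero error (e.g. `-ETIMEDOUT`) once `timeout` has passed would let callers distinguish "keys acquired" from "gave up". A short comment on _start_auth_rotating noting that the reply now comes back as an ordinary MAuthReply handled in handle_auth() rather than through a dedicated message would help readers now that MAuthRotating is gone. _start_auth_rotating begins before the hunk.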
+++ b/src/msg/Message.cc @@ -125,7 +125,6 @@ using namespace std; #include "messages/MLock.h" #include "messages/MClass.h" -#include "messages/MAuthRotating.h" #include "config.h" @@ -504,10 +503,6 @@ Message *decode_message(ceph_msg_header& header, ceph_msg_footer& footer, m = new MClass(); break; - case MSG_AUTH_ROTATING: - m = new MAuthRotating(); - break; - default: dout(0) << "can't decode unknown message type " << type << " MSG_AUTH=" << CEPH_MSG_AUTH << dendl; assert(0); diff --git a/src/msg/Message.h b/src/msg/Message.h index 5baf48c039284..7906ae1ed9c4b 100644 --- a/src/msg/Message.h +++ b/src/msg/Message.h @@ -36,8 +36,6 @@ #define MSG_GETPOOLSTATS 58 #define MSG_GETPOOLSTATSREPLY 59 -#define MSG_AUTH_ROTATING 62 - #define MSG_POOLOP 49 #define MSG_POOLOPREPLY 48 -- 2.39.5