From cfe7f4992be3c2180f6649c4960342ab4b288f1f Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Sun, 20 Jan 2019 17:03:18 -0600
Subject: [PATCH] auth: introduce AuthClient and AuthServer handlers
These will be the primary interfaces consumed by the messenger and implemented by either MonClient (regular client, or service daemon) or Monitor for doing authentication.
Signed-off-by: Sage Weil
---
 src/auth/Auth.h | 13 ++++++++---
 src/auth/AuthClient.h | 34 +++++++++++++++++++++++++++
 src/auth/AuthServer.cc | 51 +++++++++++++++++++++++++++++++++++++++++
 src/auth/AuthServer.h | 35 ++++++++++++++++++++++++++++
 src/auth/CMakeLists.txt | 1 +
 5 files changed, 131 insertions(+), 3 deletions(-)
 create mode 100644 src/auth/AuthClient.h
 create mode 100644 src/auth/AuthServer.cc
 create mode 100644 src/auth/AuthServer.h
diff --git a/src/auth/Auth.h b/src/auth/Auth.h
index 15ea576ec42..00f852d25f8 100644
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
@@ -154,9 +154,16 @@ struct AuthAuthorizerChallenge {
 };
 
 struct AuthConnectionMeta {
- uint32_t auth_method = CEPH_AUTH_UNKNOWN;
- CryptoKey session_key;
- CryptoKey connection_secret;
+ uint32_t auth_method = CEPH_AUTH_UNKNOWN; //< CEPH_AUTH_*
+
+ /// client: initial empty, but populated if server said bad method
+ std::vector allowed_methods;
+
+ int auth_mode = 0; ///< server: AUTH_MODE_*
+
+ CryptoKey session_key; ///< per-ticket key
+ CryptoKey connection_secret; ///< per-connection key
+
 std::unique_ptr authorizer;
 std::unique_ptr authorizer_challenge;
 };
diff --git a/src/auth/AuthClient.h b/src/auth/AuthClient.h
new file mode 100644
index 00000000000..37e956e2e9d
--- /dev/null
+++ b/src/auth/AuthClient.h
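Review bot: The trailing comment on the first added member, `//< CEPH_AUTH_*`, is not a Doxygen member comment, while the four members below it use `///<`; change the line to `uint32_t auth_method = CEPH_AUTH_UNKNOWN; ///< CEPH_AUTH_*` so all five fields are documented the same way. `int auth_mode = 0; ///< server: AUTH_MODE_*` does not say what the initial 0 stands for; if 0 is not itself one of the AUTH_MODE_* values, the comment should state that 0 means no mode has been negotiated yet, otherwise the matching constant should be the initializer. The new client-only and server-only annotations are helpful, and a one-line comment on the struct saying that one instance is shared per connection and filled in from both sides would tie them together.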
@@ -0,0 +1,34 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#pragma once
+
+#include
+
+class EntityName;
+class AuthMethodList;
+class CryptoKey;
+
+class AuthClient {
+public:
+ virtual ~AuthClient() {}
+
+ virtual int get_auth_request(
+ Connection *con,
+ uint32_t *method, bufferlist *out) = 0;
+ virtual int handle_auth_reply_more(
+ Connection *con,
+ const bufferlist& bl,
+ bufferlist *reply) = 0;
+ virtual int handle_auth_done(
+ Connection *con,
+ uint64_t global_id,
+ const bufferlist& bl,
+ CryptoKey *session_key,
+ CryptoKey *connection_key) = 0;
+ virtual int handle_auth_bad_method(
+ Connection *con,
+ uint32_t old_auth_method,
+ int result,
+ const std::vector& allowed_methods) = 0;
+};
diff --git a/src/auth/AuthServer.cc b/src/auth/AuthServer.cc
new file mode 100644
index 00000000000..aeb02a8464f
--- /dev/null
+++ b/src/auth/AuthServer.cc
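Review bot: `Connection` appears in every method signature of AuthClient but is not forward-declared, whereas `EntityName` and `AuthMethodList` are declared and never used in this header; unless the single `#include` (whose argument is lost in this rendering) already brings `Connection` in, `class Connection;` belongs in that list and the two unused declarations can be dropped. The four pure virtuals carry no documentation although this is the contract the messenger will drive with peer-supplied bytes; each should get a `///` comment stating its return convention, which the header leaves unstated, and for `handle_auth_done` that `session_key` and `connection_key` are out-parameters the implementation fills in from the reply in `bl`. For `handle_auth_bad_method`, the comment should say that `allowed_methods` is the list the server sent back and that `result` is the server's error code, so implementers do not have to reverse-engineer it from MonClient. `virtual ~AuthClient() {}` can be `virtual ~AuthClient() = default;`.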
@@ -0,0 +1,51 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#include "AuthServer.h"
+#include "common/ceph_context.h"
+
+AuthServer::AuthServer(CephContext *cct)
+ : auth_ah_service_registry(
+ new AuthAuthorizeHandlerRegistry(
+ cct,
+ cct->_conf->auth_supported.empty() ?
+ cct->_conf->auth_service_required :
+ cct->_conf->auth_supported)),
+ auth_ah_cluster_registry(
+ new AuthAuthorizeHandlerRegistry(
+ cct,
+ cct->_conf->auth_supported.empty() ?
+ cct->_conf->auth_cluster_required :
+ cct->_conf->auth_supported))
+{
+}
+
+AuthAuthorizeHandler *AuthServer::get_auth_authorize_handler(
+ int peer_type,
+ int auth_method)
+{
+ switch (peer_type) {
+ case CEPH_ENTITY_TYPE_MDS:
+ case CEPH_ENTITY_TYPE_MON:
+ case CEPH_ENTITY_TYPE_MGR:
+ case CEPH_ENTITY_TYPE_OSD:
+ return auth_ah_cluster_registry->get_handler(auth_method);
+ default:
+ return auth_ah_service_registry->get_handler(auth_method);
+ }
+}
+
+void AuthServer::get_supported_auth_methods(
+ int peer_type,
+ vector *methods)
+{
+ switch (peer_type) {
+ case CEPH_ENTITY_TYPE_MDS:
+ case CEPH_ENTITY_TYPE_MON:
+ case CEPH_ENTITY_TYPE_MGR:
+ case CEPH_ENTITY_TYPE_OSD:
+ return auth_ah_cluster_registry->get_supported_methods(methods);
+ default:
+ return auth_ah_service_registry->get_supported_methods(methods);
+ }
+}
diff --git a/src/auth/AuthServer.h b/src/auth/AuthServer.h
new file mode 100644
index 00000000000..3ac4dbf3659
--- /dev/null
+++ b/src/auth/AuthServer.h
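Review bot: The peer-type classification is written out twice, once in `get_auth_authorize_handler` and again in `get_supported_auth_methods`, and because it decides whether a peer is checked against the cluster registry or the service registry, the two copies must never drift apart; a private `registry_for(peer_type)` helper (declared in AuthServer.h alongside the two registries) gives that split a single definition and shrinks both callers to one line. The constructor's two `new AuthAuthorizeHandlerRegistry(...)` expressions feeding `std::unique_ptr` members can become `std::make_unique<AuthAuthorizeHandlerRegistry>(...)`, removing the raw `new`. `vector *methods` in this file relies on an unqualified name while the header spells `std::vector`; using `std::vector` in both keeps the two signatures identical at a glance (the element type is inferred below since the template argument is stripped in this rendering).
```cpp
// … unchanged: constructor, with std::make_unique<AuthAuthorizeHandlerRegistry>(...) in place of new …

AuthAuthorizeHandlerRegistry *AuthServer::registry_for(int peer_type) const
{
  switch (peer_type) {
  case CEPH_ENTITY_TYPE_MDS:
  case CEPH_ENTITY_TYPE_MON:
  case CEPH_ENTITY_TYPE_MGR:
  case CEPH_ENTITY_TYPE_OSD:
    // cluster daemons are authorized against the cluster registry
    return auth_ah_cluster_registry.get();
  default:
    // everything else is authorized against the service registry
    return auth_ah_service_registry.get();
  }
}

AuthAuthorizeHandler *AuthServer::get_auth_authorize_handler(
  int peer_type,
  int auth_method)
{
  return registry_for(peer_type)->get_handler(auth_method);
}

void AuthServer::get_supported_auth_methods(
  int peer_type,
  std::vector<uint32_t> *methods)
{
  registry_for(peer_type)->get_supported_methods(methods);
}
```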
@@ -0,0 +1,35 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#pragma once
+
+#include "AuthAuthorizeHandler.h"
+
+#include
+
+class CephContext;
+class Connection;
+
+class AuthServer {
+private:
+ std::unique_ptr auth_ah_service_registry;
+ std::unique_ptr auth_ah_cluster_registry;
+public:
+ AuthServer(CephContext *cct);
+ virtual ~AuthServer() {}
+
+ AuthAuthorizeHandler *get_auth_authorize_handler(
+ int peer_type,
+ int auth_method);
+
+ virtual void get_supported_auth_methods(
+ int peer_type,
+ std::vector *methods);
+
+ virtual int handle_auth_request(
+ Connection *con,
+ bool more,
+ uint32_t auth_method,
+ const bufferlist& bl,
+ bufferlist *reply) = 0;
+};
diff --git a/src/auth/CMakeLists.txt b/src/auth/CMakeLists.txt
index d24f9a5df3c..5103f1adf3a 100644
--- a/src/auth/CMakeLists.txt
+++ b/src/auth/CMakeLists.txt
@@ -2,6 +2,7 @@ set(auth_srcs
 AuthAuthorizeHandler.cc
 AuthClientHandler.cc
 AuthMethodList.cc
+ AuthServer.cc
 AuthSessionHandler.cc
 Crypto.cc
 KeyRing.cc
-- 
2.39.5
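Review bot: `handle_auth_request` is the server-side entry point that will receive peer-supplied bytes, yet nothing in AuthServer.h says what `more` signals, what an implementation is expected to put in `reply`, or what the return value means; a `///` comment above the declaration spelling out the `more` flag, the reply contents and the return convention is what an implementer in Monitor needs to get the state machine right, and it is the place to state that `bl` is untrusted input. `AuthServer(CephContext *cct);` is a single-argument constructor and should be `explicit AuthServer(CephContext *cct);`. `virtual ~AuthServer() {}` can be `virtual ~AuthServer() = default;`, and `Connection` is forward-declared while `bufferlist` and `uint32_t` are not, which only works if the `#include` whose argument is lost in this rendering supplies them.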