From d57326fce6d78e4b92e318ce933ca39bf8e8fcc4 Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Tue, 18 Jun 2024 13:31:14 -0400
Subject: [PATCH] mon/AuthMonitor: add `ceph auth rotate` command

Add command to rotate the permanent key of an entity. This avoids the need to delete / recreate the key when it is compromised, lost, or just scheduled for rotation.

Fixes: https://tracker.ceph.com/issues/66509
Signed-off-by: Patrick Donnelly
---
 src/mon/AuthMonitor.cc | 27 +++++++++++++++++++++++++++
 src/mon/MonCommands.h | 4 ++++
 2 files changed, 31 insertions(+)

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index b20eac8399ed2..0a60ab6d26dd3 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -858,6 +858,7 @@ bool AuthMonitor::preprocess_command(MonOpRequestRef op)
 string prefix;
 cmd_getval(cmdmap, "prefix", prefix);
 if (prefix == "auth add" ||
+ prefix == "auth rotate" ||
 prefix == "auth del" ||
 prefix == "auth rm" ||
 prefix == "auth get-or-create" ||
@@ -1825,6 +1826,32 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 wait_for_commit(op, new Monitor::C_Command(mon, op, 0, rs,
 get_last_committed() + 1));
 return true;
+ } else if (prefix == "auth rotate") {
+ if (entity_name.empty()) {
+ ss << "bad entity name";
+ err = -EINVAL;
+ goto done;
+ }
+
+ EntityAuth entity_auth;
+ if (!mon.key_server.get_auth(entity, entity_auth)) {
+ ss << "entity does not exist";
+ err = -ENOENT;
+ goto done;
+ }
+
+ entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+
+ KeyServerData::Incremental auth_inc;
+ auth_inc.op = KeyServerData::AUTH_INC_ADD;
+ auth_inc.name = entity;
+ auth_inc.auth = entity_auth;
+ push_cephx_inc(auth_inc);
+
+ _encode_auth(entity, entity_auth, rdata, f.get());
+ wait_for_commit(op, new Monitor::C_Command(mon, op, 0, rs, rdata,
+ get_last_committed() + 1));
+ return true;
 }
 done:
 rdata.append(ds);
diff --git a/src/mon/MonCommands.h b/src/mon/MonCommands.h
index b2a678dff53c5..ff03e6549edbe 100644
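Review bot: The result of `entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES)` in the new "auth rotate" branch is discarded, so if key generation fails the code still reaches push_cephx_inc and commits whatever `entity_auth.key` holds at that point — most likely the key that was just loaded by get_auth — while reporting success and returning that key to the caller as if it were fresh. CryptoKey::create returns an int status, and every other failure in this branch bails out through `goto done` with an error; key generation should do the same: `int r = entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);` then `if (r < 0) { ss << "failed to generate new key"; err = r; goto done; }`. A one-line comment above `EntityAuth entity_auth;` noting that the existing entry is reused so caps are preserved and only the secret is replaced would also help the next reader. prepare_command begins and ends outside this hunk.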
--- a/src/mon/MonCommands.h
+++ b/src/mon/MonCommands.h
@@ -163,6 +163,10 @@ COMMAND("auth add "
 "add auth info for from input file, or random key if no "
 "input is given, and/or any caps specified in the command",
 "auth", "rwx")
+COMMAND("auth rotate "
+ "name=entity,type=CephString",
+ "rotate entity key",
+ "auth", "rwx")
 COMMAND("auth get-or-create-key "
 "name=entity,type=CephString "
 "name=caps,type=CephString,n=N,req=false",
-- 
2.39.5
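Review bot: The help string `"rotate entity key"` for the new COMMAND entry tells an operator less than the neighbouring entries do, which describe both the effect and what the command emits (e.g. "random key if no input is given"). Since the AuthMonitor.cc hunk appears to reuse the stored EntityAuth and replace only the secret, and then encodes the entry into rdata, a description such as `"generate a new secret key for <entity>, keeping its existing caps, and output the updated entry"` would make the semantics visible from `ceph auth -h` without reading the monitor code.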