From ed41f29ac9a2d36efeca0da7f190325ae94390e5 Mon Sep 17 00:00:00 2001 From: Colin Patrick McCabe Date: Wed, 1 Jun 2011 14:17:55 -0700 Subject: [PATCH] remove g_keyring Signed-off-by: Colin McCabe --- src/auth/KeyRing.cc | 68 +++++++++++++++++++++++++--- src/auth/KeyRing.h | 7 ++- src/auth/RotatingKeyRing.cc | 6 +++ src/auth/RotatingKeyRing.h | 1 + src/auth/cephx/CephxClientHandler.cc | 6 +-- src/auth/cephx/CephxClientHandler.h | 5 +- src/cmds.cc | 8 +++- src/common/common_init.cc | 56 ----------------------- src/cosd.cc | 13 ++++-- 9 files changed, 97 insertions(+), 73 deletions(-) diff --git a/src/auth/KeyRing.cc b/src/auth/KeyRing.cc index 51367495fd558..b9bd13583d7c8 100644 --- a/src/auth/KeyRing.cc +++ b/src/auth/KeyRing.cc @@ -14,24 +14,80 @@ #include #include +#include #include +#include "auth/AuthSupported.h" +#include "auth/Crypto.h" +#include "auth/KeyRing.h" +#include "common/ConfUtils.h" #include "common/config.h" #include "common/debug.h" #include "include/str_list.h" -#include "common/ConfUtils.h" - -#include "Crypto.h" -#include "auth/KeyRing.h" #define DOUT_SUBSYS auth #undef dout_prefix #define dout_prefix *_dout << "auth: " - +using std::auto_ptr; using namespace std; -KeyRing g_keyring; +KeyRing *KeyRing:: +from_ceph_conf(const md_config_t *conf) +{ + bool found_key = false; + auto_ptr < KeyRing > keyring(new KeyRing()); + + if (!is_supported_auth(CEPH_AUTH_CEPHX)) { + derr << "KeyRing::from_ceph_conf: CephX auth is not supported." << dendl; + return NULL; + } + + int ret = 0; + string filename; + if (ceph_resolve_file_search(conf->keyring, filename)) { + ret = keyring->load(filename); + if (ret) { + derr << "KeyRing::from_ceph_conf: failed to load " << filename + << ": error " << ret << dendl; + } + else { + found_key = true; + } + } + + if (!conf->key.empty()) { + EntityAuth ea; + ea.key.decode_base64(conf->key); + keyring->add(conf->name, ea); + found_key = true; + } + + if (!conf->keyfile.empty()) { + FILE *fp = fopen(conf->keyfile.c_str(), "r"); + if (fp) { + char buf[100]; + int res = fread(buf, 1, sizeof(buf) - 1, fp); + if (res < 0) { + res = ferror(fp); + derr << "KeyRing::from_ceph_conf: failed to read '" << conf->keyfile + << "'" << dendl; + } + else { + string k = buf; + EntityAuth ea; + ea.key.decode_base64(k); + keyring->add(conf->name, ea); + found_key = true; + } + fclose(fp); + } + } + + if (!found_key) + return NULL; + return keyring.release(); +} int KeyRing::set_modifier(const char *type, const char *val, EntityName& name, map& caps) { diff --git a/src/auth/KeyRing.h b/src/auth/KeyRing.h index 220bdd620b795..9869875b7bb06 100644 --- a/src/auth/KeyRing.h +++ b/src/auth/KeyRing.h @@ -20,12 +20,17 @@ #include "auth/Crypto.h" #include "auth/Auth.h" +class md_config_t; + class KeyRing { map keys; int set_modifier(const char *type, const char *val, EntityName& name, map& caps); void decode_plaintext(bufferlist::iterator& bl); public: + /* Create a KeyRing from a Ceph configuration */ + static KeyRing *from_ceph_conf(const md_config_t *conf); + map& get_keys() { return keys; } // yuck int load(const std::string &filename); @@ -77,6 +82,4 @@ public: }; WRITE_CLASS_ENCODER(KeyRing) -extern KeyRing g_keyring; - #endif diff --git a/src/auth/RotatingKeyRing.cc b/src/auth/RotatingKeyRing.cc index 993474955975b..d00a7d601daa8 100644 --- a/src/auth/RotatingKeyRing.cc +++ b/src/auth/RotatingKeyRing.cc @@ -69,3 +69,9 @@ bool RotatingKeyRing::get_service_secret(uint32_t service_id_, uint64_t secret_i secret = iter->second.key; return true; } + +KeyRing *RotatingKeyRing:: +get_keyring() +{ + return keyring; +} diff --git a/src/auth/RotatingKeyRing.h b/src/auth/RotatingKeyRing.h index 8bcf80f47393b..a088d995d0a9d 100644 --- a/src/auth/RotatingKeyRing.h +++ b/src/auth/RotatingKeyRing.h @@ -46,6 +46,7 @@ public: bool get_secret(const EntityName& name, CryptoKey& secret) const; bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret) const; + KeyRing *get_keyring(); }; #endif diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index 4d950538cd587..fa9b705d91076 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc @@ -45,7 +45,7 @@ int CephxClientHandler::build_request(bufferlist& bl) ::encode(header, bl); CryptoKey secret; - g_keyring.get_master(secret); + keyring->get_master(secret); CephXAuthenticate req; get_random_bytes((char *)&req.client_challenge, sizeof(req.client_challenge)); @@ -110,7 +110,7 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) { dout(10) << " get_auth_session_key" << dendl; CryptoKey secret; - g_keyring.get_master(secret); + keyring->get_master(secret); if (!tickets.verify_service_ticket_reply(secret, indata)) { dout(0) << "could not verify service_ticket reply" << dendl; @@ -147,7 +147,7 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) if (rotating_secrets) { RotatingSecrets secrets; CryptoKey secret_key; - g_keyring.get_master(secret_key); + keyring->get_master(secret_key); if (decode_decrypt(secrets, secret_key, indata) == 0) { rotating_secrets->set_secrets(secrets); } else { diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h index f21e245b78705..b3ddc2b901455 100644 --- a/src/auth/cephx/CephxClientHandler.h +++ b/src/auth/cephx/CephxClientHandler.h @@ -28,11 +28,14 @@ class CephxClientHandler : public AuthClientHandler { CephXTicketManager tickets; RotatingKeyRing *rotating_secrets; + KeyRing *keyring; public: CephxClientHandler(RotatingKeyRing *rsecrets) : authorizer(0), - rotating_secrets(rsecrets) { + rotating_secrets(rsecrets), + keyring(rsecrets->get_keyring()) + { reset(); } diff --git a/src/cmds.cc b/src/cmds.cc index 76e869dc18108..39fc871cdc576 100644 --- a/src/cmds.cc +++ b/src/cmds.cc @@ -66,6 +66,11 @@ int main(int argc, const char **argv) env_to_vec(args); common_init(args, CEPH_ENTITY_TYPE_MDS, CODE_ENVIRONMENT_DAEMON, 0); + KeyRing *cmds_keyring = KeyRing::from_ceph_conf(g_ceph_context._conf); + if (!cmds_keyring) { + derr << "Unable to get a Ceph keyring." << dendl; + return 1; + } // mds specific args int shadow = 0; @@ -117,7 +122,7 @@ int main(int argc, const char **argv) } // get monmap - RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_MDS, &g_keyring); + RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_MDS, cmds_keyring); MonClient mc(&rkeys); if (mc.build_initial_monmap() < 0) return -1; @@ -165,6 +170,7 @@ int main(int argc, const char **argv) if (shadow != MDSMap::STATE_ONESHOT_REPLAY) common_init_daemonize(&g_ceph_context, 0); common_init_finish(&g_ceph_context); + ... messenger->start(); // start mds diff --git a/src/common/common_init.cc b/src/common/common_init.cc index c20843345e786..83cfbc99cb282 100644 --- a/src/common/common_init.cc +++ b/src/common/common_init.cc @@ -12,8 +12,6 @@ * */ -#include "auth/AuthSupported.h" -#include "auth/KeyRing.h" #include "common/DoutStreambuf.h" #include "common/Thread.h" #include "common/ceph_argparse.h" @@ -37,59 +35,6 @@ #define _STR(x) #x #define STRINGIFY(x) _STR(x) -int keyring_init(CephContext *cct) -{ - md_config_t *conf = cct->_conf; - - if (!is_supported_auth(CEPH_AUTH_CEPHX)) - return 0; - - int ret = 0; - string filename; - if (ceph_resolve_file_search(conf->keyring, filename)) { - ret = g_keyring.load(filename); - } - - if (!conf->key.empty()) { - EntityAuth ea; - ea.key.decode_base64(conf->key); - g_keyring.add(conf->name, ea); - - ret = 0; - } else if (!conf->keyfile.empty()) { - char buf[100]; - int fd = ::open(conf->keyfile.c_str(), O_RDONLY); - if (fd < 0) { - int err = errno; - derr << "unable to open " << conf->keyfile << ": " - << cpp_strerror(err) << dendl; - ceph_abort(); - } - memset(buf, 0, sizeof(buf)); - int len = safe_read(fd, buf, sizeof(buf) - 1); - if (len < 0) { - derr << "unable to read key from " << conf->keyfile << ": " - << cpp_strerror(len) << dendl; - TEMP_FAILURE_RETRY(::close(fd)); - ceph_abort(); - } - TEMP_FAILURE_RETRY(::close(fd)); - - buf[len] = 0; - string k = buf; - EntityAuth ea; - ea.key.decode_base64(k); - - g_keyring.add(conf->name, ea); - - ret = 0; - } - - if (ret) - derr << "keyring_init: failed to load " << filename << dendl; - return ret; -} - CephContext *common_preinit(const CephInitParameters &iparams, enum code_environment_t code_env, int flags) { @@ -303,6 +248,5 @@ void common_init_daemonize(const CephContext *cct, int flags) void common_init_finish(CephContext *cct) { ceph::crypto::init(); - keyring_init(cct); cct->start_service_thread(); } diff --git a/src/cosd.cc b/src/cosd.cc index eb5b83d049cfd..01a0ceff70298 100644 --- a/src/cosd.cc +++ b/src/cosd.cc @@ -57,6 +57,11 @@ int main(int argc, const char **argv) vector::iterator args_iter; common_init(args, CEPH_ENTITY_TYPE_OSD, CODE_ENVIRONMENT_DAEMON, 0); + KeyRing *cosd_keyring = KeyRing::from_ceph_conf(g_ceph_context._conf); + if (!cosd_keyring) { + derr << "Unable to get a Ceph keyring." << dendl; + return 1; + } ceph_heap_profiler_init(); @@ -123,7 +128,7 @@ int main(int argc, const char **argv) if (mkfs) { common_init_finish(&g_ceph_context); - RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_OSD, &g_keyring); + RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_OSD, cosd_keyring); MonClient mc(&rkeys); if (mc.build_initial_monmap() < 0) return -1; @@ -146,9 +151,9 @@ int main(int argc, const char **argv) EntityName ename(g_conf.name); EntityAuth eauth; eauth.key.create(CEPH_CRYPTO_AES); - g_keyring.add(ename, eauth); + cosd_keyring->add(ename, eauth); bufferlist bl; - g_keyring.encode_plaintext(bl); + cosd_keyring->encode_plaintext(bl); int r = bl.write_file(g_conf.keyring.c_str(), 0600); if (r) derr << TEXT_RED << " ** ERROR: writing new keyring to " << g_conf.keyring @@ -274,7 +279,7 @@ int main(int argc, const char **argv) // Leave stderr open in case we need to report errors. common_init_daemonize(&g_ceph_context, CINIT_FLAG_NO_CLOSE_STDERR); common_init_finish(&g_ceph_context); - RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_OSD, &g_keyring); + RotatingKeyRing rkeys(CEPH_ENTITY_TYPE_OSD, cosd_keyring); MonClient mc(&rkeys); if (mc.build_initial_monmap() < 0) return -1; -- 2.39.5