doc/architecture: "Edit HA Auth"

Rewrite the explanation of how a client authenticates against a monitor.
This is a rewrite of a single paragraph, and has been set apart in its
own PR so that it can receive the maximum amount of scrutiny that the
upstream Ceph community can muster.

Co-authored-by: Anthony D'Atri <anthony.datri@gmail.com>
Signed-off-by: Zac Dover <zac.dover@proton.me>
Zac Dover 2023-09-23 12:26:18 +10:00
parent 1378703106
commit c71cd84ec9


@ -278,16 +278,16 @@ the client and the monitor share a secret key.
| transmit key | | transmit key |
| | | |
To authenticate with the monitor, the client passes in the user name to the Here is how a client authenticates with a monitor. The client passes the user
monitor, and the monitor generates a session key and encrypts it with the secret name to the monitor. The monitor generates a session key that is encrypted with
key associated to the user name. Then, the monitor transmits the encrypted the secret key associated with the ``username``. The monitor transmits the
ticket back to the client. The client then decrypts the payload with the shared encrypted ticket to the client. The client uses the shared secret key to
secret key to retrieve the session key. The session key identifies the user for decrypt the payload. The session key identifies the user, and this act of
the current session. The client then requests a ticket on behalf of the user identification will last for the duration of the session. The client requests
signed by the session key. The monitor generates a ticket, encrypts it with the a ticket for the user, and the ticket is signed with the session key. The
user's secret key and transmits it back to the client. The client decrypts the monitor generates a ticket and uses the user's secret key to encrypt it. The
ticket and uses it to sign requests to OSDs and metadata servers throughout the encrypted ticket is transmitted to the client. The client decrypts the ticket
cluster. and uses it to sign requests to OSDs and to metadata servers in the cluster.
.. ditaa:: .. ditaa::
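Review bot: the new sentence "The client requests a ticket for the user, and the ticket is signed with the session key" is ambiguous about what is signed. The old wording ("requests a ticket on behalf of the user signed by the session key") meant that the request is signed with the session key, and the following sentence in the new text has the monitor encrypting the ticket with the user's secret key, so a reader could now conclude that the ticket carries two different protections. Suggest "The client sends the monitor a request for a ticket, signing the request with the session key." Two smaller points in the same hunk: "user name" in the first sentence and ``username`` two sentences later should use one form, and the first payload the monitor returns is introduced as a session key but then referred to as "the encrypted ticket"; naming it consistently (for example "the encrypted session key") would help, since "ticket" is used for the later, distinct object that the client uses to sign requests to OSDs and metadata servers.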