RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-02-01 07:52:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth: move keys_server to the monitor

Browse Source
This commit is contained in:
Yehuda Sadeh 2009-09-23 14:58:42 -07:00
parent 0d2a3f117d
commit d5b79beddb
9 changed files with 36 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/auth/Auth.cc
View File

@ -97,7 +97,8 @@ bool build_service_ticket_reply(
return true;
}
bool verify_service_ticket_request(CryptoKey& service_secret,
bool verify_service_ticket_request(EntityName& name,
CryptoKey& service_secret,
CryptoKey& session_key,
AuthServiceTicketRequest& ticket_req,
AuthServiceTicketInfo& ticket_info,

3
src/auth/Auth.h
View File

@ -394,7 +394,8 @@ int encode_encrypt(const T& t, CryptoKey& key, bufferlist& out) {
/*
* Verify authorizer and generate reply authorizer
*/
extern bool verify_service_ticket_request(CryptoKey& service_secret,
extern bool verify_service_ticket_request(EntityName& name,
CryptoKey& service_secret,
CryptoKey& session_key,
AuthServiceTicketRequest& ticket_req,
AuthServiceTicketInfo& ticket_info,

7
src/auth/AuthProtocol.h
View File

@ -38,7 +38,7 @@ struct CephXPremable {
};
WRITE_CLASS_ENCODER(CephXPremable)
/*
/*
Ceph X-Envelope protocol
*/
struct CephXEnvRequest1 {
@ -58,15 +58,12 @@ struct CephXEnvRequest1 {
void decode(bufferlist::iterator& bl) {
uint32_t num_auth;
::decode(num_auth, bl);
dout(0) << "num_auth=" << num_auth << dendl;
auth_types.clear();
for (uint32_t i=0; i<num_auth; i++) {
uint32_t auth_type;
::decode(auth_type, bl);
dout(0) << "auth_type[" << i << "] = " << auth_type << dendl;
auth_types[auth_type] = true;
}
}

5
src/auth/AuthServiceManager.cc
View File

@ -45,7 +45,6 @@ static inline void hexdump(string msg, const char *s, int len)
dout(0) << msg << ":\n" << buf << dendl;
}
class CephAuthServer {
/* FIXME: this is all temporary */
AuthTicket ticket;
@ -233,10 +232,12 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
{
CryptoKey auth_secret;
auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH);
// ... FIXME .. get entity name, session_key from Monitor::Session
AuthServiceTicketRequest ticket_req;
AuthServiceTicketInfo ticket_info;
if (!verify_service_ticket_request(auth_secret, session_key, ticket_req, ticket_info, indata)) {
EntityName name;
if (!verify_service_ticket_request(name, auth_secret, session_key, ticket_req, ticket_info, indata)) {
ret = -EPERM;
break;
}

5
src/auth/KeysServer.cc
View File

@ -54,6 +54,9 @@ bool KeysServerData::get_service_secret(uint32_t service_id, RotatingSecrets& se
if (iter == rotating_secrets.end())
return false;
if (rotating_secrets.size() > 1)
++iter; /* avoid giving the oldest rotating secret, as it'll expire soon */
secret = iter->second;
return true;
}
@ -189,6 +192,8 @@ bool KeysServer::contains(EntityName& name)
void KeysServer::list_secrets(stringstream& ss)
{
Mutex::Locker l(lock);
map<EntityName, CryptoKey>::iterator mapiter = data.secrets_begin();
if (mapiter != data.secrets_end()) {
ss << "installed auth entries: " << std::endl;

4
src/auth/KeysServer.h
View File

@ -106,6 +106,7 @@ public:
KeysServer();
bool get_secret(EntityName& name, CryptoKey& secret);
bool get_active_rotating_secret(EntityName& name, CryptoKey& secret);
int start_server(bool init);
void rotate_timeout(double timeout);
@ -118,6 +119,7 @@ public:
::encode(data, bl);
}
void decode(bufferlist::iterator& bl) {
Mutex::Locker l(lock);
::decode(data, bl);
}
bool contains(EntityName& name);
@ -155,6 +157,8 @@ public:
void decode_rotating(bufferlist& rotating_bl);
bool get_rotating_encrypted(EntityName& name, bufferlist& enc_bl);
Mutex& get_lock() { return lock; }
};
WRITE_CLASS_ENCODER(KeysServer);

27
src/mon/AuthMonitor.cc
View File

@ -53,7 +53,7 @@ ostream& operator<<(ostream& out, AuthMonitor& pm)
void AuthMonitor::check_rotate()
{
AuthLibEntry entry;
if (!keys_server.updated_rotating(entry.rotating_bl, last_rotating_ver))
if (!mon->keys_server.updated_rotating(entry.rotating_bl, last_rotating_ver))
return;
dout(0) << "AuthMonitor::tick() updated rotating, now calling propose_pending" << dendl;
@ -87,7 +87,7 @@ void AuthMonitor::on_active()
if (!mon->is_leader())
return;
keys_server.start_server(true);
mon->keys_server.start_server(true);
check_rotate();
}
@ -121,7 +121,7 @@ bool AuthMonitor::update_from_paxos()
{
dout(0) << "AuthMonitor::update_from_paxos()" << dendl;
version_t paxosv = paxos->get_version();
version_t keys_ver = keys_server.get_ver();
version_t keys_ver = mon->keys_server.get_ver();
if (paxosv == keys_ver) return true;
assert(paxosv >= keys_ver);
@ -132,7 +132,7 @@ bool AuthMonitor::update_from_paxos()
if (v) {
dout(7) << "update_from_paxos startup: loading summary e" << v << dendl;
bufferlist::iterator p = latest.begin();
::decode(keys_server, p);
::decode(mon->keys_server, p);
}
}
@ -150,18 +150,18 @@ bool AuthMonitor::update_from_paxos()
switch (inc.op) {
case AUTH_INC_ADD:
if (!entry.rotating) {
keys_server.add_secret(entry.name, entry.secret);
mon->keys_server.add_secret(entry.name, entry.secret);
} else {
derr(0) << "got AUTH_INC_ADD with entry.rotating" << dendl;
}
break;
case AUTH_INC_DEL:
keys_server.remove_secret(entry.name);
mon->keys_server.remove_secret(entry.name);
break;
case AUTH_INC_SET_ROTATING:
{
dout(0) << "AuthMonitor::update_from_paxos: decode_rotating" << dendl;
keys_server.decode_rotating(entry.rotating_bl);
mon->keys_server.decode_rotating(entry.rotating_bl);
}
break;
case AUTH_INC_NOP:
@ -171,11 +171,12 @@ bool AuthMonitor::update_from_paxos()
}
keys_ver++;
keys_server.set_ver(keys_ver);
mon->keys_server.set_ver(keys_ver);
}
bufferlist bl;
::encode(keys_server, bl);
Mutex::Locker l(mon->keys_server.get_lock());
::encode(mon->keys_server, bl);
paxos->stash_latest(paxosv, bl);
return true;
@ -291,7 +292,7 @@ bool AuthMonitor::preprocess_auth_rotating(MAuthRotating *m)
if (!reply)
return true;
if (keys_server.get_rotating_encrypted(m->entity_name, reply->response_bl)) {
if (mon->keys_server.get_rotating_encrypted(m->entity_name, reply->response_bl)) {
reply->status = 0;
} else {
reply->status = -EPERM;
@ -313,7 +314,7 @@ bool AuthMonitor::preprocess_auth_mon(MAuthMon *m)
for (deque<AuthLibEntry>::iterator p = m->info.begin();
p != m->info.end();
p++) {
if (!keys_server.contains((*p).name))
if (!mon->keys_server.contains((*p).name))
num_new++;
}
if (!num_new) {
@ -430,7 +431,7 @@ bool AuthMonitor::prepare_command(MMonCommand *m)
string name = m->cmd[2];
AuthLibEntry entry;
entry.name.from_str(name);
if (!keys_server.contains(entry.name)) {
if (!mon->keys_server.contains(entry.name)) {
ss << "couldn't find entry " << name;
rs = -ENOENT;
goto done;
@ -445,7 +446,7 @@ bool AuthMonitor::prepare_command(MMonCommand *m)
paxos->wait_for_commit(new Monitor::C_Command(mon, m, 0, rs, paxos->get_version()));
return true;
} else if (m->cmd[1] == "list") {
keys_server.list_secrets(ss);
mon->keys_server.list_secrets(ss);
err = 0;
goto done;
} else {

1
src/mon/AuthMonitor.h
View File

@ -38,7 +38,6 @@ class MAuthRotating;
class AuthMonitor : public PaxosService {
void auth_usage(stringstream& ss);
vector<AuthLibIncremental> pending_auth;
KeysServer keys_server;
version_t last_rotating_ver;
AuthServiceManager auth_mgr;

4
src/mon/Monitor.h
View File

@ -37,6 +37,8 @@
#include "common/LogClient.h"
#include "auth/KeysServer.h"
class MonitorStore;
@ -67,6 +69,8 @@ public:
void reset_tick();
friend class C_Mon_Tick;
KeysServer keys_server;
// -- local storage --
public:
MonitorStore *store;