[ceph.git] / ceph / src / mon / AuthMonitor.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- 
// vim: ts=8 sw=2 smarttab
/*
 * Ceph - scalable distributed file system
 *
 * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
 *
 * This is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License version 2.1, as published by the Free Software 
 * Foundation.  See file COPYING.
 * 
 */

#ifndef CEPH_AUTHMONITOR_H
#define CEPH_AUTHMONITOR_H

#include <map>
#include <set>

#include "global/global_init.h"
#include "include/ceph_features.h"
#include "include/types.h"
#include "mon/PaxosService.h"
#include "mon/MonitorDBStore.h"

class MAuth;
class KeyRing;
class Monitor;

#define MIN_GLOBAL_ID 0x1000

class AuthMonitor : public PaxosService {
public:
  enum IncType {
    GLOBAL_ID,
    AUTH_DATA,
  };
  struct Incremental {
    IncType inc_type;
    uint64_t max_global_id;
    uint32_t auth_type;
    ceph::buffer::list auth_data;

    Incremental() : inc_type(GLOBAL_ID), max_global_id(0), auth_type(0) {}

    void encode(ceph::buffer::list& bl, uint64_t features=-1) const {
      using ceph::encode;
      ENCODE_START(2, 2, bl);
      __u32 _type = (__u32)inc_type;
      encode(_type, bl);
      if (_type == GLOBAL_ID) {
	encode(max_global_id, bl);
      } else {
	encode(auth_type, bl);
	encode(auth_data, bl);
      }
      ENCODE_FINISH(bl);
    }
    void decode(ceph::buffer::list::const_iterator& bl) {
      DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
      __u32 _type;
      decode(_type, bl);
      inc_type = (IncType)_type;
      ceph_assert(inc_type >= GLOBAL_ID && inc_type <= AUTH_DATA);
      if (_type == GLOBAL_ID) {
	decode(max_global_id, bl);
      } else {
	decode(auth_type, bl);
	decode(auth_data, bl);
      }
      DECODE_FINISH(bl);
    }
    void dump(ceph::Formatter *f) const {
      f->dump_int("type", inc_type);
      f->dump_int("max_global_id", max_global_id);
      f->dump_int("auth_type", auth_type);
      f->dump_int("auth_data_len", auth_data.length());
    }
    static void generate_test_instances(std::list<Incremental*>& ls) {
      ls.push_back(new Incremental);
      ls.push_back(new Incremental);
      ls.back()->inc_type = GLOBAL_ID;
      ls.back()->max_global_id = 1234;
      ls.push_back(new Incremental);
      ls.back()->inc_type = AUTH_DATA;
      ls.back()->auth_type = 12;
      ls.back()->auth_data.append("foo");
    }
  };

  struct auth_entity_t {
    EntityName name;
    EntityAuth auth;
  };


private:
  std::vector<Incremental> pending_auth;
  uint64_t max_global_id;
  uint64_t last_allocated_id;

  // these are protected by mon->auth_lock
  int mon_num = 0, mon_rank = 0;

  bool _upgrade_format_to_dumpling();
  bool _upgrade_format_to_luminous();
  bool _upgrade_format_to_mimic();
  void upgrade_format() override;

  void export_keyring(KeyRing& keyring);
  int import_keyring(KeyRing& keyring);

  void push_cephx_inc(KeyServerData::Incremental& auth_inc) {
    Incremental inc;
    inc.inc_type = AUTH_DATA;
    encode(auth_inc, inc.auth_data);
    inc.auth_type = CEPH_AUTH_CEPHX;
    pending_auth.push_back(inc);
  }

  /* validate mon/osd/mds caps; fail on unrecognized service/type */
  bool valid_caps(const std::string& type, const std::string& caps, std::ostream *out);
  bool valid_caps(const std::string& type, const ceph::buffer::list& bl, std::ostream *out) {
    auto p = bl.begin();
    std::string v;
    try {
      using ceph::decode;
      decode(v, p);
    } catch (ceph::buffer::error& e) {
      *out << "corrupt capability encoding";
      return false;
    }
    return valid_caps(type, v, out);
  }
  bool valid_caps(const std::vector<std::string>& caps, std::ostream *out);

  void on_active() override;
  bool should_propose(double& delay) override;
  void get_initial_keyring(KeyRing *keyring);
  void create_initial_keys(KeyRing *keyring);
  void create_initial() override;
  void update_from_paxos(bool *need_bootstrap) override;
  void create_pending() override;  // prepare a new pending
  bool prepare_global_id(MonOpRequestRef op);
  bool _should_increase_max_global_id(); ///< called under mon->auth_lock
  void increase_max_global_id();
  uint64_t assign_global_id(bool should_increase_max);
public:
  uint64_t _assign_global_id(); ///< called under mon->auth_lock
  void _set_mon_num_rank(int num, int rank); ///< called under mon->auth_lock

private:
  bool prepare_used_pending_keys(MonOpRequestRef op);

  // propose pending update to peers
  void encode_pending(MonitorDBStore::TransactionRef t) override;
  void encode_full(MonitorDBStore::TransactionRef t) override;
  version_t get_trim_to() const override;

  bool preprocess_query(MonOpRequestRef op) override;  // true if processed.
  bool prepare_update(MonOpRequestRef op) override;

  bool prep_auth(MonOpRequestRef op, bool paxos_writable);

  bool preprocess_command(MonOpRequestRef op);
  bool prepare_command(MonOpRequestRef op);

  bool check_rotate();
  void process_used_pending_keys(const std::map<EntityName,CryptoKey>& keys);

  bool entity_is_pending(EntityName& entity);
  int exists_and_matches_entity(
      const auth_entity_t& entity,
      bool has_secret,
      std::stringstream& ss);
  int exists_and_matches_entity(
      const EntityName& name,
      const EntityAuth& auth,
      const std::map<std::string,ceph::buffer::list>& caps,
      bool has_secret,
      std::stringstream& ss);
  int remove_entity(const EntityName &entity);
  int add_entity(
      const EntityName& name,
      const EntityAuth& auth);

 public:
  AuthMonitor(Monitor &mn, Paxos &p, const std::string& service_name)
    : PaxosService(mn, p, service_name),
      max_global_id(0),
      last_allocated_id(0)
  {}

  void pre_auth(MAuth *m);

  void tick() override;  // check state, take actions

  int validate_osd_destroy(
      int32_t id,
      const uuid_d& uuid,
      EntityName& cephx_entity,
      EntityName& lockbox_entity,
      std::stringstream& ss);
  int do_osd_destroy(
      const EntityName& cephx_entity,
      const EntityName& lockbox_entity);

  int do_osd_new(
      const auth_entity_t& cephx_entity,
      const auth_entity_t& lockbox_entity,
      bool has_lockbox);
  int validate_osd_new(
      int32_t id,
      const uuid_d& uuid,
      const std::string& cephx_secret,
      const std::string& lockbox_secret,
      auth_entity_t& cephx_entity,
      auth_entity_t& lockbox_entity,
      std::stringstream& ss);

  void dump_info(ceph::Formatter *f);

  bool is_valid_cephx_key(const std::string& k) {
    if (k.empty())
      return false;

    EntityAuth ea;
    try {
      ea.key.decode_base64(k);
      return true;
    } catch (ceph::buffer::error& e) { /* fallthrough */ }
    return false;
  }
};


WRITE_CLASS_ENCODER_FEATURES(AuthMonitor::Incremental)

#endif
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3	/*
	4	* Ceph - scalable distributed file system
	5	*
	6	* Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
	7	*
	8	* This is free software; you can redistribute it and/or
	9	* modify it under the terms of the GNU Lesser General Public
	10	* License version 2.1, as published by the Free Software
	11	* Foundation. See file COPYING.
	12	*
	13	*/
	14
	15	#ifndef CEPH_AUTHMONITOR_H
	16	#define CEPH_AUTHMONITOR_H
	17
	18	#include <map>
	19	#include <set>
7c673cae	20
a8e16298	21	#include "global/global_init.h"
7c673cae FG	22	#include "include/ceph_features.h"
	23	#include "include/types.h"
	24	#include "mon/PaxosService.h"
	25	#include "mon/MonitorDBStore.h"
	26
f67539c2	27	class MAuth;
7c673cae FG	28	class KeyRing;
	29	class Monitor;
	30
	31	#define MIN_GLOBAL_ID 0x1000
	32
	33	class AuthMonitor : public PaxosService {
	34	public:
	35	enum IncType {
	36	GLOBAL_ID,
	37	AUTH_DATA,
	38	};
	39	struct Incremental {
	40	IncType inc_type;
	41	uint64_t max_global_id;
	42	uint32_t auth_type;
f67539c2	43	ceph::buffer::list auth_data;
7c673cae FG	44
	45	Incremental() : inc_type(GLOBAL_ID), max_global_id(0), auth_type(0) {}
	46
f67539c2	47	void encode(ceph::buffer::list& bl, uint64_t features=-1) const {
11fdf7f2	48	using ceph::encode;
7c673cae FG	49	ENCODE_START(2, 2, bl);
7c673cae FG	50	__u32 _type = (__u32)inc_type;
11fdf7f2	51	encode(_type, bl);
7c673cae	52	if (_type == GLOBAL_ID) {
11fdf7f2	53	encode(max_global_id, bl);
7c673cae	54	} else {
11fdf7f2 TL	55	encode(auth_type, bl);
11fdf7f2 TL	56	encode(auth_data, bl);
7c673cae FG	57	}
	58	ENCODE_FINISH(bl);
	59	}
f67539c2	60	void decode(ceph::buffer::list::const_iterator& bl) {
7c673cae FG	61	DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
7c673cae FG	62	__u32 _type;
11fdf7f2	63	decode(_type, bl);
7c673cae	64	inc_type = (IncType)_type;
11fdf7f2	65	ceph_assert(inc_type >= GLOBAL_ID && inc_type <= AUTH_DATA);
7c673cae	66	if (_type == GLOBAL_ID) {
11fdf7f2	67	decode(max_global_id, bl);
7c673cae	68	} else {
11fdf7f2 TL	69	decode(auth_type, bl);
11fdf7f2 TL	70	decode(auth_data, bl);
7c673cae FG	71	}
	72	DECODE_FINISH(bl);
	73	}
f67539c2	74	void dump(ceph::Formatter *f) const {
7c673cae FG	75	f->dump_int("type", inc_type);
	76	f->dump_int("max_global_id", max_global_id);
	77	f->dump_int("auth_type", auth_type);
	78	f->dump_int("auth_data_len", auth_data.length());
	79	}
f67539c2	80	static void generate_test_instances(std::list<Incremental*>& ls) {
7c673cae FG	81	ls.push_back(new Incremental);
	82	ls.push_back(new Incremental);
	83	ls.back()->inc_type = GLOBAL_ID;
	84	ls.back()->max_global_id = 1234;
	85	ls.push_back(new Incremental);
	86	ls.back()->inc_type = AUTH_DATA;
	87	ls.back()->auth_type = 12;
	88	ls.back()->auth_data.append("foo");
	89	}
	90	};
	91
31f18b77 FG	92	struct auth_entity_t {
	93	EntityName name;
	94	EntityAuth auth;
	95	};
	96
	97
7c673cae	98	private:
f67539c2	99	std::vector<Incremental> pending_auth;
7c673cae FG	100	uint64_t max_global_id;
	101	uint64_t last_allocated_id;
	102
11fdf7f2 TL	103	// these are protected by mon->auth_lock
	104	int mon_num = 0, mon_rank = 0;
	105
	106	bool _upgrade_format_to_dumpling();
	107	bool _upgrade_format_to_luminous();
	108	bool _upgrade_format_to_mimic();
7c673cae FG	109	void upgrade_format() override;
	110
	111	void export_keyring(KeyRing& keyring);
	112	int import_keyring(KeyRing& keyring);
	113
	114	void push_cephx_inc(KeyServerData::Incremental& auth_inc) {
	115	Incremental inc;
	116	inc.inc_type = AUTH_DATA;
11fdf7f2	117	encode(auth_inc, inc.auth_data);
7c673cae FG	118	inc.auth_type = CEPH_AUTH_CEPHX;
	119	pending_auth.push_back(inc);
	120	}
	121
11fdf7f2	122	/* validate mon/osd/mds caps; fail on unrecognized service/type */
f67539c2 TL	123	bool valid_caps(const std::string& type, const std::string& caps, std::ostream *out);
f67539c2 TL	124	bool valid_caps(const std::string& type, const ceph::buffer::list& bl, std::ostream *out) {
11fdf7f2	125	auto p = bl.begin();
f67539c2	126	std::string v;
11fdf7f2	127	try {
f67539c2	128	using ceph::decode;
11fdf7f2	129	decode(v, p);
f67539c2	130	} catch (ceph::buffer::error& e) {
11fdf7f2 TL	131	*out << "corrupt capability encoding";
	132	return false;
	133	}
	134	return valid_caps(type, v, out);
	135	}
f67539c2	136	bool valid_caps(const std::vector<std::string>& caps, std::ostream *out);
7c673cae FG	137
	138	void on_active() override;
	139	bool should_propose(double& delay) override;
11fdf7f2 TL	140	void get_initial_keyring(KeyRing *keyring);
11fdf7f2 TL	141	void create_initial_keys(KeyRing *keyring);
7c673cae FG	142	void create_initial() override;
	143	void update_from_paxos(bool *need_bootstrap) override;
	144	void create_pending() override; // prepare a new pending
	145	bool prepare_global_id(MonOpRequestRef op);
11fdf7f2	146	bool _should_increase_max_global_id(); ///< called under mon->auth_lock
7c673cae	147	void increase_max_global_id();
11fdf7f2 TL	148	uint64_t assign_global_id(bool should_increase_max);
	149	public:
	150	uint64_t _assign_global_id(); ///< called under mon->auth_lock
	151	void _set_mon_num_rank(int num, int rank); ///< called under mon->auth_lock
	152
	153	private:
39ae355f TL	154	bool prepare_used_pending_keys(MonOpRequestRef op);
39ae355f TL	155
7c673cae FG	156	// propose pending update to peers
	157	void encode_pending(MonitorDBStore::TransactionRef t) override;
	158	void encode_full(MonitorDBStore::TransactionRef t) override;
11fdf7f2	159	version_t get_trim_to() const override;
7c673cae FG	160
	161	bool preprocess_query(MonOpRequestRef op) override; // true if processed.
	162	bool prepare_update(MonOpRequestRef op) override;
	163
	164	bool prep_auth(MonOpRequestRef op, bool paxos_writable);
	165
	166	bool preprocess_command(MonOpRequestRef op);
	167	bool prepare_command(MonOpRequestRef op);
	168
	169	bool check_rotate();
39ae355f	170	void process_used_pending_keys(const std::map<EntityName,CryptoKey>& keys);
31f18b77 FG	171
	172	bool entity_is_pending(EntityName& entity);
	173	int exists_and_matches_entity(
	174	const auth_entity_t& entity,
	175	bool has_secret,
f67539c2	176	std::stringstream& ss);
31f18b77 FG	177	int exists_and_matches_entity(
	178	const EntityName& name,
	179	const EntityAuth& auth,
f67539c2	180	const std::map<std::string,ceph::buffer::list>& caps,
31f18b77	181	bool has_secret,
f67539c2	182	std::stringstream& ss);
31f18b77 FG	183	int remove_entity(const EntityName &entity);
	184	int add_entity(
	185	const EntityName& name,
	186	const EntityAuth& auth);
	187
7c673cae	188	public:
f67539c2	189	AuthMonitor(Monitor &mn, Paxos &p, const std::string& service_name)
7c673cae	190	: PaxosService(mn, p, service_name),
7c673cae FG	191	max_global_id(0),
	192	last_allocated_id(0)
	193	{}
	194
	195	void pre_auth(MAuth *m);
31f18b77	196
7c673cae FG	197	void tick() override; // check state, take actions
7c673cae FG	198
31f18b77 FG	199	int validate_osd_destroy(
	200	int32_t id,
	201	const uuid_d& uuid,
	202	EntityName& cephx_entity,
	203	EntityName& lockbox_entity,
f67539c2	204	std::stringstream& ss);
31f18b77 FG	205	int do_osd_destroy(
	206	const EntityName& cephx_entity,
	207	const EntityName& lockbox_entity);
	208
	209	int do_osd_new(
	210	const auth_entity_t& cephx_entity,
	211	const auth_entity_t& lockbox_entity,
	212	bool has_lockbox);
	213	int validate_osd_new(
	214	int32_t id,
	215	const uuid_d& uuid,
f67539c2 TL	216	const std::string& cephx_secret,
f67539c2 TL	217	const std::string& lockbox_secret,
31f18b77 FG	218	auth_entity_t& cephx_entity,
31f18b77 FG	219	auth_entity_t& lockbox_entity,
f67539c2	220	std::stringstream& ss);
31f18b77	221
f67539c2	222	void dump_info(ceph::Formatter *f);
31f18b77	223
f67539c2	224	bool is_valid_cephx_key(const std::string& k) {
31f18b77 FG	225	if (k.empty())
	226	return false;
	227
	228	EntityAuth ea;
	229	try {
	230	ea.key.decode_base64(k);
	231	return true;
f67539c2	232	} catch (ceph::buffer::error& e) { /* fallthrough */ }
31f18b77 FG	233	return false;
31f18b77 FG	234	}
7c673cae FG	235	};
	236
	237
	238	WRITE_CLASS_ENCODER_FEATURES(AuthMonitor::Incremental)
	239
	240	#endif