]>
git.proxmox.com Git - ceph.git/blob - ceph/src/auth/cephx/CephxKeyServer.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
15 #ifndef CEPH_KEYSSERVER_H
16 #define CEPH_KEYSSERVER_H
18 #include "auth/KeyRing.h"
19 #include "CephxProtocol.h"
20 #include "CephxKeyServer.h"
21 #include "common/ceph_mutex.h"
22 #include "include/common_fwd.h"
24 struct KeyServerData
{
28 map
<EntityName
, EntityAuth
> secrets
;
29 KeyRing
*extra_secrets
;
31 /* for each service type */
32 version_t rotating_ver
;
33 map
<uint32_t, RotatingSecrets
> rotating_secrets
;
35 explicit KeyServerData(KeyRing
*extra
)
40 void encode(bufferlist
& bl
) const {
45 encode(rotating_ver
, bl
);
47 encode(rotating_secrets
, bl
);
49 void decode(bufferlist::const_iterator
& bl
) {
54 decode(rotating_ver
, bl
);
56 decode(rotating_secrets
, bl
);
59 void encode_rotating(bufferlist
& bl
) const {
63 encode(rotating_ver
, bl
);
64 encode(rotating_secrets
, bl
);
66 void decode_rotating(bufferlist
& rotating_bl
) {
68 auto iter
= rotating_bl
.cbegin();
70 decode(struct_v
, iter
);
71 decode(rotating_ver
, iter
);
72 decode(rotating_secrets
, iter
);
75 bool contains(const EntityName
& name
) const {
76 return (secrets
.find(name
) != secrets
.end());
79 void clear_secrets() {
83 rotating_secrets
.clear();
86 void add_auth(const EntityName
& name
, EntityAuth
& auth
) {
90 void remove_secret(const EntityName
& name
) {
91 map
<EntityName
, EntityAuth
>::iterator iter
= secrets
.find(name
);
92 if (iter
== secrets
.end())
97 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
98 ExpiringCryptoKey
& secret
, uint64_t& secret_id
) const;
99 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
100 CryptoKey
& secret
, uint64_t& secret_id
) const;
101 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
102 uint64_t secret_id
, CryptoKey
& secret
) const;
103 bool get_auth(const EntityName
& name
, EntityAuth
& auth
) const;
104 bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const;
105 bool get_caps(CephContext
*cct
, const EntityName
& name
,
106 const std::string
& type
, AuthCapsInfo
& caps
) const;
108 map
<EntityName
, EntityAuth
>::iterator
secrets_begin()
109 { return secrets
.begin(); }
110 map
<EntityName
, EntityAuth
>::const_iterator
secrets_begin() const
111 { return secrets
.begin(); }
112 map
<EntityName
, EntityAuth
>::iterator
secrets_end()
113 { return secrets
.end(); }
114 map
<EntityName
, EntityAuth
>::const_iterator
secrets_end() const
115 { return secrets
.end(); }
116 map
<EntityName
, EntityAuth
>::iterator
find_name(const EntityName
& name
)
117 { return secrets
.find(name
); }
118 map
<EntityName
, EntityAuth
>::const_iterator
find_name(const EntityName
& name
) const
119 { return secrets
.find(name
); }
122 // -- incremental updates --
127 AUTH_INC_SET_ROTATING
,
132 bufferlist rotating_bl
; // if SET_ROTATING. otherwise,
136 void encode(bufferlist
& bl
) const {
139 encode(struct_v
, bl
);
140 __u32 _op
= (__u32
)op
;
142 if (op
== AUTH_INC_SET_ROTATING
) {
143 encode(rotating_bl
, bl
);
149 void decode(bufferlist::const_iterator
& bl
) {
152 decode(struct_v
, bl
);
155 op
= (IncrementalOp
)_op
;
156 ceph_assert(op
>= AUTH_INC_NOP
&& op
<= AUTH_INC_SET_ROTATING
);
157 if (op
== AUTH_INC_SET_ROTATING
) {
158 decode(rotating_bl
, bl
);
166 void apply_incremental(Incremental
& inc
) {
169 add_auth(inc
.name
, inc
.auth
);
173 remove_secret(inc
.name
);
176 case AUTH_INC_SET_ROTATING
:
177 decode_rotating(inc
.rotating_bl
);
189 WRITE_CLASS_ENCODER(KeyServerData
)
190 WRITE_CLASS_ENCODER(KeyServerData::Incremental
)
195 class KeyServer
: public KeyStore
{
198 mutable ceph::mutex lock
;
200 int _rotate_secret(uint32_t service_id
);
201 bool _check_rotating_secrets();
202 void _dump_rotating_secrets();
203 int _build_session_auth_info(uint32_t service_id
,
204 const AuthTicket
& parent_ticket
,
205 CephXSessionAuthInfo
& info
);
206 bool _get_service_caps(const EntityName
& name
, uint32_t service_id
,
207 AuthCapsInfo
& caps
) const;
209 KeyServer(CephContext
*cct_
, KeyRing
*extra_secrets
);
210 bool generate_secret(CryptoKey
& secret
);
212 bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const override
;
213 bool get_auth(const EntityName
& name
, EntityAuth
& auth
) const;
214 bool get_caps(const EntityName
& name
, const string
& type
, AuthCapsInfo
& caps
) const;
215 bool get_active_rotating_secret(const EntityName
& name
, CryptoKey
& secret
) const;
217 void rotate_timeout(double timeout
);
219 int build_session_auth_info(uint32_t service_id
,
220 const AuthTicket
& parent_ticket
,
221 CephXSessionAuthInfo
& info
);
222 int build_session_auth_info(uint32_t service_id
,
223 const AuthTicket
& parent_ticket
,
224 CephXSessionAuthInfo
& info
,
225 CryptoKey
& service_secret
,
228 /* get current secret for specific service type */
229 bool get_service_secret(uint32_t service_id
, CryptoKey
& service_key
,
230 uint64_t& secret_id
) const;
231 bool get_service_secret(uint32_t service_id
, uint64_t secret_id
,
232 CryptoKey
& secret
) const override
;
234 bool generate_secret(EntityName
& name
, CryptoKey
& secret
);
236 void encode(bufferlist
& bl
) const {
240 void decode(bufferlist::const_iterator
& bl
) {
241 std::scoped_lock l
{lock
};
245 bool contains(const EntityName
& name
) const;
246 int encode_secrets(Formatter
*f
, stringstream
*ds
) const;
247 void encode_formatted(string label
, Formatter
*f
, bufferlist
&bl
);
248 void encode_plaintext(bufferlist
&bl
);
249 int list_secrets(stringstream
& ds
) const {
250 return encode_secrets(NULL
, &ds
);
252 version_t
get_ver() const {
253 std::scoped_lock l
{lock
};
257 void clear_secrets() {
258 std::scoped_lock l
{lock
};
259 data
.clear_secrets();
262 void apply_data_incremental(KeyServerData::Incremental
& inc
) {
263 std::scoped_lock l
{lock
};
264 data
.apply_incremental(inc
);
266 void set_ver(version_t ver
) {
267 std::scoped_lock l
{lock
};
271 void add_auth(const EntityName
& name
, EntityAuth
& auth
) {
272 std::scoped_lock l
{lock
};
273 data
.add_auth(name
, auth
);
276 void remove_secret(const EntityName
& name
) {
277 std::scoped_lock l
{lock
};
278 data
.remove_secret(name
);
282 map
<EntityName
, EntityAuth
>::const_iterator b
= data
.secrets_begin();
283 return (b
!= data
.secrets_end());
285 int get_num_secrets() {
286 std::scoped_lock l
{lock
};
287 return data
.secrets
.size();
290 void clone_to(KeyServerData
& dst
) const {
291 std::scoped_lock l
{lock
};
294 void export_keyring(KeyRing
& keyring
) {
295 std::scoped_lock l
{lock
};
296 for (map
<EntityName
, EntityAuth
>::iterator p
= data
.secrets
.begin();
297 p
!= data
.secrets
.end();
299 keyring
.add(p
->first
, p
->second
);
303 bool updated_rotating(bufferlist
& rotating_bl
, version_t
& rotating_ver
);
305 bool get_rotating_encrypted(const EntityName
& name
, bufferlist
& enc_bl
) const;
307 ceph::mutex
& get_lock() const { return lock
; }
308 bool get_service_caps(const EntityName
& name
, uint32_t service_id
,
309 AuthCapsInfo
& caps
) const;
311 map
<EntityName
, EntityAuth
>::iterator
secrets_begin()
312 { return data
.secrets_begin(); }
313 map
<EntityName
, EntityAuth
>::iterator
secrets_end()
314 { return data
.secrets_end(); }
316 WRITE_CLASS_ENCODER(KeyServer
)