]>
git.proxmox.com Git - ceph.git/blob - ceph/src/auth/cephx/CephxKeyServer.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
15 #ifndef CEPH_KEYSSERVER_H
16 #define CEPH_KEYSSERVER_H
18 #include "auth/KeyRing.h"
19 #include "CephxProtocol.h"
20 #include "CephxKeyServer.h"
21 #include "common/ceph_mutex.h"
25 struct KeyServerData
{
29 map
<EntityName
, EntityAuth
> secrets
;
30 KeyRing
*extra_secrets
;
32 /* for each service type */
33 version_t rotating_ver
;
34 map
<uint32_t, RotatingSecrets
> rotating_secrets
;
36 explicit KeyServerData(KeyRing
*extra
)
41 void encode(bufferlist
& bl
) const {
46 encode(rotating_ver
, bl
);
48 encode(rotating_secrets
, bl
);
50 void decode(bufferlist::const_iterator
& bl
) {
55 decode(rotating_ver
, bl
);
57 decode(rotating_secrets
, bl
);
60 void encode_rotating(bufferlist
& bl
) const {
64 encode(rotating_ver
, bl
);
65 encode(rotating_secrets
, bl
);
67 void decode_rotating(bufferlist
& rotating_bl
) {
69 auto iter
= rotating_bl
.cbegin();
71 decode(struct_v
, iter
);
72 decode(rotating_ver
, iter
);
73 decode(rotating_secrets
, iter
);
76 bool contains(const EntityName
& name
) const {
77 return (secrets
.find(name
) != secrets
.end());
80 void clear_secrets() {
84 void add_auth(const EntityName
& name
, EntityAuth
& auth
) {
88 void remove_secret(const EntityName
& name
) {
89 map
<EntityName
, EntityAuth
>::iterator iter
= secrets
.find(name
);
90 if (iter
== secrets
.end())
95 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
96 ExpiringCryptoKey
& secret
, uint64_t& secret_id
) const;
97 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
98 CryptoKey
& secret
, uint64_t& secret_id
) const;
99 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
100 uint64_t secret_id
, CryptoKey
& secret
) const;
101 bool get_auth(const EntityName
& name
, EntityAuth
& auth
) const;
102 bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const;
103 bool get_caps(CephContext
*cct
, const EntityName
& name
,
104 const std::string
& type
, AuthCapsInfo
& caps
) const;
106 map
<EntityName
, EntityAuth
>::iterator
secrets_begin()
107 { return secrets
.begin(); }
108 map
<EntityName
, EntityAuth
>::const_iterator
secrets_begin() const
109 { return secrets
.begin(); }
110 map
<EntityName
, EntityAuth
>::iterator
secrets_end()
111 { return secrets
.end(); }
112 map
<EntityName
, EntityAuth
>::const_iterator
secrets_end() const
113 { return secrets
.end(); }
114 map
<EntityName
, EntityAuth
>::iterator
find_name(const EntityName
& name
)
115 { return secrets
.find(name
); }
116 map
<EntityName
, EntityAuth
>::const_iterator
find_name(const EntityName
& name
) const
117 { return secrets
.find(name
); }
120 // -- incremental updates --
125 AUTH_INC_SET_ROTATING
,
130 bufferlist rotating_bl
; // if SET_ROTATING. otherwise,
134 void encode(bufferlist
& bl
) const {
137 encode(struct_v
, bl
);
138 __u32 _op
= (__u32
)op
;
140 if (op
== AUTH_INC_SET_ROTATING
) {
141 encode(rotating_bl
, bl
);
147 void decode(bufferlist::const_iterator
& bl
) {
150 decode(struct_v
, bl
);
153 op
= (IncrementalOp
)_op
;
154 ceph_assert(op
>= AUTH_INC_NOP
&& op
<= AUTH_INC_SET_ROTATING
);
155 if (op
== AUTH_INC_SET_ROTATING
) {
156 decode(rotating_bl
, bl
);
164 void apply_incremental(Incremental
& inc
) {
167 add_auth(inc
.name
, inc
.auth
);
171 remove_secret(inc
.name
);
174 case AUTH_INC_SET_ROTATING
:
175 decode_rotating(inc
.rotating_bl
);
187 WRITE_CLASS_ENCODER(KeyServerData
)
188 WRITE_CLASS_ENCODER(KeyServerData::Incremental
)
193 class KeyServer
: public KeyStore
{
196 mutable ceph::mutex lock
;
198 int _rotate_secret(uint32_t service_id
);
199 bool _check_rotating_secrets();
200 void _dump_rotating_secrets();
201 int _build_session_auth_info(uint32_t service_id
,
202 const AuthTicket
& parent_ticket
,
203 CephXSessionAuthInfo
& info
);
204 bool _get_service_caps(const EntityName
& name
, uint32_t service_id
,
205 AuthCapsInfo
& caps
) const;
207 KeyServer(CephContext
*cct_
, KeyRing
*extra_secrets
);
208 bool generate_secret(CryptoKey
& secret
);
210 bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const override
;
211 bool get_auth(const EntityName
& name
, EntityAuth
& auth
) const;
212 bool get_caps(const EntityName
& name
, const string
& type
, AuthCapsInfo
& caps
) const;
213 bool get_active_rotating_secret(const EntityName
& name
, CryptoKey
& secret
) const;
215 void rotate_timeout(double timeout
);
217 int build_session_auth_info(uint32_t service_id
,
218 const AuthTicket
& parent_ticket
,
219 CephXSessionAuthInfo
& info
);
220 int build_session_auth_info(uint32_t service_id
,
221 const AuthTicket
& parent_ticket
,
222 CephXSessionAuthInfo
& info
,
223 CryptoKey
& service_secret
,
226 /* get current secret for specific service type */
227 bool get_service_secret(uint32_t service_id
, CryptoKey
& service_key
,
228 uint64_t& secret_id
) const;
229 bool get_service_secret(uint32_t service_id
, uint64_t secret_id
,
230 CryptoKey
& secret
) const override
;
232 bool generate_secret(EntityName
& name
, CryptoKey
& secret
);
234 void encode(bufferlist
& bl
) const {
238 void decode(bufferlist::const_iterator
& bl
) {
239 std::scoped_lock l
{lock
};
243 bool contains(const EntityName
& name
) const;
244 int encode_secrets(Formatter
*f
, stringstream
*ds
) const;
245 void encode_formatted(string label
, Formatter
*f
, bufferlist
&bl
);
246 void encode_plaintext(bufferlist
&bl
);
247 int list_secrets(stringstream
& ds
) const {
248 return encode_secrets(NULL
, &ds
);
250 version_t
get_ver() const {
251 std::scoped_lock l
{lock
};
255 void clear_secrets() {
256 std::scoped_lock l
{lock
};
257 data
.clear_secrets();
260 void apply_data_incremental(KeyServerData::Incremental
& inc
) {
261 std::scoped_lock l
{lock
};
262 data
.apply_incremental(inc
);
264 void set_ver(version_t ver
) {
265 std::scoped_lock l
{lock
};
269 void add_auth(const EntityName
& name
, EntityAuth
& auth
) {
270 std::scoped_lock l
{lock
};
271 data
.add_auth(name
, auth
);
274 void remove_secret(const EntityName
& name
) {
275 std::scoped_lock l
{lock
};
276 data
.remove_secret(name
);
280 map
<EntityName
, EntityAuth
>::const_iterator b
= data
.secrets_begin();
281 return (b
!= data
.secrets_end());
283 int get_num_secrets() {
284 std::scoped_lock l
{lock
};
285 return data
.secrets
.size();
288 void clone_to(KeyServerData
& dst
) const {
289 std::scoped_lock l
{lock
};
292 void export_keyring(KeyRing
& keyring
) {
293 std::scoped_lock l
{lock
};
294 for (map
<EntityName
, EntityAuth
>::iterator p
= data
.secrets
.begin();
295 p
!= data
.secrets
.end();
297 keyring
.add(p
->first
, p
->second
);
301 bool updated_rotating(bufferlist
& rotating_bl
, version_t
& rotating_ver
);
303 bool get_rotating_encrypted(const EntityName
& name
, bufferlist
& enc_bl
) const;
305 ceph::mutex
& get_lock() const { return lock
; }
306 bool get_service_caps(const EntityName
& name
, uint32_t service_id
,
307 AuthCapsInfo
& caps
) const;
309 map
<EntityName
, EntityAuth
>::iterator
secrets_begin()
310 { return data
.secrets_begin(); }
311 map
<EntityName
, EntityAuth
>::iterator
secrets_end()
312 { return data
.secrets_end(); }
314 WRITE_CLASS_ENCODER(KeyServer
)