1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
15 #ifndef CEPH_KEYSSERVER_H
16 #define CEPH_KEYSSERVER_H
18 #include "auth/KeyRing.h"
19 #include "CephxProtocol.h"
20 #include "CephxKeyServer.h"
21 #include "common/Mutex.h"
// In-memory state of the cephx key server: per-entity auth records plus
// per-service rotating secrets. Serialized by the encode()/decode() members
// below -- the wire order is the encode() order, not the member order here.
// Members not visible in this view (e.g. the `version` that encode() writes)
// are declared on lines missing from this rendering.
25 struct KeyServerData
{
// Per-entity auth records; contains() and find_name() search this map.
29 map
<EntityName
, EntityAuth
> secrets
;
// Auxiliary keyring handed to the constructor. Nothing visible here
// establishes ownership -- presumably non-owning; confirm.
30 KeyRing
*extra_secrets
;
32 /* for each service type */
33 version_t rotating_ver
;
// Keyed by uint32_t, presumably the service_id that the
// get_service_secret() overloads take -- confirm against the definitions.
34 map
<uint32_t, RotatingSecrets
> rotating_secrets
;
// Constructs an empty key store backed by the auxiliary keyring `extra`.
// The member-initializer list is on lines not visible in this view.
36 explicit KeyServerData(KeyRing
*extra
)
// Serializes the whole state. Wire order: struct_v, version, rotating_ver,
// secrets, rotating_secrets -- decode() reads exactly this sequence, so the
// two must always be changed together. The struct_v declaration sits on a
// line not visible here.
41 void encode(bufferlist
& bl
) const {
43 ::encode(struct_v
, bl
);
44 ::encode(version
, bl
);
45 ::encode(rotating_ver
, bl
);
46 ::encode(secrets
, bl
);
47 ::encode(rotating_secrets
, bl
);
// Inverse of encode(): reads struct_v, version, rotating_ver, secrets,
// rotating_secrets in that order, overwriting the members in place.
// NOTE(review): struct_v is read but nothing visible here compares it with
// the value encode() writes, so an unexpected struct_v is not rejected at
// this layer -- confirm whether the caller checks it. The struct_v
// declaration is on a line not visible in this view.
49 void decode(bufferlist::iterator
& bl
) {
51 ::decode(struct_v
, bl
);
52 ::decode(version
, bl
);
53 ::decode(rotating_ver
, bl
);
54 ::decode(secrets
, bl
);
55 ::decode(rotating_secrets
, bl
);
// Serializes only the per-service part: struct_v, rotating_ver,
// rotating_secrets. decode_rotating() reads the same sequence; keep them
// in step. The struct_v declaration is on a line not visible here.
58 void encode_rotating(bufferlist
& bl
) const {
60 ::encode(struct_v
, bl
);
61 ::encode(rotating_ver
, bl
);
62 ::encode(rotating_secrets
, bl
);
// Inverse of encode_rotating(). Takes the bufferlist itself rather than an
// iterator and reads from its start, replacing rotating_ver and
// rotating_secrets wholesale. As in decode(), struct_v is read without a
// visible version check; its declaration is on a line not shown here.
64 void decode_rotating(bufferlist
& rotating_bl
) {
65 bufferlist::iterator iter
= rotating_bl
.begin();
67 ::decode(struct_v
, iter
);
68 ::decode(rotating_ver
, iter
);
69 ::decode(rotating_secrets
, iter
);
// True when an auth record for `name` is held in `secrets`.
bool contains(const EntityName& name) const {
  return secrets.count(name) != 0;
}
// Resets the held state; the body is on lines not visible in this view.
76 void clear_secrets() {
// Installs the auth record for `name`; the body is on lines not visible
// here. Style: `auth` is taken by non-const reference although nothing in
// the signature calls for modifying it -- `const EntityAuth&` would state
// the intent (KeyServer::add_auth forwards with the same signature).
80 void add_auth(const EntityName
& name
, EntityAuth
& auth
) {
// Removes the auth record for `name`, if any. The lookup and the
// not-found test are visible; what follows the `if` (presumably an early
// return, then the erase) is on lines not shown in this view.
84 void remove_secret(const EntityName
& name
) {
85 map
<EntityName
, EntityAuth
>::iterator iter
= secrets
.find(name
);
86 if (iter
== secrets
.end())
// Lookups defined out of line (not on this page). Each returns bool,
// presumably false when the requested entry is absent -- confirm against
// the definitions.
// Per-service rotating secret in three flavours: presumably the current key
// as an ExpiringCryptoKey or as a CryptoKey (secret_id is an out-parameter
// in both), or one specific key selected by a secret_id passed by value.
91 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
92 ExpiringCryptoKey
& secret
, uint64_t& secret_id
) const;
93 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
94 CryptoKey
& secret
, uint64_t& secret_id
) const;
95 bool get_service_secret(CephContext
*cct
, uint32_t service_id
,
96 uint64_t secret_id
, CryptoKey
& secret
) const;
// Per-entity lookups: the whole auth record, only its key, or the caps for
// one capability `type`.
97 bool get_auth(const EntityName
& name
, EntityAuth
& auth
) const;
98 bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const;
99 bool get_caps(CephContext
*cct
, const EntityName
& name
,
100 const std::string
& type
, AuthCapsInfo
& caps
) const;
// Mutable iterator to the first (EntityName, EntityAuth) entry held.
map<EntityName, EntityAuth>::iterator secrets_begin() {
  return std::begin(secrets);
}
// Read-only iterator to the first entry; const overload of secrets_begin().
map<EntityName, EntityAuth>::const_iterator secrets_begin() const {
  return std::begin(secrets);
}
// Mutable past-the-end iterator for the secrets map.
map<EntityName, EntityAuth>::iterator secrets_end() {
  return std::end(secrets);
}
// Read-only past-the-end iterator; const overload of secrets_end().
map<EntityName, EntityAuth>::const_iterator secrets_end() const {
  return std::end(secrets);
}
// Lookup by entity name; yields secrets_end() when `name` is not held.
map<EntityName, EntityAuth>::iterator find_name(const EntityName& name) {
  return secrets.find(name);
}
// Read-only lookup by entity name; const overload of find_name().
map<EntityName, EntityAuth>::const_iterator find_name(const EntityName& name) const {
  return secrets.find(name);
}
116 // -- incremental updates --
121 AUTH_INC_SET_ROTATING
,
126 bufferlist rotating_bl
; // if SET_ROTATING. otherwise,
// Serializes an Incremental: struct_v, then the op widened to a __u32
// (the visible lines compute `_op` but do not write it -- the ::encode of
// `_op` is presumably on a line not shown here; confirm), then rotating_bl
// only when op == AUTH_INC_SET_ROTATING. decode() below must read the same
// sequence.
130 void encode(bufferlist
& bl
) const {
132 ::encode(struct_v
, bl
);
133 __u32 _op
= (__u32
)op
;
135 if (op
== AUTH_INC_SET_ROTATING
) {
136 ::encode(rotating_bl
, bl
);
// Inverse of encode(). `_op` (declared and read from the wire on lines not
// visible here) is cast back to IncrementalOp and then range-checked.
// NOTE(review): the assert is the only validation of this wire-supplied
// enum before apply_incremental() switches on it. If `assert` here resolves
// to the C library macro it vanishes under NDEBUG (Ceph normally uses its
// own always-on assert -- confirm which one applies); a runtime check that
// fails the decode would be the defensive choice. Also, the bounds are
// compared after the C-style cast -- testing `_op` against the bounds
// before converting avoids an out-of-range enum conversion.
142 void decode(bufferlist::iterator
& bl
) {
144 ::decode(struct_v
, bl
);
147 op
= (IncrementalOp
)_op
;
148 assert(op
>= AUTH_INC_NOP
&& op
<= AUTH_INC_SET_ROTATING
);
149 if (op
== AUTH_INC_SET_ROTATING
) {
150 ::decode(rotating_bl
, bl
);
// Applies one Incremental to this state by dispatching on inc.op (the
// switch and the first two case labels are on lines not visible here):
// add_auth() for an add, remove_secret() for a removal, and for
// AUTH_INC_SET_ROTATING a decode_rotating() of the carried rotating_bl,
// which replaces rotating_ver/rotating_secrets wholesale.
158 void apply_incremental(Incremental
& inc
) {
161 add_auth(inc
.name
, inc
.auth
);
165 remove_secret(inc
.name
);
168 case AUTH_INC_SET_ROTATING
:
169 decode_rotating(inc
.rotating_bl
);
// Macro from the encoding layer (not on this page); by its name it emits
// the free ::encode/::decode overloads that forward to the member
// encode()/decode() above -- confirm against its definition.
181 WRITE_CLASS_ENCODER(KeyServerData
)
182 WRITE_CLASS_ENCODER(KeyServerData::Incremental
)
// Thread-safe front end over a KeyServerData (`data`) guarded by a mutex
// (`lock`); both members are declared on lines not visible here but are
// used by every inline method below. Implements the KeyStore interface
// (the get_secret()/get_service_secret() overloads marked override).
187 class KeyServer
: public KeyStore
{
// Underscore-prefixed internals, defined out of line. They presumably
// expect `lock` to be held by the public caller (the inline public methods
// below take Mutex::Locker before touching `data`) -- confirm.
192 int _rotate_secret(uint32_t service_id
);
193 bool _check_rotating_secrets();
194 void _dump_rotating_secrets();
195 int _build_session_auth_info(uint32_t service_id
,
196 CephXServiceTicketInfo
& auth_ticket_info
, CephXSessionAuthInfo
& info
);
197 bool _get_service_caps(const EntityName
& name
, uint32_t service_id
,
198 AuthCapsInfo
& caps
) const;
// Public interface (the access label is on a line not visible here).
// Constructor: `cct_` for context; `extra_secrets` is presumably forwarded
// to KeyServerData's constructor, which takes a KeyRing* -- confirm.
200 KeyServer(CephContext
*cct_
, KeyRing
*extra_secrets
);
// By its name, produces a fresh key into `secret`; an (EntityName&,
// CryptoKey&) overload follows at the end of this group.
201 bool generate_secret(CryptoKey
& secret
);
// KeyStore interface.
203 bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const override
;
204 bool get_auth(const EntityName
& name
, EntityAuth
& auth
) const;
// Style: spelled `string` here but `std::string` in KeyServerData::get_caps;
// equivalent only while a using-directive is in scope.
205 bool get_caps(const EntityName
& name
, const string
& type
, AuthCapsInfo
& caps
) const;
206 bool get_active_rotating_secret(const EntityName
& name
, CryptoKey
& secret
) const;
// `timeout` carries no unit in the signature -- presumably seconds;
// confirm against the definition.
208 void rotate_timeout(double timeout
);
// Two forms: the second is handed an explicit service_secret/secret_id
// pair instead of (presumably) looking the service secret up itself.
210 int build_session_auth_info(uint32_t service_id
, CephXServiceTicketInfo
& auth_ticket_info
, CephXSessionAuthInfo
& info
);
211 int build_session_auth_info(uint32_t service_id
, CephXServiceTicketInfo
& auth_ticket_info
, CephXSessionAuthInfo
& info
,
212 CryptoKey
& service_secret
, uint64_t secret_id
);
214 /* get current secret for specific service type */
215 bool get_service_secret(uint32_t service_id
, ExpiringCryptoKey
& service_key
,
216 uint64_t& secret_id
) const;
217 bool get_service_secret(uint32_t service_id
, CryptoKey
& service_key
,
218 uint64_t& secret_id
) const;
// Lookup of one specific key by secret_id; KeyStore interface.
219 bool get_service_secret(uint32_t service_id
, uint64_t secret_id
,
220 CryptoKey
& secret
) const override
;
// Style: `name` is a non-const reference here while every other lookup in
// this class takes `const EntityName&`; if it is only read, make it const.
222 bool generate_secret(EntityName
& name
, CryptoKey
& secret
);
// Serializes the server state; the body is on lines not visible here.
// decode() below takes `lock` first -- confirm this side does too, since
// the other methods mutate `data` only under the lock.
224 void encode(bufferlist
& bl
) const {
// Replaces the server state from `bl` under the lock; the ::decode call
// itself is on a line not visible in this view.
227 void decode(bufferlist::iterator
& bl
) {
228 Mutex::Locker
l(lock
);
// Defined out of line (not on this page).
231 bool contains(const EntityName
& name
) const;
// Dump paths, defined out of line. By their names encode_secrets() and
// encode_plaintext() write key material in readable form, so whatever
// receives `ds`/`bl` must be handled as secret -- confirm against the
// definitions. encode_secrets() is also what list_secrets() below calls
// with a null Formatter.
232 int encode_secrets(Formatter
*f
, stringstream
*ds
) const;
233 void encode_formatted(string label
, Formatter
*f
, bufferlist
&bl
);
234 void encode_plaintext(bufferlist
&bl
);
// Writes the held secrets to `ds` by delegating to encode_secrets() with
// no Formatter attached; returns whatever encode_secrets() reports.
int list_secrets(stringstream& ds) const {
  stringstream* const sink = &ds;
  return encode_secrets(nullptr, sink);
}
// Current data version, read under the lock; the return statement is on a
// line not visible in this view.
238 version_t
get_ver() const {
239 Mutex::Locker
l(lock
);
// Drops everything in `data` while holding the server lock.
void clear_secrets() {
  Mutex::Locker guard(lock);
  data.clear_secrets();
}
// Applies one KeyServerData::Incremental to `data` under the lock; see
// KeyServerData::apply_incremental() for the per-op behaviour.
void apply_data_incremental(KeyServerData::Incremental& inc) {
  Mutex::Locker guard(lock);
  data.apply_incremental(inc);
}
// Overwrites the data version under the lock; the assignment is on a line
// not visible in this view.
252 void set_ver(version_t ver
) {
253 Mutex::Locker
l(lock
);
// Installs the auth record for `name` in `data` under the lock. `auth` is
// forwarded by non-const reference to match KeyServerData::add_auth().
void add_auth(const EntityName& name, EntityAuth& auth) {
  Mutex::Locker guard(lock);
  data.add_auth(name, auth);
}
// Removes the auth record for `name` from `data` under the lock;
// KeyServerData::remove_secret() checks for the name before erasing.
void remove_secret(const EntityName& name) {
  Mutex::Locker guard(lock);
  data.remove_secret(name);
}
268 map
<EntityName
, EntityAuth
>::const_iterator b
= data
.secrets_begin();
269 return (b
!= data
.secrets_end());
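// Number of per-entity secrets currently held, read under the lock.
// Const-qualified so read-only holders of a KeyServer can call it (other
// read paths such as clone_to() already take the lock from a const method).
// Returns int to keep the existing interface; the size_t is converted
// explicitly rather than narrowed silently.
int get_num_secrets() const {
  Mutex::Locker l(lock);
  return static_cast<int>(data.secrets.size());
}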
// By its name and signature, copies the guarded state into `dst` under
// the lock (the copy statement is on a line not visible here). Such a copy
// carries every secret, so `dst` needs the same handling as this object.
276 void clone_to(KeyServerData
& dst
) const {
277 Mutex::Locker
l(lock
);
// Under the lock, adds every (name, auth) pair in data.secrets to
// `keyring` (the loop's increment and closing brace are on lines not
// visible here). This hands out all held key material, so the target
// keyring must be protected at least as carefully as this server's state.
280 void export_keyring(KeyRing
& keyring
) {
281 Mutex::Locker
l(lock
);
282 for (map
<EntityName
, EntityAuth
>::iterator p
= data
.secrets
.begin();
283 p
!= data
.secrets
.end();
285 keyring
.add(p
->first
, p
->second
);
// Defined out of line (not on this page). updated_rotating() takes both
// arguments by non-const reference, so it presumably reports newer
// rotating state through them; get_rotating_encrypted() fills `enc_bl`
// for `name` -- confirm both against the definitions.
289 bool updated_rotating(bufferlist
& rotating_bl
, version_t
& rotating_ver
);
291 bool get_rotating_encrypted(const EntityName
& name
, bufferlist
& enc_bl
) const;
// Hands out the internal mutex so a caller can hold it across several
// calls (presumably needed around an iteration from secrets_begin() to
// secrets_end(), which do not lock on their own). Callable on a const
// KeyServer because `lock` is already taken from const members such as
// clone_to().
Mutex& get_lock() const {
  return lock;
}
// Public counterpart of _get_service_caps(); defined out of line.
294 bool get_service_caps(const EntityName
& name
, uint32_t service_id
,
295 AuthCapsInfo
& caps
) const;
// Pass-through to KeyServerData::secrets_begin(). Unlike the other inline
// methods of this class no lock is taken here, so a caller iterating the
// returned range presumably has to hold get_lock() itself -- confirm.
auto secrets_begin() -> map<EntityName, EntityAuth>::iterator {
  return data.secrets_begin();
}
// Pass-through to KeyServerData::secrets_end(); no lock is taken here,
// same caveat as secrets_begin().
auto secrets_end() -> map<EntityName, EntityAuth>::iterator {
  return data.secrets_end();
}
// Same encoding-layer macro as for KeyServerData above: presumably emits
// free ::encode/::decode overloads forwarding to KeyServer's members.
302 WRITE_CLASS_ENCODER(KeyServer
)