1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
15 #ifndef CEPH_AUTHMONITOR_H
16 #define CEPH_AUTHMONITOR_H
21 #include "global/global_init.h"
22 #include "include/ceph_features.h"
23 #include "include/types.h"
24 #include "mon/PaxosService.h"
25 #include "mon/MonitorDBStore.h"
31 #define MIN_GLOBAL_ID 0x1000
33 class AuthMonitor
: public PaxosService
{
41 uint64_t max_global_id
;
45 Incremental() : inc_type(GLOBAL_ID
), max_global_id(0), auth_type(0) {}
47 void encode(bufferlist
& bl
, uint64_t features
=-1) const {
49 ENCODE_START(2, 2, bl
);
50 __u32 _type
= (__u32
)inc_type
;
52 if (_type
== GLOBAL_ID
) {
53 encode(max_global_id
, bl
);
55 encode(auth_type
, bl
);
56 encode(auth_data
, bl
);
60 void decode(bufferlist::const_iterator
& bl
) {
61 DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl
);
64 inc_type
= (IncType
)_type
;
65 ceph_assert(inc_type
>= GLOBAL_ID
&& inc_type
<= AUTH_DATA
);
66 if (_type
== GLOBAL_ID
) {
67 decode(max_global_id
, bl
);
69 decode(auth_type
, bl
);
70 decode(auth_data
, bl
);
74 void dump(Formatter
*f
) const {
75 f
->dump_int("type", inc_type
);
76 f
->dump_int("max_global_id", max_global_id
);
77 f
->dump_int("auth_type", auth_type
);
78 f
->dump_int("auth_data_len", auth_data
.length());
80 static void generate_test_instances(list
<Incremental
*>& ls
) {
81 ls
.push_back(new Incremental
);
82 ls
.push_back(new Incremental
);
83 ls
.back()->inc_type
= GLOBAL_ID
;
84 ls
.back()->max_global_id
= 1234;
85 ls
.push_back(new Incremental
);
86 ls
.back()->inc_type
= AUTH_DATA
;
87 ls
.back()->auth_type
= 12;
88 ls
.back()->auth_data
.append("foo");
92 struct auth_entity_t
{
99 vector
<Incremental
> pending_auth
;
100 version_t last_rotating_ver
;
101 uint64_t max_global_id
;
102 uint64_t last_allocated_id
;
104 // these are protected by mon->auth_lock
105 int mon_num
= 0, mon_rank
= 0;
107 bool _upgrade_format_to_dumpling();
108 bool _upgrade_format_to_luminous();
109 bool _upgrade_format_to_mimic();
110 void upgrade_format() override
;
112 void export_keyring(KeyRing
& keyring
);
113 int import_keyring(KeyRing
& keyring
);
115 void push_cephx_inc(KeyServerData::Incremental
& auth_inc
) {
117 inc
.inc_type
= AUTH_DATA
;
118 encode(auth_inc
, inc
.auth_data
);
119 inc
.auth_type
= CEPH_AUTH_CEPHX
;
120 pending_auth
.push_back(inc
);
123 /* validate mon/osd/mds caps; fail on unrecognized service/type */
124 bool valid_caps(const string
& type
, const string
& caps
, ostream
*out
);
125 bool valid_caps(const string
& type
, const bufferlist
& bl
, ostream
*out
) {
130 } catch (buffer::error
& e
) {
131 *out
<< "corrupt capability encoding";
134 return valid_caps(type
, v
, out
);
136 bool valid_caps(const vector
<string
>& caps
, ostream
*out
);
138 void on_active() override
;
139 bool should_propose(double& delay
) override
;
140 void get_initial_keyring(KeyRing
*keyring
);
141 void create_initial_keys(KeyRing
*keyring
);
142 void create_initial() override
;
143 void update_from_paxos(bool *need_bootstrap
) override
;
144 void create_pending() override
; // prepare a new pending
145 bool prepare_global_id(MonOpRequestRef op
);
146 bool _should_increase_max_global_id(); ///< called under mon->auth_lock
147 void increase_max_global_id();
148 uint64_t assign_global_id(bool should_increase_max
);
150 uint64_t _assign_global_id(); ///< called under mon->auth_lock
151 void _set_mon_num_rank(int num
, int rank
); ///< called under mon->auth_lock
154 // propose pending update to peers
155 void encode_pending(MonitorDBStore::TransactionRef t
) override
;
156 void encode_full(MonitorDBStore::TransactionRef t
) override
;
157 version_t
get_trim_to() const override
;
159 bool preprocess_query(MonOpRequestRef op
) override
; // true if processed.
160 bool prepare_update(MonOpRequestRef op
) override
;
162 bool prep_auth(MonOpRequestRef op
, bool paxos_writable
);
164 bool preprocess_command(MonOpRequestRef op
);
165 bool prepare_command(MonOpRequestRef op
);
169 bool entity_is_pending(EntityName
& entity
);
170 int exists_and_matches_entity(
171 const auth_entity_t
& entity
,
174 int exists_and_matches_entity(
175 const EntityName
& name
,
176 const EntityAuth
& auth
,
177 const map
<string
,bufferlist
>& caps
,
180 int remove_entity(const EntityName
&entity
);
182 const EntityName
& name
,
183 const EntityAuth
& auth
);
186 AuthMonitor(Monitor
*mn
, Paxos
*p
, const string
& service_name
)
187 : PaxosService(mn
, p
, service_name
),
188 last_rotating_ver(0),
193 void pre_auth(MAuth
*m
);
195 void tick() override
; // check state, take actions
197 int validate_osd_destroy(
200 EntityName
& cephx_entity
,
201 EntityName
& lockbox_entity
,
204 const EntityName
& cephx_entity
,
205 const EntityName
& lockbox_entity
);
208 const auth_entity_t
& cephx_entity
,
209 const auth_entity_t
& lockbox_entity
,
211 int validate_osd_new(
214 const string
& cephx_secret
,
215 const string
& lockbox_secret
,
216 auth_entity_t
& cephx_entity
,
217 auth_entity_t
& lockbox_entity
,
220 void dump_info(Formatter
*f
);
222 bool is_valid_cephx_key(const string
& k
) {
228 ea
.key
.decode_base64(k
);
230 } catch (buffer::error
& e
) { /* fallthrough */ }
236 WRITE_CLASS_ENCODER_FEATURES(AuthMonitor::Incremental
)