ceph/src/mon/AuthMonitor.h

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab
   3 /*
   4  * Ceph - scalable distributed file system
   5  *
   6  * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
   7  *
   8  * This is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public
  10  * License version 2.1, as published by the Free Software
  11  * Foundation.  See file COPYING.
  12  *
  13  */
  14
  15 #ifndef CEPH_AUTHMONITOR_H
  16 #define CEPH_AUTHMONITOR_H
  17
  18 #include <map>
  19 #include <set>
  20
  21 #include "global/global_init.h"
  22 #include "include/ceph_features.h"
  23 #include "include/types.h"
  24 #include "mon/PaxosService.h"
  25 #include "mon/MonitorDBStore.h"
  26
  27 struct MAuth;
  28 class KeyRing;
  29 class Monitor;
  30
  31 #define MIN_GLOBAL_ID 0x1000
  32
  33 class AuthMonitor : public PaxosService {
  34 public:
  35   enum IncType {
  36     GLOBAL_ID,
  37     AUTH_DATA,
  38   };
  39   struct Incremental {
  40     IncType inc_type;
  41     uint64_t max_global_id;
  42     uint32_t auth_type;
  43     bufferlist auth_data;
  44
  45     Incremental() : inc_type(GLOBAL_ID), max_global_id(0), auth_type(0) {}
  46
  47     void encode(bufferlist& bl, uint64_t features=-1) const {
  48       using ceph::encode;
  49       ENCODE_START(2, 2, bl);
  50       __u32 _type = (__u32)inc_type;
  51       encode(_type, bl);
  52       if (_type == GLOBAL_ID) {
  53         encode(max_global_id, bl);
  54       } else {
  55         encode(auth_type, bl);
  56         encode(auth_data, bl);
  57       }
  58       ENCODE_FINISH(bl);
  59     }
  60     void decode(bufferlist::const_iterator& bl) {
  61       DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
  62       __u32 _type;
  63       decode(_type, bl);
  64       inc_type = (IncType)_type;
  65       ceph_assert(inc_type >= GLOBAL_ID && inc_type <= AUTH_DATA);
  66       if (_type == GLOBAL_ID) {
  67         decode(max_global_id, bl);
  68       } else {
  69         decode(auth_type, bl);
  70         decode(auth_data, bl);
  71       }
  72       DECODE_FINISH(bl);
  73     }
  74     void dump(Formatter *f) const {
  75       f->dump_int("type", inc_type);
  76       f->dump_int("max_global_id", max_global_id);
  77       f->dump_int("auth_type", auth_type);
  78       f->dump_int("auth_data_len", auth_data.length());
  79     }
  80     static void generate_test_instances(list<Incremental*>& ls) {
  81       ls.push_back(new Incremental);
  82       ls.push_back(new Incremental);
  83       ls.back()->inc_type = GLOBAL_ID;
  84       ls.back()->max_global_id = 1234;
  85       ls.push_back(new Incremental);
  86       ls.back()->inc_type = AUTH_DATA;
  87       ls.back()->auth_type = 12;
  88       ls.back()->auth_data.append("foo");
  89     }
  90   };
  91
  92   struct auth_entity_t {
  93     EntityName name;
  94     EntityAuth auth;
  95   };
  96
  97
  98 private:
  99   vector<Incremental> pending_auth;
 100   version_t last_rotating_ver;
 101   uint64_t max_global_id;
 102   uint64_t last_allocated_id;
 103
 104   // these are protected by mon->auth_lock
 105   int mon_num = 0, mon_rank = 0;
 106
 107   bool _upgrade_format_to_dumpling();
 108   bool _upgrade_format_to_luminous();
 109   bool _upgrade_format_to_mimic();
 110   void upgrade_format() override;
 111
 112   void export_keyring(KeyRing& keyring);
 113   int import_keyring(KeyRing& keyring);
 114
 115   void push_cephx_inc(KeyServerData::Incremental& auth_inc) {
 116     Incremental inc;
 117     inc.inc_type = AUTH_DATA;
 118     encode(auth_inc, inc.auth_data);
 119     inc.auth_type = CEPH_AUTH_CEPHX;
 120     pending_auth.push_back(inc);
 121   }
 122
 123   /* validate mon/osd/mds caps; fail on unrecognized service/type */
 124   bool valid_caps(const string& type, const string& caps, ostream *out);
 125   bool valid_caps(const string& type, const bufferlist& bl, ostream *out) {
 126     auto p = bl.begin();
 127     string v;
 128     try {
 129       decode(v, p);
 130     } catch (buffer::error& e) {
 131       *out << "corrupt capability encoding";
 132       return false;
 133     }
 134     return valid_caps(type, v, out);
 135   }
 136   bool valid_caps(const vector<string>& caps, ostream *out);
 137
 138   void on_active() override;
 139   bool should_propose(double& delay) override;
 140   void get_initial_keyring(KeyRing *keyring);
 141   void create_initial_keys(KeyRing *keyring);
 142   void create_initial() override;
 143   void update_from_paxos(bool *need_bootstrap) override;
 144   void create_pending() override;  // prepare a new pending
 145   bool prepare_global_id(MonOpRequestRef op);
 146   bool _should_increase_max_global_id(); ///< called under mon->auth_lock
 147   void increase_max_global_id();
 148   uint64_t assign_global_id(bool should_increase_max);
 149 public:
 150   uint64_t _assign_global_id(); ///< called under mon->auth_lock
 151   void _set_mon_num_rank(int num, int rank); ///< called under mon->auth_lock
 152
 153 private:
 154   // propose pending update to peers
 155   void encode_pending(MonitorDBStore::TransactionRef t) override;
 156   void encode_full(MonitorDBStore::TransactionRef t) override;
 157   version_t get_trim_to() const override;
 158
 159   bool preprocess_query(MonOpRequestRef op) override;  // true if processed.
 160   bool prepare_update(MonOpRequestRef op) override;
 161
 162   bool prep_auth(MonOpRequestRef op, bool paxos_writable);
 163
 164   bool preprocess_command(MonOpRequestRef op);
 165   bool prepare_command(MonOpRequestRef op);
 166
 167   bool check_rotate();
 168
 169   bool entity_is_pending(EntityName& entity);
 170   int exists_and_matches_entity(
 171       const auth_entity_t& entity,
 172       bool has_secret,
 173       stringstream& ss);
 174   int exists_and_matches_entity(
 175       const EntityName& name,
 176       const EntityAuth& auth,
 177       const map<string,bufferlist>& caps,
 178       bool has_secret,
 179       stringstream& ss);
 180   int remove_entity(const EntityName &entity);
 181   int add_entity(
 182       const EntityName& name,
 183       const EntityAuth& auth);
 184
 185  public:
 186   AuthMonitor(Monitor *mn, Paxos *p, const string& service_name)
 187     : PaxosService(mn, p, service_name),
 188       last_rotating_ver(0),
 189       max_global_id(0),
 190       last_allocated_id(0)
 191   {}
 192
 193   void pre_auth(MAuth *m);
 194
 195   void tick() override;  // check state, take actions
 196
 197   int validate_osd_destroy(
 198       int32_t id,
 199       const uuid_d& uuid,
 200       EntityName& cephx_entity,
 201       EntityName& lockbox_entity,
 202       stringstream& ss);
 203   int do_osd_destroy(
 204       const EntityName& cephx_entity,
 205       const EntityName& lockbox_entity);
 206
 207   int do_osd_new(
 208       const auth_entity_t& cephx_entity,
 209       const auth_entity_t& lockbox_entity,
 210       bool has_lockbox);
 211   int validate_osd_new(
 212       int32_t id,
 213       const uuid_d& uuid,
 214       const string& cephx_secret,
 215       const string& lockbox_secret,
 216       auth_entity_t& cephx_entity,
 217       auth_entity_t& lockbox_entity,
 218       stringstream& ss);
 219
 220   void dump_info(Formatter *f);
 221
 222   bool is_valid_cephx_key(const string& k) {
 223     if (k.empty())
 224       return false;
 225
 226     EntityAuth ea;
 227     try {
 228       ea.key.decode_base64(k);
 229       return true;
 230     } catch (buffer::error& e) { /* fallthrough */ }
 231     return false;
 232   }
 233 };
 234
 235
 236 WRITE_CLASS_ENCODER_FEATURES(AuthMonitor::Incremental)
 237
 238 #endif