#undef dout_prefix
#define dout_prefix *_dout << "cephx keyserverdata: "
+using std::ostringstream;
+using std::string;
+using std::stringstream;
+
+using ceph::bufferptr;
+using ceph::bufferlist;
+using ceph::Formatter;
+
bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
- ExpiringCryptoKey& secret, uint64_t& secret_id) const
+ CryptoKey& secret, uint64_t& secret_id,
+ double& ttl) const
{
- map<uint32_t, RotatingSecrets>::const_iterator iter =
- rotating_secrets.find(service_id);
+ auto iter = rotating_secrets.find(service_id);
if (iter == rotating_secrets.end()) {
ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id) << " not found " << dendl;
return false;
const RotatingSecrets& secrets = iter->second;
// second to oldest, unless it's expired
- map<uint64_t, ExpiringCryptoKey>::const_iterator riter =
- secrets.secrets.begin();
+ auto riter = secrets.secrets.begin();
if (secrets.secrets.size() > 1)
++riter;
- if (riter->second.expiration < ceph_clock_now())
+ utime_t now = ceph_clock_now();
+ if (riter->second.expiration < now)
++riter; // "current" key has expired, use "next" key instead
secret_id = riter->first;
- secret = riter->second;
- ldout(cct, 30) << "get_service_secret service " << ceph_entity_type_name(service_id)
- << " id " << secret_id << " " << secret << dendl;
- return true;
-}
-
-bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
- CryptoKey& secret, uint64_t& secret_id) const
-{
- ExpiringCryptoKey e;
-
- if (!get_service_secret(cct, service_id, e, secret_id))
- return false;
+ secret = riter->second.key;
- secret = e.key;
+ // ttl may have just been increased by the user
+ // cap it by expiration of "next" key to prevent handing out a ticket
+ // with a bogus, possibly way into the future, validity
+ ttl = service_id == CEPH_ENTITY_TYPE_AUTH ?
+ cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
+ ttl = std::min(ttl, static_cast<double>(
+ secrets.secrets.rbegin()->second.expiration - now));
+
+ ldout(cct, 30) << __func__ << " service "
+ << ceph_entity_type_name(service_id) << " secret_id "
+ << secret_id << " " << riter->second << " ttl " << ttl
+ << dendl;
return true;
}
bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
uint64_t secret_id, CryptoKey& secret) const
{
- map<uint32_t, RotatingSecrets>::const_iterator iter =
- rotating_secrets.find(service_id);
- if (iter == rotating_secrets.end())
+ auto iter = rotating_secrets.find(service_id);
+ if (iter == rotating_secrets.end()) {
+ ldout(cct, 10) << __func__ << " no rotating_secrets for service " << service_id
+ << " " << ceph_entity_type_name(service_id) << dendl;
return false;
+ }
const RotatingSecrets& secrets = iter->second;
- map<uint64_t, ExpiringCryptoKey>::const_iterator riter =
- secrets.secrets.find(secret_id);
+ auto riter = secrets.secrets.find(secret_id);
if (riter == secrets.secrets.end()) {
ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id)
<< " secret " << secret_id << " not found" << dendl;
ldout(cct, 30) << " I have:" << dendl;
- for (map<uint64_t, ExpiringCryptoKey>::const_iterator iter =
- secrets.secrets.begin();
- iter != secrets.secrets.end();
- ++iter)
+ for (auto iter = secrets.secrets.begin();
+ iter != secrets.secrets.end();
+ ++iter)
ldout(cct, 30) << " id " << iter->first << " " << iter->second << dendl;
return false;
}
return true;
}
bool KeyServerData::get_auth(const EntityName& name, EntityAuth& auth) const {
- map<EntityName, EntityAuth>::const_iterator iter = secrets.find(name);
+ auto iter = secrets.find(name);
if (iter != secrets.end()) {
auth = iter->second;
return true;
}
bool KeyServerData::get_secret(const EntityName& name, CryptoKey& secret) const {
- map<EntityName, EntityAuth>::const_iterator iter = secrets.find(name);
+ auto iter = secrets.find(name);
if (iter != secrets.end()) {
secret = iter->second.key;
return true;
caps_info.allow_all = false;
ldout(cct, 10) << "get_caps: name=" << name.to_str() << dendl;
- map<EntityName, EntityAuth>::const_iterator iter = secrets.find(name);
+ auto iter = secrets.find(name);
if (iter != secrets.end()) {
ldout(cct, 10) << "get_secret: num of caps=" << iter->second.caps.size() << dendl;
- map<string, bufferlist>::const_iterator capsiter = iter->second.caps.find(type);
+ auto capsiter = iter->second.caps.find(type);
if (capsiter != iter->second.caps.end()) {
caps_info.caps = capsiter->second;
}
KeyServer::KeyServer(CephContext *cct_, KeyRing *extra_secrets)
: cct(cct_),
data(extra_secrets),
- lock("KeyServer::lock")
+ lock{ceph::make_mutex("KeyServer::lock")}
{
}
int KeyServer::start_server()
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
- _check_rotating_secrets();
_dump_rotating_secrets();
return 0;
}
-bool KeyServer::_check_rotating_secrets()
+void KeyServer::dump()
{
- ldout(cct, 10) << "_check_rotating_secrets" << dendl;
-
- int added = 0;
- added += _rotate_secret(CEPH_ENTITY_TYPE_AUTH);
- added += _rotate_secret(CEPH_ENTITY_TYPE_MON);
- added += _rotate_secret(CEPH_ENTITY_TYPE_OSD);
- added += _rotate_secret(CEPH_ENTITY_TYPE_MDS);
- added += _rotate_secret(CEPH_ENTITY_TYPE_MGR);
-
- if (added) {
- ldout(cct, 10) << __func__ << " added " << added << dendl;
- data.rotating_ver++;
- //data.next_rotating_time = ceph_clock_now(cct);
- //data.next_rotating_time += MIN(cct->_conf->auth_mon_ticket_ttl, cct->_conf->auth_service_ticket_ttl);
- _dump_rotating_secrets();
- return true;
- }
- return false;
+ _dump_rotating_secrets();
}
void KeyServer::_dump_rotating_secrets()
{
ldout(cct, 30) << "_dump_rotating_secrets" << dendl;
- for (map<uint32_t, RotatingSecrets>::iterator iter = data.rotating_secrets.begin();
+ for (auto iter = data.rotating_secrets.begin();
iter != data.rotating_secrets.end();
++iter) {
RotatingSecrets& key = iter->second;
- for (map<uint64_t, ExpiringCryptoKey>::iterator mapiter = key.secrets.begin();
+ for (auto mapiter = key.secrets.begin();
mapiter != key.secrets.end();
++mapiter)
ldout(cct, 30) << "service " << ceph_entity_type_name(iter->first)
}
}
-int KeyServer::_rotate_secret(uint32_t service_id)
+int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data)
{
- RotatingSecrets& r = data.rotating_secrets[service_id];
+ RotatingSecrets& r = pending_data.rotating_secrets[service_id];
int added = 0;
utime_t now = ceph_clock_now();
double ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
} else {
utime_t next_ttl = now;
next_ttl += ttl;
- ek.expiration = MAX(next_ttl, r.next().expiration);
+ ek.expiration = std::max(next_ttl, r.next().expiration);
}
ek.expiration += ttl;
uint64_t secret_id = r.add(ek);
bool KeyServer::get_secret(const EntityName& name, CryptoKey& secret) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
return data.get_secret(name, secret);
}
bool KeyServer::get_auth(const EntityName& name, EntityAuth& auth) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
return data.get_auth(name, auth);
}
bool KeyServer::get_caps(const EntityName& name, const string& type,
AuthCapsInfo& caps_info) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
return data.get_caps(cct, name, type, caps_info);
}
-bool KeyServer::get_service_secret(uint32_t service_id,
- ExpiringCryptoKey& secret, uint64_t& secret_id) const
-{
- Mutex::Locker l(lock);
-
- return data.get_service_secret(cct, service_id, secret, secret_id);
-}
-
-bool KeyServer::get_service_secret(uint32_t service_id,
- CryptoKey& secret, uint64_t& secret_id) const
+bool KeyServer::get_service_secret(uint32_t service_id, CryptoKey& secret,
+ uint64_t& secret_id, double& ttl) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
- return data.get_service_secret(cct, service_id, secret, secret_id);
+ return data.get_service_secret(cct, service_id, secret, secret_id, ttl);
}
bool KeyServer::get_service_secret(uint32_t service_id,
uint64_t secret_id, CryptoKey& secret) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
return data.get_service_secret(cct, service_id, secret_id, secret);
}
if (!crypto)
return false;
- if (crypto->create(bp) < 0)
+ if (crypto->create(cct->random(), bp) < 0)
return false;
secret.set_secret(CEPH_CRYPTO_AES, bp, ceph_clock_now());
if (!generate_secret(secret))
return false;
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
EntityAuth auth;
auth.key = secret;
bool KeyServer::contains(const EntityName& name) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
return data.contains(name);
}
int KeyServer::encode_secrets(Formatter *f, stringstream *ds) const
{
- Mutex::Locker l(lock);
- map<EntityName, EntityAuth>::const_iterator mapiter = data.secrets_begin();
+ std::scoped_lock l{lock};
+ auto mapiter = data.secrets_begin();
if (mapiter == data.secrets_end())
return -ENOENT;
if (ds) {
*ds << name.to_str() << std::endl;
*ds << "\tkey: " << mapiter->second.key << std::endl;
- if (mapiter->second.auid != CEPH_AUTH_UID_DEFAULT)
- *ds << "\tauid: " << mapiter->second.auid << std::endl;
}
if (f) {
f->open_object_section("auth_entities");
f->dump_string("entity", name.to_str());
f->dump_stream("key") << mapiter->second.key;
- if (mapiter->second.auid != CEPH_AUTH_UID_DEFAULT)
- f->dump_int("auid", mapiter->second.auid);
f->open_object_section("caps");
}
- map<string, bufferlist>::const_iterator capsiter =
- mapiter->second.caps.begin();
+ auto capsiter = mapiter->second.caps.begin();
for (; capsiter != mapiter->second.caps.end(); ++capsiter) {
// FIXME: need a const_iterator for bufferlist, but it doesn't exist yet.
bufferlist *bl = const_cast<bufferlist*>(&capsiter->second);
- bufferlist::iterator dataiter = bl->begin();
+ auto dataiter = bl->cbegin();
string caps;
- ::decode(caps, dataiter);
+ using ceph::decode;
+ decode(caps, dataiter);
if (ds)
*ds << "\tcaps: [" << capsiter->first << "] " << caps << std::endl;
if (f)
void KeyServer::encode_formatted(string label, Formatter *f, bufferlist &bl)
{
- assert(f != NULL);
+ ceph_assert(f != NULL);
f->open_object_section(label.c_str());
encode_secrets(f, NULL);
f->close_section();
bl.append(os.str());
}
-bool KeyServer::updated_rotating(bufferlist& rotating_bl, version_t& rotating_ver)
+bool KeyServer::prepare_rotating_update(bufferlist& rotating_bl)
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
+ ldout(cct, 20) << __func__ << " before: data.rotating_ver=" << data.rotating_ver
+ << dendl;
- _check_rotating_secrets();
+ KeyServerData pending_data(nullptr);
+ pending_data.rotating_ver = data.rotating_ver + 1;
+ pending_data.rotating_secrets = data.rotating_secrets;
- if (data.rotating_ver <= rotating_ver)
+ int added = 0;
+ added += _rotate_secret(CEPH_ENTITY_TYPE_AUTH, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_MON, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_OSD, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_MDS, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_MGR, pending_data);
+ if (!added) {
return false;
-
- data.encode_rotating(rotating_bl);
-
- rotating_ver = data.rotating_ver;
+ }
+ ldout(cct, 20) << __func__ << " after: pending_data.rotating_ver="
+ << pending_data.rotating_ver
+ << dendl;
+ pending_data.encode_rotating(rotating_bl);
return true;
}
bool KeyServer::get_rotating_encrypted(const EntityName& name,
bufferlist& enc_bl) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
- map<EntityName, EntityAuth>::const_iterator mapiter = data.find_name(name);
+ auto mapiter = data.find_name(name);
if (mapiter == data.secrets_end())
return false;
const CryptoKey& specific_key = mapiter->second.key;
- map<uint32_t, RotatingSecrets>::const_iterator rotate_iter =
- data.rotating_secrets.find(name.get_type());
+ auto rotate_iter = data.rotating_secrets.find(name.get_type());
if (rotate_iter == data.rotating_secrets.end())
return false;
bool KeyServer::get_service_caps(const EntityName& name, uint32_t service_id,
AuthCapsInfo& caps_info) const
{
- Mutex::Locker l(lock);
+ std::scoped_lock l{lock};
return _get_service_caps(name, service_id, caps_info);
}
-int KeyServer::_build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info,
- CephXSessionAuthInfo& info)
+int KeyServer::_build_session_auth_info(uint32_t service_id,
+ const AuthTicket& parent_ticket,
+ CephXSessionAuthInfo& info,
+ double ttl)
{
info.service_id = service_id;
- info.ticket = auth_ticket_info.ticket;
- info.ticket.init_timestamps(ceph_clock_now(), cct->_conf->auth_service_ticket_ttl);
+ info.ticket = parent_ticket;
+ info.ticket.init_timestamps(ceph_clock_now(), ttl);
+ info.validity.set_from_double(ttl);
generate_secret(info.session_key);
return 0;
}
-int KeyServer::build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info,
+int KeyServer::build_session_auth_info(uint32_t service_id,
+ const AuthTicket& parent_ticket,
CephXSessionAuthInfo& info)
{
- if (!get_service_secret(service_id, info.service_secret, info.secret_id)) {
- return -EPERM;
+ double ttl;
+ if (!get_service_secret(service_id, info.service_secret, info.secret_id,
+ ttl)) {
+ return -EACCES;
}
- Mutex::Locker l(lock);
-
- return _build_session_auth_info(service_id, auth_ticket_info, info);
+ std::scoped_lock l{lock};
+ return _build_session_auth_info(service_id, parent_ticket, info, ttl);
}
-int KeyServer::build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info, CephXSessionAuthInfo& info,
- CryptoKey& service_secret, uint64_t secret_id)
+int KeyServer::build_session_auth_info(uint32_t service_id,
+ const AuthTicket& parent_ticket,
+ const CryptoKey& service_secret,
+ uint64_t secret_id,
+ CephXSessionAuthInfo& info)
{
info.service_secret = service_secret;
info.secret_id = secret_id;
- Mutex::Locker l(lock);
- return _build_session_auth_info(service_id, auth_ticket_info, info);
+ std::scoped_lock l{lock};
+ return _build_session_auth_info(service_id, parent_ticket, info,
+ cct->_conf->auth_service_ticket_ttl);
}