X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=ceph%2Fsrc%2Fauth%2Fcephx%2FCephxKeyServer.cc;h=86ccc1ca2fbb78e8c3da6da5f4597df742326ba4;hb=20effc670b57271cb089376d6d0800990e5218d5;hp=a59bac4a14eb4f45a859957eb360ef777641a89e;hpb=c5c27e9ad7c8c7ee69d70ae204283b6295ff03ac;p=ceph.git
diff --git a/ceph/src/auth/cephx/CephxKeyServer.cc b/ceph/src/auth/cephx/CephxKeyServer.cc
index a59bac4a1..86ccc1ca2 100644
--- a/ceph/src/auth/cephx/CephxKeyServer.cc
+++ b/ceph/src/auth/cephx/CephxKeyServer.cc
@@ -21,12 +21,19 @@
 #undef dout_prefix
 #define dout_prefix *_dout << "cephx keyserverdata: "
+using std::ostringstream;
+using std::string;
+using std::stringstream;
+
+using ceph::bufferptr;
+using ceph::bufferlist;
+using ceph::Formatter;
+
 bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 CryptoKey& secret, uint64_t& secret_id, double& ttl) const {
- map::const_iterator iter =
- rotating_secrets.find(service_id);
+ auto iter = rotating_secrets.find(service_id);
 if (iter == rotating_secrets.end()) {
 ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id) << " not found " << dendl;
 return false;
@@ -35,8 +42,7 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 const RotatingSecrets& secrets = iter->second;
 // second to oldest, unless it's expired
- map::const_iterator riter =
- secrets.secrets.begin();
+ auto riter = secrets.secrets.begin();
 if (secrets.secrets.size() > 1) ++riter;
@@ -52,7 +58,7 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 // with a bogus, possibly way into the future, validity
 ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
- ttl = min(ttl, static_cast(
+ ttl = std::min(ttl, static_cast(
 secrets.secrets.rbegin()->second.expiration - now));
 ldout(cct, 30) << __func__ << " service " 
@@ -65,23 +71,23 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 uint64_t secret_id, CryptoKey& secret) const {
- map::const_iterator iter =
- rotating_secrets.find(service_id);
- if (iter == rotating_secrets.end())
+ auto iter = rotating_secrets.find(service_id);
+ if (iter == rotating_secrets.end()) {
+ ldout(cct, 10) << __func__ << " no rotating_secrets for service " << service_id
+ << " " << ceph_entity_type_name(service_id) << dendl;
 return false;
+ }
 const RotatingSecrets& secrets = iter->second;
- map::const_iterator riter =
- secrets.secrets.find(secret_id);
+ auto riter = secrets.secrets.find(secret_id);
 if (riter == secrets.secrets.end()) {
 ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id) << " secret " << secret_id << " not found" << dendl;
 ldout(cct, 30) << " I have:" << dendl;
- for (map::const_iterator iter =
- secrets.secrets.begin();
- iter != secrets.secrets.end();
- ++iter)
+ for (auto iter = secrets.secrets.begin();
+ iter != secrets.secrets.end();
+ ++iter)
 ldout(cct, 30) << " id " << iter->first << " " << iter->second << dendl;
 return false;
 }
@@ -91,7 +97,7 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 return true;
 }
 bool KeyServerData::get_auth(const EntityName& name, EntityAuth& auth) const {
- map::const_iterator iter = secrets.find(name);
+ auto iter = secrets.find(name);
 if (iter != secrets.end()) {
 auth = iter->second;
 return true;
@@ -100,7 +106,7 @@ bool KeyServerData::get_auth(const EntityName& name, EntityAuth& auth) const {
 }
 bool KeyServerData::get_secret(const EntityName& name, CryptoKey& secret) const {
- map::const_iterator iter = secrets.find(name);
+ auto iter = secrets.find(name);
 if (iter != secrets.end()) {
 secret = iter->second.key;
 return true; 
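Review bot: The dump loop rewritten in this hunk, `for (auto iter = secrets.secrets.begin(); ...)`, reuses the name `iter` and shadows the outer `auto iter = rotating_secrets.find(service_id)` of the same function; since the loop header is being touched anyway, a range-for removes both the shadowing and the three-line iterator header: `for (const auto& [id, key] : secrets.secrets)` followed by `ldout(cct, 30) << " id " << id << " " << key << dendl;`. That level-30 line streams the stored secret object itself (the first hunk of the file shows the mapped value carries an `expiration`, so presumably an expiring-key wrapper around a CryptoKey); if its operator<< includes the key bytes, this debug path writes service secrets into the log, which is worth confirming before keeping it.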
@@ -114,10 +120,10 @@ bool KeyServerData::get_caps(CephContext *cct, const EntityName& name,
 caps_info.allow_all = false;
 ldout(cct, 10) << "get_caps: name=" << name.to_str() << dendl;
- map::const_iterator iter = secrets.find(name);
+ auto iter = secrets.find(name);
 if (iter != secrets.end()) {
 ldout(cct, 10) << "get_secret: num of caps=" << iter->second.caps.size() << dendl;
- map::const_iterator capsiter = iter->second.caps.find(type);
+ auto capsiter = iter->second.caps.find(type);
 if (capsiter != iter->second.caps.end()) {
 caps_info.caps = capsiter->second;
 }
@@ -143,41 +149,23 @@ int KeyServer::start_server()
 {
 std::scoped_lock l{lock};
- _check_rotating_secrets();
 _dump_rotating_secrets();
 return 0;
 }
-bool KeyServer::_check_rotating_secrets()
+void KeyServer::dump()
 {
- ldout(cct, 10) << "_check_rotating_secrets" << dendl;
-
- int added = 0;
- added += _rotate_secret(CEPH_ENTITY_TYPE_AUTH);
- added += _rotate_secret(CEPH_ENTITY_TYPE_MON);
- added += _rotate_secret(CEPH_ENTITY_TYPE_OSD);
- added += _rotate_secret(CEPH_ENTITY_TYPE_MDS);
- added += _rotate_secret(CEPH_ENTITY_TYPE_MGR);
-
- if (added) {
- ldout(cct, 10) << __func__ << " added " << added << dendl;
- data.rotating_ver++;
- //data.next_rotating_time = ceph_clock_now(cct);
- //data.next_rotating_time += std::min(cct->_conf->auth_mon_ticket_ttl, cct->_conf->auth_service_ticket_ttl);
- _dump_rotating_secrets();
- return true;
- }
- return false;
+ _dump_rotating_secrets();
 }
 void KeyServer::_dump_rotating_secrets()
 {
 ldout(cct, 30) << "_dump_rotating_secrets" << dendl;
- for (map::iterator iter = data.rotating_secrets.begin();
+ for (auto iter = data.rotating_secrets.begin();
 iter != data.rotating_secrets.end(); ++iter) {
 RotatingSecrets& key = iter->second;
- for (map::iterator mapiter = key.secrets.begin();
+ for (auto mapiter = key.secrets.begin();
 mapiter != key.secrets.end(); ++mapiter) ldout(cct, 30) << "service " << ceph_entity_type_name(iter->first) 
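Review bot: The new public `KeyServer::dump()` calls `_dump_rotating_secrets()` without taking `lock`, while `start_server()` directly above wraps the very same call in `std::scoped_lock l{lock};`, and `_dump_rotating_secrets` walks `data.rotating_secrets`, which every other public method in these hunks only touches under that lock. Unless every caller of `dump()` is documented to already hold the lock (in which case a scoped_lock here would deadlock on a non-recursive mutex), add the guard: `void KeyServer::dump() { std::scoped_lock l{lock}; _dump_rotating_secrets(); }`. The file's `_`-prefixed helper convention (caller locks, helper does not) argues for keeping the lock in `dump()` rather than moving it into the helper.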
@@ -186,9 +174,9 @@ void KeyServer::_dump_rotating_secrets()
 }
 }
-int KeyServer::_rotate_secret(uint32_t service_id)
+int KeyServer::_rotate_secret(uint32_t service_id, KeyServerData &pending_data)
 {
- RotatingSecrets& r = data.rotating_secrets[service_id];
+ RotatingSecrets& r = pending_data.rotating_secrets[service_id];
 int added = 0;
 utime_t now = ceph_clock_now();
 double ttl = service_id == CEPH_ENTITY_TYPE_AUTH ? cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
@@ -290,7 +278,7 @@ bool KeyServer::contains(const EntityName& name) const
 int KeyServer::encode_secrets(Formatter *f, stringstream *ds) const
 {
 std::scoped_lock l{lock};
- map::const_iterator mapiter = data.secrets_begin();
+ auto mapiter = data.secrets_begin();
 if (mapiter == data.secrets_end()) return -ENOENT;
@@ -311,8 +299,7 @@ int KeyServer::encode_secrets(Formatter *f, stringstream *ds) const
 f->open_object_section("caps");
 }
- map::const_iterator capsiter =
- mapiter->second.caps.begin();
+ auto capsiter = mapiter->second.caps.begin();
 for (; capsiter != mapiter->second.caps.end(); ++capsiter) {
 // FIXME: need a const_iterator for bufferlist, but it doesn't exist yet.
 bufferlist *bl = const_cast(&capsiter->second); 
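Review bot: `_rotate_secret` gains a `KeyServerData &pending_data` parameter with no comment saying what the caller must pass or that, at least in the visible lines, the member `data` is no longer modified; the function body continues past the end of the hunk. A header comment along the lines of `// Rotate service_id's secrets inside pending_data (a copy the caller will propose), leaving this->data untouched; returns the number of secrets added.` would record that contract — the `int added = 0;` counter suggests the return value, which the rest of the body should confirm. Note that `pending_data.rotating_secrets[service_id]` inserts an empty RotatingSecrets for a service id not yet present, exactly as the old `data.rotating_secrets[service_id]` did, so that behaviour is unchanged by the commit.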
@@ -354,19 +341,30 @@ void KeyServer::encode_plaintext(bufferlist &bl)
 bl.append(os.str());
 }
-bool KeyServer::updated_rotating(bufferlist& rotating_bl, version_t& rotating_ver)
+bool KeyServer::prepare_rotating_update(bufferlist& rotating_bl)
 {
 std::scoped_lock l{lock};
+ ldout(cct, 20) << __func__ << " before: data.rotating_ver=" << data.rotating_ver
+ << dendl;
- _check_rotating_secrets();
+ KeyServerData pending_data(nullptr);
+ pending_data.rotating_ver = data.rotating_ver + 1;
+ pending_data.rotating_secrets = data.rotating_secrets;
- if (data.rotating_ver <= rotating_ver)
+ int added = 0;
+ added += _rotate_secret(CEPH_ENTITY_TYPE_AUTH, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_MON, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_OSD, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_MDS, pending_data);
+ added += _rotate_secret(CEPH_ENTITY_TYPE_MGR, pending_data);
+ if (!added) {
 return false;
-
- data.encode_rotating(rotating_bl);
-
- rotating_ver = data.rotating_ver;
+ }
+ ldout(cct, 20) << __func__ << " after: pending_data.rotating_ver="
+ << pending_data.rotating_ver
+ << dendl;
+ pending_data.encode_rotating(rotating_bl);
 return true;
 }
@@ -375,14 +373,13 @@ bool KeyServer::get_rotating_encrypted(const EntityName& name,
 {
 std::scoped_lock l{lock};
- map::const_iterator mapiter = data.find_name(name);
+ auto mapiter = data.find_name(name);
 if (mapiter == data.secrets_end()) return false;
 const CryptoKey& specific_key = mapiter->second.key;
- map::const_iterator rotate_iter =
- data.rotating_secrets.find(name.get_type());
+ auto rotate_iter = data.rotating_secrets.find(name.get_type());
 if (rotate_iter == data.rotating_secrets.end()) return false;
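Review bot: The five `added += _rotate_secret(..., pending_data);` lines in `prepare_rotating_update` copy the service list that the deleted `_check_rotating_secrets` had; a single loop keeps that list in one place: `for (uint32_t svc : {CEPH_ENTITY_TYPE_AUTH, CEPH_ENTITY_TYPE_MON, CEPH_ENTITY_TYPE_OSD, CEPH_ENTITY_TYPE_MDS, CEPH_ENTITY_TYPE_MGR})` followed by `added += _rotate_secret(svc, pending_data);`. The function also needs a comment stating its new contract, since the old `version_t& rotating_ver` out-parameter is gone and a caller must now recover the version from the encoded `rotating_bl`: something like `// Builds, but does not apply, the next rotating-secrets epoch: returns false when no secret needed rotation, otherwise encodes pending_data (rotating_ver + 1) into rotating_bl for the caller to propose.` Finally, `KeyServerData pending_data(nullptr);` builds the working copy with a null CephContext; if `KeyServerData::encode_rotating` or anything reached from `_rotate_secret` dereferences that pointer this will crash, so it is worth confirming that the constructor argument is not used on the paths taken here.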