ceph/src/auth/Auth.h

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab
   3 /*
   4  * Ceph - scalable distributed file system
   5  *
   6  * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
   7  *
   8  * This is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public
  10  * License version 2.1, as published by the Free Software
  11  * Foundation.  See file COPYING.
  12  *
  13  */
  14
  15 #ifndef CEPH_AUTHTYPES_H
  16 #define CEPH_AUTHTYPES_H
  17
  18 #include "Crypto.h"
  19 #include "common/entity_name.h"
  20
  21 class Cond;
  22
  23 struct EntityAuth {
  24   uint64_t auid;
  25   CryptoKey key;
  26   map<string, bufferlist> caps;
  27
  28   EntityAuth() : auid(CEPH_AUTH_UID_DEFAULT) {}
  29
  30   void encode(bufferlist& bl) const {
  31     __u8 struct_v = 2;
  32     ::encode(struct_v, bl);
  33     ::encode(auid, bl);
  34     ::encode(key, bl);
  35     ::encode(caps, bl);
  36   }
  37   void decode(bufferlist::iterator& bl) {
  38     __u8 struct_v;
  39     ::decode(struct_v, bl);
  40     if (struct_v >= 2)
  41       ::decode(auid, bl);
  42     else auid = CEPH_AUTH_UID_DEFAULT;
  43     ::decode(key, bl);
  44     ::decode(caps, bl);
  45   }
  46 };
  47 WRITE_CLASS_ENCODER(EntityAuth)
  48
  49 static inline ostream& operator<<(ostream& out, const EntityAuth& a) {
  50   return out << "auth(auid = " << a.auid << " key=" << a.key << " with " << a.caps.size() << " caps)";
  51 }
  52
  53 struct AuthCapsInfo {
  54   bool allow_all;
  55   bufferlist caps;
  56
  57   AuthCapsInfo() : allow_all(false) {}
  58
  59   void encode(bufferlist& bl) const {
  60     __u8 struct_v = 1;
  61     ::encode(struct_v, bl);
  62     __u8 a = (__u8)allow_all;
  63     ::encode(a, bl);
  64     ::encode(caps, bl);
  65   }
  66   void decode(bufferlist::iterator& bl) {
  67     __u8 struct_v;
  68     ::decode(struct_v, bl);
  69     __u8 a;
  70     ::decode(a, bl);
  71     allow_all = (bool)a;
  72     ::decode(caps, bl);
  73   }
  74 };
  75 WRITE_CLASS_ENCODER(AuthCapsInfo)
  76
  77 /*
  78  * The ticket (if properly validated) authorizes the principal use
  79  * services as described by 'caps' during the specified validity
  80  * period.
  81  */
  82 struct AuthTicket {
  83   EntityName name;
  84   uint64_t global_id; /* global instance id */
  85   uint64_t auid;
  86   utime_t created, renew_after, expires;
  87   AuthCapsInfo caps;
  88   __u32 flags;
  89
  90   AuthTicket() : global_id(0), auid(CEPH_AUTH_UID_DEFAULT), flags(0){}
  91
  92   void init_timestamps(utime_t now, double ttl) {
  93     created = now;
  94     expires = now;
  95     expires += ttl;
  96     renew_after = now;
  97     renew_after += ttl / 2.0;
  98   }
  99
 100   void encode(bufferlist& bl) const {
 101     __u8 struct_v = 2;
 102     ::encode(struct_v, bl);
 103     ::encode(name, bl);
 104     ::encode(global_id, bl);
 105     ::encode(auid, bl);
 106     ::encode(created, bl);
 107     ::encode(expires, bl);
 108     ::encode(caps, bl);
 109     ::encode(flags, bl);
 110   }
 111   void decode(bufferlist::iterator& bl) {
 112     __u8 struct_v;
 113     ::decode(struct_v, bl);
 114     ::decode(name, bl);
 115     ::decode(global_id, bl);
 116     if (struct_v >= 2)
 117       ::decode(auid, bl);
 118     else auid = CEPH_AUTH_UID_DEFAULT;
 119     ::decode(created, bl);
 120     ::decode(expires, bl);
 121     ::decode(caps, bl);
 122     ::decode(flags, bl);
 123   }
 124 };
 125 WRITE_CLASS_ENCODER(AuthTicket)
 126
 127
 128 /*
 129  * abstract authorizer class
 130  */
 131 struct AuthAuthorizer {
 132   __u32 protocol;
 133   bufferlist bl;
 134   CryptoKey session_key;
 135
 136   explicit AuthAuthorizer(__u32 p) : protocol(p) {}
 137   virtual ~AuthAuthorizer() {}
 138   virtual bool verify_reply(bufferlist::iterator& reply) = 0;
 139   virtual bool add_challenge(CephContext *cct, bufferlist& challenge) = 0;
 140 };
 141
 142 struct AuthAuthorizerChallenge {
 143   virtual ~AuthAuthorizerChallenge() {}
 144 };
 145
 146
 147 /*
 148  * Key management
 149  */
 150 #define KEY_ROTATE_NUM 3   /* prev, current, next */
 151
 152 struct ExpiringCryptoKey {
 153   CryptoKey key;
 154   utime_t expiration;
 155
 156   void encode(bufferlist& bl) const {
 157     __u8 struct_v = 1;
 158     ::encode(struct_v, bl);
 159     ::encode(key, bl);
 160     ::encode(expiration, bl);
 161   }
 162   void decode(bufferlist::iterator& bl) {
 163     __u8 struct_v;
 164     ::decode(struct_v, bl);
 165     ::decode(key, bl);
 166     ::decode(expiration, bl);
 167   }
 168 };
 169 WRITE_CLASS_ENCODER(ExpiringCryptoKey)
 170
 171 static inline ostream& operator<<(ostream& out, const ExpiringCryptoKey& c)
 172 {
 173   return out << c.key << " expires " << c.expiration;
 174 }
 175
 176 struct RotatingSecrets {
 177   map<uint64_t, ExpiringCryptoKey> secrets;
 178   version_t max_ver;
 179
 180   RotatingSecrets() : max_ver(0) {}
 181
 182   void encode(bufferlist& bl) const {
 183     __u8 struct_v = 1;
 184     ::encode(struct_v, bl);
 185     ::encode(secrets, bl);
 186     ::encode(max_ver, bl);
 187   }
 188   void decode(bufferlist::iterator& bl) {
 189     __u8 struct_v;
 190     ::decode(struct_v, bl);
 191     ::decode(secrets, bl);
 192     ::decode(max_ver, bl);
 193   }
 194
 195   uint64_t add(ExpiringCryptoKey& key) {
 196     secrets[++max_ver] = key;
 197     while (secrets.size() > KEY_ROTATE_NUM)
 198       secrets.erase(secrets.begin());
 199     return max_ver;
 200   }
 201
 202   bool need_new_secrets() const {
 203     return secrets.size() < KEY_ROTATE_NUM;
 204   }
 205   bool need_new_secrets(utime_t now) const {
 206     return secrets.size() < KEY_ROTATE_NUM || current().expiration <= now;
 207   }
 208
 209   ExpiringCryptoKey& previous() {
 210     return secrets.begin()->second;
 211   }
 212   ExpiringCryptoKey& current() {
 213     map<uint64_t, ExpiringCryptoKey>::iterator p = secrets.begin();
 214     ++p;
 215     return p->second;
 216   }
 217   const ExpiringCryptoKey& current() const {
 218     map<uint64_t, ExpiringCryptoKey>::const_iterator p = secrets.begin();
 219     ++p;
 220     return p->second;
 221   }
 222   ExpiringCryptoKey& next() {
 223     return secrets.rbegin()->second;
 224   }
 225   bool empty() {
 226     return secrets.empty();
 227   }
 228
 229   void dump();
 230 };
 231 WRITE_CLASS_ENCODER(RotatingSecrets)
 232
 233
 234
 235 class KeyStore {
 236 public:
 237   virtual ~KeyStore() {}
 238   virtual bool get_secret(const EntityName& name, CryptoKey& secret) const = 0;
 239   virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id,
 240                                   CryptoKey& secret) const = 0;
 241 };
 242
 243 static inline bool auth_principal_needs_rotating_keys(EntityName& name)
 244 {
 245   uint32_t ty(name.get_type());
 246   return ((ty == CEPH_ENTITY_TYPE_OSD)
 247       || (ty == CEPH_ENTITY_TYPE_MDS)
 248       || (ty == CEPH_ENTITY_TYPE_MGR));
 249 }
 250
 251 #endif