1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
15 #ifndef CEPH_AUTHTYPES_H
16 #define CEPH_AUTHTYPES_H
19 #include "common/entity_name.h"
26 map
<string
, bufferlist
> caps
;
// Default-construct with the default auth uid; the remaining members
// (caps map above, and the key streamed by operator<< below) are left to
// their own default construction.
EntityAuth()
  : auid(CEPH_AUTH_UID_DEFAULT)
{
}
30 void encode(bufferlist
& bl
) const {
32 ::encode(struct_v
, bl
);
37 void decode(bufferlist::iterator
& bl
) {
39 ::decode(struct_v
, bl
);
42 else auid
= CEPH_AUTH_UID_DEFAULT
;
47 WRITE_CLASS_ENCODER(EntityAuth
)
/**
 * Debug formatter for an EntityAuth.
 *
 * NOTE(review): this streams a.key through CryptoKey's operator<< (defined
 * elsewhere, not visible in this file). If that operator prints the secret
 * material, every log line built with this formatter leaks a long-lived
 * credential — confirm what CryptoKey prints before emitting this at a log
 * level that reaches disk or a central log collector.
 */
static inline ostream& operator<<(ostream& out, const EntityAuth& a) {
  out << "auth(auid = " << a.auid;
  out << " key=" << a.key;
  out << " with " << a.caps.size() << " caps)";
  return out;
}
// Default-construct as "no blanket allow"; allow_all is the only member
// this constructor sets (the encoded form below serialises it as a __u8).
AuthCapsInfo()
  : allow_all(false)
{
}
59 void encode(bufferlist
& bl
) const {
61 ::encode(struct_v
, bl
);
62 __u8 a
= (__u8
)allow_all
;
66 void decode(bufferlist::iterator
& bl
) {
68 ::decode(struct_v
, bl
);
75 WRITE_CLASS_ENCODER(AuthCapsInfo
)
78 * The ticket (if properly validated) authorizes the principal to use
79 * services as described by 'caps' during the specified validity
84 uint64_t global_id
; /* global instance id */
86 utime_t created
, renew_after
, expires
;
// Default-construct an unissued ticket: no global instance id, the default
// auth uid and no flags. The utime_t members (created, renew_after,
// expires) are not set here; init_timestamps() is what fills them in.
AuthTicket()
  : global_id(0),
    auid(CEPH_AUTH_UID_DEFAULT),
    flags(0)
{
}
92 void init_timestamps(utime_t now
, double ttl
) {
97 renew_after
+= ttl
/ 2.0;
100 void encode(bufferlist
& bl
) const {
102 ::encode(struct_v
, bl
);
104 ::encode(global_id
, bl
);
106 ::encode(created
, bl
);
107 ::encode(expires
, bl
);
111 void decode(bufferlist::iterator
& bl
) {
113 ::decode(struct_v
, bl
);
115 ::decode(global_id
, bl
);
118 else auid
= CEPH_AUTH_UID_DEFAULT
;
119 ::decode(created
, bl
);
120 ::decode(expires
, bl
);
125 WRITE_CLASS_ENCODER(AuthTicket
)
129 * abstract authorizer class
131 struct AuthAuthorizer
{
134 CryptoKey session_key
;
136 explicit AuthAuthorizer(__u32 p
) : protocol(p
) {}
137 virtual ~AuthAuthorizer() {}
138 virtual bool verify_reply(bufferlist::iterator
& reply
) = 0;
139 virtual bool add_challenge(CephContext
*cct
, bufferlist
& challenge
) = 0;
/**
 * Opaque base for the per-connection challenge state that an
 * AuthAuthorizer::add_challenge() implementation may keep. The virtual
 * destructor is the only member, so a concrete challenge can be owned and
 * destroyed through a pointer to this base.
 */
struct AuthAuthorizerChallenge
{
  virtual ~AuthAuthorizerChallenge()
  {
  }
};
150 #define KEY_ROTATE_NUM 3 /* prev, current, next */
152 struct ExpiringCryptoKey
{
156 void encode(bufferlist
& bl
) const {
158 ::encode(struct_v
, bl
);
160 ::encode(expiration
, bl
);
162 void decode(bufferlist::iterator
& bl
) {
164 ::decode(struct_v
, bl
);
166 ::decode(expiration
, bl
);
169 WRITE_CLASS_ENCODER(ExpiringCryptoKey
)
/**
 * Debug formatter for an ExpiringCryptoKey: the key followed by its
 * expiration time.
 *
 * NOTE(review): c.key goes through CryptoKey's operator<< (not visible in
 * this file). If that prints the secret, this formatter exposes a rotating
 * service secret wherever it is logged — verify before using it in
 * anything but local debugging.
 */
static inline ostream& operator<<(ostream& out, const ExpiringCryptoKey& c)
{
  out << c.key;
  out << " expires " << c.expiration;
  return out;
}
176 struct RotatingSecrets
{
177 map
<uint64_t, ExpiringCryptoKey
> secrets
;
180 RotatingSecrets() : max_ver(0) {}
182 void encode(bufferlist
& bl
) const {
184 ::encode(struct_v
, bl
);
185 ::encode(secrets
, bl
);
186 ::encode(max_ver
, bl
);
188 void decode(bufferlist::iterator
& bl
) {
190 ::decode(struct_v
, bl
);
191 ::decode(secrets
, bl
);
192 ::decode(max_ver
, bl
);
195 uint64_t add(ExpiringCryptoKey
& key
) {
196 secrets
[++max_ver
] = key
;
197 while (secrets
.size() > KEY_ROTATE_NUM
)
198 secrets
.erase(secrets
.begin());
// True while the set holds fewer than KEY_ROTATE_NUM (prev/current/next)
// keys, i.e. until add() has been called enough times to fill it.
bool need_new_secrets() const {
  const size_t held = secrets.size();
  return held < KEY_ROTATE_NUM;
}
// True if the set is not yet full, or if it is full but the current key has
// already expired at `now` (expiration <= now counts as expired).
// current() is only consulted once the set is full: it dereferences an
// iterator into `secrets` (its body is partly cut in this view), so it must
// not be reached while the map could be empty.
bool need_new_secrets(utime_t now) const {
  if (secrets.size() < KEY_ROTATE_NUM)
    return true;
  return current().expiration <= now;
}
// The oldest key in the set. add() inserts under ++max_ver and evicts from
// begin() when the map overflows, so the lowest version is the previous
// key. Precondition: `secrets` is non-empty — dereferencing begin() of an
// empty std::map is undefined behaviour, and nothing here checks for it.
ExpiringCryptoKey& previous() {
  map<uint64_t, ExpiringCryptoKey>::iterator oldest = secrets.begin();
  return oldest->second;
}
212 ExpiringCryptoKey
& current() {
213 map
<uint64_t, ExpiringCryptoKey
>::iterator p
= secrets
.begin();
217 const ExpiringCryptoKey
& current() const {
218 map
<uint64_t, ExpiringCryptoKey
>::const_iterator p
= secrets
.begin();
// The newest key in the set (highest version, i.e. the one add() inserted
// most recently). Precondition: `secrets` is non-empty — rbegin() of an
// empty std::map is not dereferenceable, and nothing here checks for it.
ExpiringCryptoKey& next() {
  map<uint64_t, ExpiringCryptoKey>::reverse_iterator newest = secrets.rbegin();
  return newest->second;
}
226 return secrets
.empty();
231 WRITE_CLASS_ENCODER(RotatingSecrets
)
237 virtual ~KeyStore() {}
238 virtual bool get_secret(const EntityName
& name
, CryptoKey
& secret
) const = 0;
239 virtual bool get_service_secret(uint32_t service_id
, uint64_t secret_id
,
240 CryptoKey
& secret
) const = 0;
// Whether a principal of this entity type consumes RotatingSecrets.
// Returns true for OSD, MDS and MGR principals; every other entity type
// yields false.
static inline bool auth_principal_needs_rotating_keys(EntityName& name)
{
  const uint32_t ty = name.get_type();
  switch (ty) {
  case CEPH_ENTITY_TYPE_OSD:
  case CEPH_ENTITY_TYPE_MDS:
  case CEPH_ENTITY_TYPE_MGR:
    return true;
  default:
    return false;
  }
}