// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
* Ceph - scalable distributed file system
* Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
* This is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License version 2.1, as published by the Free Software
* Foundation. See file COPYING.
#ifndef CEPH_KEYSSERVER_H
#define CEPH_KEYSSERVER_H
#include "auth/KeyRing.h"
#include "CephxProtocol.h"
#include "common/Timer.h"
// In-memory key database of the cephx key server: the per-entity long-term
// secrets (`secrets`) plus the per-service rotating secrets (`rotating_secrets`),
// each with its own version counter. encode()/decode() serialize the whole
// structure; encode_rotating()/decode_rotating() only the rotating subset.
struct KeyServerData {
map<EntityName, EntityAuth> secrets;
/* for each service type */
version_t rotating_ver;
map<uint32_t, RotatingSecrets> rotating_secrets;
// Fresh, empty database: both version counters start at 0. The `version`
// member initialized here is declared on a line not shown in this extract.
KeyServerData() : version(0), rotating_ver(0) {}
void encode(bufferlist& bl) const {
::encode(struct_v, bl);
::encode(version, bl);
::encode(rotating_ver, bl);
::encode(secrets, bl);
::encode(rotating_secrets, bl);
void decode(bufferlist::iterator& bl) {
::decode(struct_v, bl);
::decode(version, bl);
::decode(rotating_ver, bl);
::decode(secrets, bl);
::decode(rotating_secrets, bl);
// Serializes only the rotating-secret subset (struct_v, rotating_ver,
// rotating_secrets); the per-entity `secrets` map is not part of this blob.
// Style: the visible body only reads members, so this could be `const` like
// encode() — confirm against the elided lines before changing the signature.
void encode_rotating(bufferlist& bl) {
::encode(struct_v, bl);
::encode(rotating_ver, bl);
::encode(rotating_secrets, bl);
void decode_rotating(bufferlist& rotating_bl) {
bufferlist::iterator iter = rotating_bl.begin();
::decode(struct_v, iter);
::decode(rotating_ver, iter);
::decode(rotating_secrets, iter);
bool contains(EntityName& name) {
return (secrets.find(name) != secrets.end());
void add_auth(const EntityName& name, EntityAuth& auth) {
void remove_secret(const EntityName& name) {
map<EntityName, EntityAuth>::iterator iter = secrets.find(name);
if (iter == secrets.end())
bool get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret, uint64_t& secret_id);
bool get_service_secret(uint32_t service_id, CryptoKey& secret, uint64_t& secret_id);
bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret);
bool get_auth(EntityName& name, EntityAuth& auth);
bool get_secret(EntityName& name, CryptoKey& secret);
bool get_caps(EntityName& name, string& type, AuthCapsInfo& caps);
map<EntityName, EntityAuth>::iterator secrets_begin() { return secrets.begin(); }
map<EntityName, EntityAuth>::iterator secrets_end() { return secrets.end(); }
map<EntityName, EntityAuth>::iterator find_name(EntityName& name) { return secrets.find(name); }
// -- incremental updates --
AUTH_INC_SET_ROTATING,
bufferlist rotating_bl; // if SET_ROTATING. otherwise,
void encode(bufferlist& bl) const {
::encode(struct_v, bl);
// The op is written as a fixed-width __u32 (decode() casts it back the same
// way), presumably so the serialized width does not depend on the compiler's
// representation of the enum.
__u32 _op = (__u32)op;
if (op == AUTH_INC_SET_ROTATING) {
::encode(rotating_bl, bl);
void decode(bufferlist::iterator& bl) {
::decode(struct_v, bl);
op = (IncrementalOp)_op;
// Range check on the freshly decoded op. assert() aborts the process on
// failure (Ceph's own assert macro, if that is what is in scope here, does
// too), and the plain C version disappears under NDEBUG — so an out-of-range
// op is either fatal or silently accepted, never a recoverable decode error.
// That is only acceptable while the input is the trusted local store;
// NOTE(review): confirm no peer-supplied buffer reaches this decode path.
assert(op >= AUTH_INC_NOP && op <= AUTH_INC_SET_ROTATING);
if (op == AUTH_INC_SET_ROTATING) {
::decode(rotating_bl, bl);
void apply_incremental(Incremental& inc) {
add_auth(inc.name, inc.auth);
remove_secret(inc.name);
case AUTH_INC_SET_ROTATING:
decode_rotating(inc.rotating_bl);
WRITE_CLASS_ENCODER(KeyServerData);
WRITE_CLASS_ENCODER(KeyServerData::Incremental);
// Mutex-guarded front end over a KeyServerData instance (`data`). Most of the
// inline accessors below take `Mutex::Locker l(lock)`; the ones that do not
// (apply_data_incremental, export_keyring) rely on the caller holding
// get_lock().
class KeyServer : public KeyStore {
int _rotate_secret(uint32_t service_id);
bool _check_rotating_secrets();
void _dump_rotating_secrets();
int _build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info, CephXSessionAuthInfo& info);
bool _get_service_caps(EntityName& name, uint32_t service_id, AuthCapsInfo& caps);
bool generate_secret(CryptoKey& secret);
bool get_secret(EntityName& name, CryptoKey& secret);
bool get_auth(EntityName& name, EntityAuth& auth);
bool get_caps(EntityName& name, string& type, AuthCapsInfo& caps);
bool get_active_rotating_secret(EntityName& name, CryptoKey& secret);
void rotate_timeout(double timeout);
int build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info, CephXSessionAuthInfo& info);
int build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info, CephXSessionAuthInfo& info,
CryptoKey& service_secret, uint64_t secret_id);
/* get current secret for specific service type */
bool get_service_secret(uint32_t service_id, ExpiringCryptoKey& service_key, uint64_t& secret_id);
bool get_service_secret(uint32_t service_id, CryptoKey& service_key, uint64_t& secret_id);
bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret);
bool generate_secret(EntityName& name, CryptoKey& secret);
void encode(bufferlist& bl) const {
void decode(bufferlist::iterator& bl) {
Mutex::Locker l(lock);
bool contains(EntityName& name);
void list_secrets(stringstream& ss);
version_t get_ver() {
Mutex::Locker l(lock);
// Applies one incremental update (add/remove an entity, or replace the
// rotating secrets) to `data`.
// NOTE(review): no Mutex::Locker is taken between the signature and the call,
// unlike get_ver()/set_ver()/add_auth()/remove_secret() in this class. The
// caller must hold get_lock(); otherwise this mutates `data` under concurrent
// readers.
void apply_data_incremental(KeyServerData::Incremental& inc) {
data.apply_incremental(inc);
void set_ver(version_t ver) {
Mutex::Locker l(lock);
void add_auth(const EntityName& name, EntityAuth& auth) {
Mutex::Locker l(lock);
data.add_auth(name, auth);
void remove_secret(const EntityName& name) {
Mutex::Locker l(lock);
data.remove_secret(name);
/*void add_rotating_secret(uint32_t service_id, ExpiringCryptoKey& key) {
Mutex::Locker l(lock);
data.add_rotating_secret(service_id, key);
void clone_to(KeyServerData& dst) {
Mutex::Locker l(lock);
// Copies every entry of data.secrets — each entity's EntityAuth, i.e. the
// material get_secret() hands out — into `keyring`. Treat the result as
// sensitive as the server's own store.
// NOTE(review): no Mutex::Locker is taken around the iteration, unlike
// add_auth()/remove_secret(); a concurrent remove_secret() would invalidate
// the iterator. The caller must hold get_lock().
void export_keyring(KeyRing& keyring) {
for (map<EntityName, EntityAuth>::iterator p = data.secrets.begin();
p != data.secrets.end();
keyring.add(p->first, p->second);
bool updated_rotating(bufferlist& rotating_bl, version_t& rotating_ver);
// Declaration only. Presumably fills `enc_bl` with the rotating secrets
// encrypted for `name`; NOTE(review): verify in the implementation that the
// encryption key is `name`'s own secret (per get_secret()) and never a shared
// or caller-chosen key, since this is what lets a service learn the rotating
// secrets.
bool get_rotating_encrypted(EntityName& name, bufferlist& enc_bl);
// Exposes the internal mutex so callers can hold it across the helpers that
// do not lock themselves (apply_data_incremental, export_keyring) and across
// multi-call sequences that must observe a consistent `data`.
Mutex& get_lock() { return lock; }
bool get_service_caps(EntityName& name, uint32_t service_id, AuthCapsInfo& caps);
WRITE_CLASS_ENCODER(KeyServer);