430
431
if (m->cmd.size() > 1) {
431
432
if (m->cmd[1] == "add" ||
432
433
m->cmd[1] == "del" ||
433
m->cmd[1] == "caps" ||
434
m->cmd[1] == "list") {
434
m->cmd[1] == "get-or-create" ||
435
m->cmd[1] == "get-or-create-key" ||
436
m->cmd[1] == "caps") {
437
else if (m->cmd[1] == "export") {
440
MonSession *session = m->get_session();
442
(!session->caps.get_allow_all() &&
443
!mon->_allowed_command(session, m->cmd))) {
444
mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
448
if (m->cmd[1] == "export") {
439
450
export_keyring(keyring);
440
451
if (m->cmd.size() > 2) {
476
487
keyring.add(entity, entity_auth);
477
::encode(keyring, rdata);
488
keyring.encode_plaintext(rdata);
478
489
ss << "exported keyring for " << m->cmd[2];
483
else if ((m->cmd[1] == "print-key" || m->cmd[1] == "print_key") &&
494
else if ((m->cmd[1] == "print-key" || m->cmd[1] == "print_key" || m->cmd[1] == "get-key") &&
484
495
m->cmd.size() == 3) {
485
496
EntityName ename;
486
497
if (!ename.from_str(m->cmd[2])) {
535
551
bool AuthMonitor::prepare_command(MMonCommand *m)
539
556
int err = -EINVAL;
558
MonSession *session = m->get_session();
560
(!session->caps.get_allow_all() &&
561
!mon->_allowed_command(session, m->cmd))) {
562
mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
541
566
// nothing here yet
542
567
if (m->cmd.size() > 1) {
543
568
if (m->cmd[1] == "import") {
604
629
paxos->wait_for_commit(new Monitor::C_Command(mon, m, 0, rs, paxos->get_version()));
632
else if ((m->cmd[1] == "get-or-create-key" ||
633
m->cmd[1] == "get-or-create") &&
634
m->cmd.size() >= 3) {
635
// auth get-or-create <name> [mon osdcapa osd osdcapb ...]
637
if (!entity.from_str(m->cmd[2])) {
638
ss << "bad entity name";
644
EntityAuth entity_auth;
645
if (mon->key_server.get_auth(entity, entity_auth)) {
646
for (unsigned i=3; i + 1<m->cmd.size(); i += 2) {
647
string sys = m->cmd[i];
649
::encode(m->cmd[i+1], cap);
650
if (entity_auth.caps.count(sys) == 0 ||
651
!entity_auth.caps[sys].contents_equal(cap)) {
652
ss << "key for " << entity << " exists but cap " << sys << " does not match";
658
if (m->cmd[1] == "get-or-create-key") {
659
ss << entity_auth.key;
662
kr.add(entity, entity_auth.key);
663
kr.encode_plaintext(rdata);
669
// ...or are we about to?
670
for (vector<Incremental>::iterator p = pending_auth.begin();
671
p != pending_auth.end();
673
if (p->inc_type == AUTH_DATA) {
674
KeyServerData::Incremental auth_inc;
675
bufferlist::iterator q = p->auth_data.begin();
676
::decode(auth_inc, q);
677
if (auth_inc.op == KeyServerData::AUTH_INC_ADD &&
678
auth_inc.name == entity) {
679
paxos->wait_for_commit(new C_RetryMessage(this, m));
686
KeyServerData::Incremental auth_inc;
687
auth_inc.op = KeyServerData::AUTH_INC_ADD;
688
auth_inc.name = entity;
689
auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
690
for (unsigned i=3; i + 1<m->cmd.size(); i += 2)
691
::encode(m->cmd[i+1], auth_inc.auth.caps[m->cmd[i]]);
693
push_cephx_inc(auth_inc);
695
if (m->cmd[1] == "get-or-create-key") {
696
ss << auth_inc.auth.key;
699
kr.add(entity, auth_inc.auth.key);
700
kr.encode_plaintext(rdata);
704
paxos->wait_for_commit(new Monitor::C_Command(mon, m, 0, rs, rdata, paxos->get_version()));
607
707
else if (m->cmd[1] == "caps" && m->cmd.size() >= 3) {
608
708
KeyServerData::Incremental auth_inc;
609
709
if (!auth_inc.name.from_str(m->cmd[2])) {