auth: re-add auid to EntityAuth and AuthTicket.

att · Mar 5, 2010 · 1d2516d · 1d2516d
1 parent d4c9453
commit 1d2516d
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 15 deletions.
diff --git a/src/auth/Auth.h b/src/auth/Auth.h
@@ -22,6 +22,8 @@
 
 #include <errno.h>
 
+#define CEPH_AUTH_UID_DEFAULT (__u64) -1
+
 class Cond;
 
 struct EntityName {
@@ -105,26 +107,33 @@ static inline ostream& operator<<(ostream& out, const EntityName& n) {
 
 
 struct EntityAuth {
+  __u64 auid;
   CryptoKey key;
   map<string, bufferlist> caps;
 
+  EntityAuth() : auid(CEPH_AUTH_UID_DEFAULT) {}
+
   void encode(bufferlist& bl) const {
-    __u8 struct_v = 1;
+    __u8 struct_v = 2;
     ::encode(struct_v, bl);
+    ::encode(auid, bl);
     ::encode(key, bl);
     ::encode(caps, bl);
   }
   void decode(bufferlist::iterator& bl) {
     __u8 struct_v;
     ::decode(struct_v, bl);
+    if (struct_v >= 2)
+      ::decode(auid, bl);
+    else auid = CEPH_AUTH_UID_DEFAULT;
     ::decode(key, bl);
     ::decode(caps, bl);
   }
 };
 WRITE_CLASS_ENCODER(EntityAuth)
 
 static inline ostream& operator<<(ostream& out, const EntityAuth& a) {
-  return out << "auth(key=" << a.key << " with " << a.caps.size() << " caps)";
+  return out << "auth(auid = " << a.auid << " key=" << a.key << " with " << a.caps.size() << " caps)";
 }
 
 struct AuthCapsInfo {
@@ -159,11 +168,12 @@ WRITE_CLASS_ENCODER(AuthCapsInfo)
 struct AuthTicket {
   EntityName name;
   uint64_t global_id; /* global instance id */
+  uint64_t auid;
   utime_t created, renew_after, expires;
   AuthCapsInfo caps;
   __u32 flags;
 
-  AuthTicket() : global_id(0), flags(0) {}
+  AuthTicket() : global_id(0), auid(CEPH_AUTH_UID_DEFAULT), flags(0){}
 
   void init_timestamps(utime_t now, double ttl) {
     created = now;
@@ -174,20 +184,24 @@ struct AuthTicket {
   }
 
   void encode(bufferlist& bl) const {
-    __u8 v = 1;
-    ::encode(v, bl);
+    __u8 struct_v = 2;
+    ::encode(struct_v, bl);
     ::encode(name, bl);
     ::encode(global_id, bl);
+    ::encode(auid, bl);
     ::encode(created, bl);
     ::encode(expires, bl);
     ::encode(caps, bl);
     ::encode(flags, bl);
   }
   void decode(bufferlist::iterator& bl) {
-    __u8 v;
-    ::decode(v, bl);
+    __u8 struct_v;
+    ::decode(struct_v, bl);
     ::decode(name, bl);
     ::decode(global_id, bl);
+    if (struct_v >= 2)
+      ::decode(auid, bl);
+    else auid = CEPH_AUTH_UID_DEFAULT;
     ::decode(created, bl);
     ::decode(expires, bl);
     ::decode(caps, bl);

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
@@ -82,15 +82,19 @@ bool KeyServerData::get_service_secret(uint32_t service_id, uint64_t secret_id,
 
   return true;
 }
-
-bool KeyServerData::get_secret(EntityName& name, CryptoKey& secret)
-{
+bool KeyServerData::get_auth(EntityName& name, EntityAuth& auth) {
   map<EntityName, EntityAuth>::iterator iter = secrets.find(name);
   if (iter == secrets.end())
     return false;
+  auth = iter->second;
+  return true;
+}
 
+bool KeyServerData::get_secret(EntityName& name, CryptoKey& secret) {
+  map<EntityName, EntityAuth>::iterator iter = secrets.find(name);
+  if (iter == secrets.end())
+    return false;
   secret = iter->second.key;
-
   return true;
 }
 
@@ -194,10 +198,15 @@ int KeyServer::_rotate_secret(uint32_t service_id)
 bool KeyServer::get_secret(EntityName& name, CryptoKey& secret)
 {
   Mutex::Locker l(lock);
-
   return data.get_secret(name, secret);
 }
 
+bool KeyServer::get_auth(EntityName& name, EntityAuth& auth)
+{
+  Mutex::Locker l(lock);
+  return data.get_auth(name, auth);
+}
+
 bool KeyServer::get_caps(EntityName& name, string& type, AuthCapsInfo& caps_info)
 {
   Mutex::Locker l(lock);

diff --git a/src/auth/cephx/CephxKeyServer.h b/src/auth/cephx/CephxKeyServer.h
@@ -83,6 +83,7 @@ struct KeyServerData {
   bool get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret, uint64_t& secret_id);
   bool get_service_secret(uint32_t service_id, CryptoKey& secret, uint64_t& secret_id);
   bool get_service_secret(uint32_t service_id, uint64_t secret_id, CryptoKey& secret);
+  bool get_auth(EntityName& name, EntityAuth& auth);
   bool get_secret(EntityName& name, CryptoKey& secret);
   bool get_caps(EntityName& name, string& type, AuthCapsInfo& caps);
 
@@ -178,6 +179,7 @@ class KeyServer : public KeyStore {
   bool generate_secret(CryptoKey& secret);
 
   bool get_secret(EntityName& name, CryptoKey& secret);
+  bool get_auth(EntityName& name, EntityAuth& auth);
   bool get_caps(EntityName& name, string& type, AuthCapsInfo& caps);
   bool get_active_rotating_secret(EntityName& name, CryptoKey& secret);
   int start_server();

diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
@@ -88,8 +88,8 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
       CephXSessionAuthInfo info;
       bool should_enc_ticket = false;
 
-      CryptoKey principal_secret;
-      if (key_server->get_secret(entity_name, principal_secret) < 0) {
+      EntityAuth eauth;
+      if (key_server->get_auth(entity_name, eauth) < 0) {
 	ret = -EPERM;
 	break;
       }
@@ -104,6 +104,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
       info.ticket.init_timestamps(g_clock.now(), g_conf.auth_mon_ticket_ttl);
       info.ticket.name = entity_name;
       info.ticket.global_id = global_id;
+      info.ticket.auid = eauth.auid;
       info.validity += g_conf.auth_mon_ticket_ttl;
 
       key_server->generate_secret(session_key);
@@ -120,7 +121,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
       info_vec.push_back(info);
 
       build_cephx_response_header(cephx_header.request_type, 0, result_bl);
-      if (!cephx_build_service_ticket_reply(principal_secret, info_vec, should_enc_ticket, old_ticket_info.session_key, result_bl)) {
+      if (!cephx_build_service_ticket_reply(eauth.key, info_vec, should_enc_ticket, old_ticket_info.session_key, result_bl)) {
         ret = -EIO;
         break;
       }