mon/MonClient: add 'rotate-key' asok command

Rotate the live auth key for a running daemon without restarting. Signed-off-by: Sage Weil <[email protected]>
mitsu-ko · Sep 12, 2022 · 5cf7944 · 5cf7944
1 parent 07ad8df
commit 5cf7944
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 1 deletion.
diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
@@ -517,12 +517,20 @@ int MonClient::init()
   timer.init();
   schedule_tick();
 
+  cct->get_admin_socket()->register_command(
+    "rotate-key",
+    this,
+    "rotate live authentication key");
+
   return 0;
 }
 
 void MonClient::shutdown()
 {
   ldout(cct, 10) << __func__ << dendl;
+
+  cct->get_admin_socket()->unregister_commands(this);
+
   monc_lock.lock();
   stopping = true;
   while (!version_requests.empty()) {
@@ -603,6 +611,33 @@ int MonClient::authenticate(double timeout)
   return authenticate_err;
 }
 
+int MonClient::call(
+    std::string_view command,
+    const cmdmap_t& cmdmap,
+    const ceph::buffer::list &inbl,
+    ceph::Formatter *f,
+    std::ostream& errss,
+    ceph::buffer::list& out)
+{
+  if (command == "rotate-key") {
+    CryptoKey key;
+    try {
+      key.decode_base64(inbl.to_str());
+    } catch (buffer::error& e) {
+      errss << "error decoding key: " << e.what();
+      return -EINVAL;
+    }
+    if (keyring) {
+      ldout(cct, 1) << "rotate live key for " << entity_name << dendl;
+      keyring->add(entity_name, key);
+    } else {
+      errss << "cephx not enabled; no key to rotate";
+      return -EINVAL;
+    }
+  }
+  return 0;
+}
+
 void MonClient::handle_auth(MAuthReply *m)
 {
   ceph_assert(ceph_mutex_is_locked(monc_lock));

diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h
@@ -27,6 +27,7 @@
 #include "MonMap.h"
 #include "MonSub.h"
 
+#include "common/admin_socket.h"
 #include "common/async/completion.h"
 #include "common/Timer.h"
 #include "common/config.h"
@@ -269,7 +270,8 @@ const boost::system::error_category& monc_category() noexcept;
 
 class MonClient : public Dispatcher,
 		  public AuthClient,
-		  public AuthServer /* for mgr, osd, mds */ {
+		  public AuthServer, /* for mgr, osd, mds */
+		  public AdminSocketHook {
   static constexpr auto dout_subsys = ceph_subsys_monc;
 public:
   // Error, Newest, Oldest
@@ -315,6 +317,14 @@ class MonClient : public Dispatcher,
 
   void handle_auth(MAuthReply *m);
 
+  int call(
+    std::string_view command,
+    const cmdmap_t& cmdmap,
+    const ceph::buffer::list &inbl,
+    ceph::Formatter *f,
+    std::ostream& errss,
+    ceph::buffer::list& out) override;
+
   // monitor session
   utime_t last_keepalive;
   utime_t last_send_log;