From 5cf7944d36190a45ab27aec779593bf47a71be1b Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Mon, 25 Oct 2021 14:26:05 -0400
Subject: [PATCH] mon/MonClient: add 'rotate-key' asok command
Rotate the live auth key for a running daemon without restarting.
Signed-off-by: Sage Weil
---
 src/mon/MonClient.cc | 35 +++++++++++++++++++++++++++++++++++
 src/mon/MonClient.h | 12 +++++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 53c2e16174db1..39fbf44883c47 100644
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -517,12 +517,20 @@ int MonClient::init()
 timer.init();
 schedule_tick();
+ cct->get_admin_socket()->register_command(
+ "rotate-key",
+ this,
+ "rotate live authentication key");
+
 return 0;
 }
 void MonClient::shutdown()
 {
 ldout(cct, 10) << __func__ << dendl;
+
+ cct->get_admin_socket()->unregister_commands(this);
+
 monc_lock.lock();
 stopping = true;
 while (!version_requests.empty()) {
@@ -603,6 +611,33 @@ int MonClient::authenticate(double timeout)
 return authenticate_err;
 }
+int MonClient::call(
+ std::string_view command,
+ const cmdmap_t& cmdmap,
+ const ceph::buffer::list &inbl,
+ ceph::Formatter *f,
+ std::ostream& errss,
+ ceph::buffer::list& out)
+{
+ if (command == "rotate-key") {
+ CryptoKey key;
+ try {
+ key.decode_base64(inbl.to_str());
+ } catch (buffer::error& e) {
+ errss << "error decoding key: " << e.what();
+ return -EINVAL;
+ }
+ if (keyring) {
+ ldout(cct, 1) << "rotate live key for " << entity_name << dendl;
+ keyring->add(entity_name, key);
+ } else {
+ errss << "cephx not enabled; no key to rotate";
+ return -EINVAL;
+ }
+ }
+ return 0;
+}
+
 void MonClient::handle_auth(MAuthReply *m)
 {
 ceph_assert(ceph_mutex_is_locked(monc_lock));
diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h
index de6bba574ff1a..b72bf1f65749f 100644
--- a/src/mon/MonClient.h
+++ b/src/mon/MonClient.h
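Review bot: The return value of `register_command(...)` in `MonClient::init()` is discarded, so a failed registration (for example a name collision on "rotate-key") leaves the daemon without the command and nothing in the log says so. The usual form is `int r = cct->get_admin_socket()->register_command("rotate-key", this, "rotate live authentication key"); ceph_assert(r == 0);`, or log `r` if the project prefers to tolerate the failure. The help string could also tell the operator what the command consumes, e.g. `"rotate live authentication key (base64-encoded key passed as command input)"`, since the hunk shows the key is read from `inbl` rather than from an argument. Both `init()` and `shutdown()` continue outside the hunk.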
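Review bot: `MonClient::call` has no guard for an empty `inbl`; whether `CryptoKey::decode_base64("")` throws `buffer::error` or produces an empty key is not visible here, and in the latter case an empty key would be installed for `entity_name` with only the level-1 log line as a trace. An explicit check before decoding, `if (inbl.length() == 0) { errss << "no key provided"; return -EINVAL; }`, makes that failure mode explicit and reportable to the caller. `keyring->add(entity_name, key)` runs on the admin-socket thread without `monc_lock` held, while the neighbouring handler `handle_auth` asserts that lock is held; if `keyring` is also read by the auth path, this is a data race worth confirming before merge. The rotation only updates the in-memory keyring — nothing in the hunk persists the new key — which deserves a comment above the function such as `// Replace the in-memory key for entity_name; the on-disk keyring is not updated.` The exception should also be caught as `const buffer::error&`.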
@@ -27,6 +27,7 @@
 #include "MonMap.h"
 #include "MonSub.h"
+#include "common/admin_socket.h"
 #include "common/async/completion.h"
 #include "common/Timer.h"
 #include "common/config.h"
@@ -269,7 +270,8 @@ const boost::system::error_category& monc_category() noexcept;
 class MonClient : public Dispatcher,
 public AuthClient,
- public AuthServer /* for mgr, osd, mds */ {
+ public AuthServer, /* for mgr, osd, mds */
+ public AdminSocketHook {
 static constexpr auto dout_subsys = ceph_subsys_monc;
 public:
 // Error, Newest, Oldest
@@ -315,6 +317,14 @@ class MonClient : public Dispatcher,
 void handle_auth(MAuthReply *m);
+ int call(
+ std::string_view command,
+ const cmdmap_t& cmdmap,
+ const ceph::buffer::list &inbl,
+ ceph::Formatter *f,
+ std::ostream& errss,
+ ceph::buffer::list& out) override;
+
 // monitor session
 utime_t last_keepalive;
 utime_t last_send_log;
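Review bot: The new `AdminSocketHook` base on `MonClient` is undocumented in the header, so a reader of the class declaration cannot tell why a monitor client is also an admin-socket hook. A one-line comment on the added line, `public AdminSocketHook { // serves the 'rotate-key' asok command, see MonClient::call`, would make the relationship explicit next to the existing `/* for mgr, osd, mds */` note on `AuthServer`. The class body continues outside the hunk.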