1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
15 #ifndef CEPH_AUTHTYPES_H
16 #define CEPH_AUTHTYPES_H
19 #include "common/entity_name.h"
26 map<string, bufferlist> caps;
// Default auth record: auid starts at CEPH_AUTH_UID_DEFAULT, the caps map is
// empty, and key is default-constructed.
// NOTE(review): the operator<< for EntityAuth below streams `key`; confirm that
// CryptoKey's stream operator does not emit secret bytes into logs.
28 EntityAuth() : auid(CEPH_AUTH_UID_DEFAULT) {}
30 void encode(bufferlist& bl) const {
32 ::encode(struct_v, bl);
37 void decode(bufferlist::iterator& bl) {
39 ::decode(struct_v, bl);
42 else auid = CEPH_AUTH_UID_DEFAULT;
47 WRITE_CLASS_ENCODER(EntityAuth)
49 static inline ostream& operator<<(ostream& out, const EntityAuth& a) {
50 return out << "auth(auid = " << a.auid << " key=" << a.key << " with " << a.caps.size() << " caps)";
// Deny by default: a fresh AuthCapsInfo starts with allow_all == false; the
// remaining members are default-constructed until caps are decoded or assigned.
57 AuthCapsInfo() : allow_all(false) {}
59 void encode(bufferlist& bl) const {
61 ::encode(struct_v, bl);
62 __u8 a = (__u8)allow_all;
66 void decode(bufferlist::iterator& bl) {
68 ::decode(struct_v, bl);
75 WRITE_CLASS_ENCODER(AuthCapsInfo)
78 * The ticket (if properly validated) authorizes the principal to use
79 * services as described by 'caps' during the specified validity
84 uint64_t global_id; /* global instance id */
86 utime_t created, renew_after, expires;
// Empty ticket: no global id, default auid, no flags. The validity timestamps
// (created/renew_after/expires) are left default-constructed and are expected
// to be populated by init_timestamps().
// NOTE(review): a default-constructed ticket therefore carries a presumably
// zero-valued expiry; consumers should treat such a ticket as not valid — confirm.
90 AuthTicket() : global_id(0), auid(CEPH_AUTH_UID_DEFAULT), flags(0){}
92 void init_timestamps(utime_t now, double ttl) {
97 renew_after += ttl / 2.0;
100 void encode(bufferlist& bl) const {
102 ::encode(struct_v, bl);
104 ::encode(global_id, bl);
106 ::encode(created, bl);
107 ::encode(expires, bl);
111 void decode(bufferlist::iterator& bl) {
113 ::decode(struct_v, bl);
115 ::decode(global_id, bl);
118 else auid = CEPH_AUTH_UID_DEFAULT;
119 ::decode(created, bl);
120 ::decode(expires, bl);
125 WRITE_CLASS_ENCODER(AuthTicket)
129 * abstract authorizer class
131 struct AuthAuthorizer {
134 CryptoKey session_key;
// Bind this authorizer to one auth protocol id. `explicit` keeps a bare integer
// from silently converting into an authorizer.
136 explicit AuthAuthorizer(__u32 p) : protocol(p) {}
// Virtual destructor so a concrete authorizer can be deleted through a base pointer.
137 virtual ~AuthAuthorizer() {}
// Check the peer's reply to this authorizer. What `reply` must contain is
// decided by the concrete protocol; presumably the bool result gates whether
// the peer is trusted — confirm against the implementations and their callers.
138 virtual bool verify_reply(bufferlist::iterator& reply) = 0;
145 #define KEY_ROTATE_NUM 3 /* prev, current, next */
147 struct ExpiringCryptoKey {
151 void encode(bufferlist& bl) const {
153 ::encode(struct_v, bl);
155 ::encode(expiration, bl);
157 void decode(bufferlist::iterator& bl) {
159 ::decode(struct_v, bl);
161 ::decode(expiration, bl);
164 WRITE_CLASS_ENCODER(ExpiringCryptoKey)
166 static inline ostream& operator<<(ostream& out, const ExpiringCryptoKey& c)
168 return out << c.key << " expires " << c.expiration;
171 struct RotatingSecrets {
172 map<uint64_t, ExpiringCryptoKey> secrets;
// Start with no secrets and version counter 0; add() pre-increments max_ver,
// so the first stored secret gets version 1.
// NOTE(review): previous()/current()/next() below dereference
// secrets.begin()/rbegin() without an emptiness check, so on a freshly
// constructed object they are undefined behaviour — callers must check
// empty()/need_new_secrets() first.
175 RotatingSecrets() : max_ver(0) {}
177 void encode(bufferlist& bl) const {
179 ::encode(struct_v, bl);
180 ::encode(secrets, bl);
181 ::encode(max_ver, bl);
183 void decode(bufferlist::iterator& bl) {
185 ::decode(struct_v, bl);
186 ::decode(secrets, bl);
187 ::decode(max_ver, bl);
190 uint64_t add(ExpiringCryptoKey& key) {
191 secrets[++max_ver] = key;
192 while (secrets.size() > KEY_ROTATE_NUM)
193 secrets.erase(secrets.begin());
197 bool need_new_secrets() const {
198 return secrets.size() < KEY_ROTATE_NUM;
200 bool need_new_secrets(utime_t now) const {
201 return secrets.size() < KEY_ROTATE_NUM || current().expiration <= now;
204 ExpiringCryptoKey& previous() {
205 return secrets.begin()->second;
207 ExpiringCryptoKey& current() {
208 map<uint64_t, ExpiringCryptoKey>::iterator p = secrets.begin();
212 const ExpiringCryptoKey& current() const {
213 map<uint64_t, ExpiringCryptoKey>::const_iterator p = secrets.begin();
217 ExpiringCryptoKey& next() {
218 return secrets.rbegin()->second;
221 return secrets.empty();
226 WRITE_CLASS_ENCODER(RotatingSecrets)
// Virtual destructor: KeyStore is an abstract interface deleted through base pointers.
232 virtual ~KeyStore() {}
// Look up the long-lived secret for a named entity. Presumably returns true
// with `secret` filled on success and false when the entity is unknown —
// confirm against the implementations.
233 virtual bool get_secret(const EntityName& name, CryptoKey& secret) const = 0;
// Look up a rotating service secret by (service_id, secret_id); same bool
// convention as get_secret(), to be confirmed against the implementations.
234 virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id,
235 CryptoKey& secret) const = 0;
238 static inline bool auth_principal_needs_rotating_keys(EntityName& name)
240 uint32_t ty(name.get_type());
241 return ((ty == CEPH_ENTITY_TYPE_OSD)
242 || (ty == CEPH_ENTITY_TYPE_MDS)
243 || (ty == CEPH_ENTITY_TYPE_MGR));