X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fsrc%2Fauth%2Fscheme.txt;fp=src%2Fceph%2Fsrc%2Fauth%2Fscheme.txt;h=0df00addc3da5fbc8670b890c4fd206e7bd9be51;hb=812ff6ca9fcd3e629e49d4328905f33eee8ca3f5;hp=0000000000000000000000000000000000000000;hpb=15280273faafb77777eab341909a3f495cf248d9;p=stor4nfv.git
diff --git a/src/ceph/src/auth/scheme.txt b/src/ceph/src/auth/scheme.txt
new file mode 100644
index 0000000..0df00ad
--- /dev/null
+++ b/src/ceph/src/auth/scheme.txt
@@ -0,0 +1,87 @@
+
+client_name = foo (mon has some corresponding shared secret)
+client_addr = ip address, port, pid
+
+
+monitor has:
+
+client_auth {
+ client_name;
+ client capabilities;
+ client secret;
+};
+map users;
+
+struct secret {
+ bufferlist secret;
+ utime_t created;
+};
+map entity_secrets;
+
+struct service_secret_set {
+ secret[3];
+};
+map svc_secrets;
+
+/*
+svcsecret will be a rotating key. we regenerate every time T, and keep
+keys for 3*T. client always get the second-newest key. all 3 are
+considered valid. clients and services renew/reverify key at least one
+every time T.
+*/
+
+
+client_ticket {
+ client_addr;
+ map client_capabilities;
+};
+
+
+
+authenticate principle:
+
+C->M : client_name, client_addr. authenticate me.
+ ...monitor does lookup in database...
+M->C : A= {client/mon session key, validity}^clientsecret
+ B= {client ticket, validity, client/mon session key}^monsecret
+
+
+authorize principle to do something on monitor:
+
+C->M : B, {client_addr, timestamp}^client/mon session key. do foo (assign id)
+M->C : result. and {timestamp+1}^client/mon session key
+
+
+authorize for service:
+
+C->M : B, {client_addr, timestamp}^client/mon session key. authorize me!
+M->C : E= {svc ticket}^svcsecret
+ F= {svc session key, validity}^client/mon session key
+
+svc ticket = (client addr, validity, svc session key)
+
+
+on opening session to service:
+
+C->O : E
+ {client_addr, timestamp}^svc session key
+O->C : {timestamp+1}^svc session key
+
+
+
+
+
+To authenticate:
+
+ client -> auth:
+ {client_name, client_addr}^client_secret
+ auth -> client:
+ {session key, validity, nonce}^client_secret
+ {client_ticket, session key}^service_secret ... "enc_ticket"
+
+where client_ticket is { client_addr, created, expires, none, capabilities }.
+
+To gain access using our ticket:
+
+
+