1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
17 #include "mon/AuthMonitor.h"
18 #include "mon/Monitor.h"
19 #include "mon/MonitorDBStore.h"
20 #include "mon/ConfigKeyService.h"
21 #include "mon/OSDMonitor.h"
22 #include "mon/MDSMonitor.h"
24 #include "messages/MMonCommand.h"
25 #include "messages/MAuth.h"
26 #include "messages/MAuthReply.h"
27 #include "messages/MMonGlobalID.h"
28 #include "msg/Messenger.h"
30 #include "auth/AuthServiceHandler.h"
31 #include "auth/KeyRing.h"
32 #include "include/stringify.h"
33 #include "include/assert.h"
35 #define dout_subsys ceph_subsys_mon
37 #define dout_prefix _prefix(_dout, mon, get_last_committed())
38 static ostream& _prefix(std::ostream *_dout, Monitor *mon, version_t v) {
39 return *_dout << "mon." << mon->name << "@" << mon->rank
40 << "(" << mon->get_state_name()
41 << ").auth v" << v << " ";
44 ostream& operator<<(ostream &out, const AuthMonitor &pm)
49 bool AuthMonitor::check_rotate()
51 KeyServerData::Incremental rot_inc;
52 rot_inc.op = KeyServerData::AUTH_INC_SET_ROTATING;
53 if (!mon->key_server.updated_rotating(rot_inc.rotating_bl, last_rotating_ver))
55 dout(10) << __func__ << " updated rotating" << dendl;
56 push_cephx_inc(rot_inc);
61 Tick function to update the map based on performance every N seconds
64 void AuthMonitor::tick()
66 if (!is_active()) return;
68 dout(10) << *this << dendl;
70 if (!mon->is_leader()) return;
76 void AuthMonitor::on_active()
78 dout(10) << "AuthMonitor::on_active()" << dendl;
80 if (!mon->is_leader())
82 mon->key_server.start_server();
85 void AuthMonitor::create_initial()
87 dout(10) << "create_initial -- creating initial map" << dendl;
89 // initialize rotating keys
90 last_rotating_ver = 0;
92 assert(pending_auth.size() == 1);
94 if (mon->is_keyring_required()) {
97 int ret = mon->store->get("mkfs", "keyring", bl);
98 // fail hard only if there's an error we're not expecting to see
99 assert((ret == 0) || (ret == -ENOENT));
101 // try importing only if there's a key
104 bufferlist::iterator p = bl.begin();
106 ::decode(keyring, p);
107 import_keyring(keyring);
111 max_global_id = MIN_GLOBAL_ID;
114 inc.inc_type = GLOBAL_ID;
115 inc.max_global_id = max_global_id;
116 pending_auth.push_back(inc);
121 void AuthMonitor::update_from_paxos(bool *need_bootstrap)
123 dout(10) << __func__ << dendl;
124 version_t version = get_last_committed();
125 version_t keys_ver = mon->key_server.get_ver();
126 if (version == keys_ver)
128 assert(version > keys_ver);
130 version_t latest_full = get_version_latest_full();
132 dout(10) << __func__ << " version " << version << " keys ver " << keys_ver
133 << " latest " << latest_full << dendl;
135 if ((latest_full > 0) && (latest_full > keys_ver)) {
136 bufferlist latest_bl;
137 int err = get_version_full(latest_full, latest_bl);
139 assert(latest_bl.length() != 0);
140 dout(7) << __func__ << " loading summary e " << latest_full << dendl;
141 dout(7) << __func__ << " latest length " << latest_bl.length() << dendl;
142 bufferlist::iterator p = latest_bl.begin();
144 ::decode(struct_v, p);
145 ::decode(max_global_id, p);
146 ::decode(mon->key_server, p);
147 mon->key_server.set_ver(latest_full);
148 keys_ver = latest_full;
151 dout(10) << __func__ << " key server version " << mon->key_server.get_ver() << dendl;
153 // walk through incrementals
154 while (version > keys_ver) {
156 int ret = get_version(keys_ver+1, bl);
160 // reset if we are moving to initial state. we will normally have
161 // keys in here temporarily for bootstrapping that we need to
164 mon->key_server.clear_secrets();
166 dout(20) << __func__ << " walking through version " << (keys_ver+1)
167 << " len " << bl.length() << dendl;
169 bufferlist::iterator p = bl.begin();
175 switch (inc.inc_type) {
177 max_global_id = inc.max_global_id;
182 KeyServerData::Incremental auth_inc;
183 bufferlist::iterator iter = inc.auth_data.begin();
184 ::decode(auth_inc, iter);
185 mon->key_server.apply_data_incremental(auth_inc);
192 mon->key_server.set_ver(keys_ver);
194 if (keys_ver == 1 && mon->is_keyring_required()) {
195 auto t(std::make_shared<MonitorDBStore::Transaction>());
196 t->erase("mkfs", "keyring");
197 mon->store->apply_transaction(t);
201 if (last_allocated_id == 0)
202 last_allocated_id = max_global_id;
204 dout(10) << "update_from_paxos() last_allocated_id=" << last_allocated_id
205 << " max_global_id=" << max_global_id
206 << " format_version " << format_version
210 void AuthMonitor::increase_max_global_id()
212 assert(mon->is_leader());
214 max_global_id += g_conf->mon_globalid_prealloc;
215 dout(10) << "increasing max_global_id to " << max_global_id << dendl;
217 inc.inc_type = GLOBAL_ID;
218 inc.max_global_id = max_global_id;
219 pending_auth.push_back(inc);
222 bool AuthMonitor::should_propose(double& delay)
224 return (!pending_auth.empty());
227 void AuthMonitor::create_pending()
229 pending_auth.clear();
230 dout(10) << "create_pending v " << (get_last_committed() + 1) << dendl;
233 void AuthMonitor::encode_pending(MonitorDBStore::TransactionRef t)
235 dout(10) << __func__ << " v " << (get_last_committed() + 1) << dendl;
241 vector<Incremental>::iterator p;
242 for (p = pending_auth.begin(); p != pending_auth.end(); ++p)
243 p->encode(bl, mon->get_quorum_con_features());
245 version_t version = get_last_committed() + 1;
246 put_version(t, version, bl);
247 put_last_committed(t, version);
250 void AuthMonitor::encode_full(MonitorDBStore::TransactionRef t)
252 version_t version = mon->key_server.get_ver();
253 // do not stash full version 0 as it will never be removed nor read
257 dout(10) << __func__ << " auth v " << version << dendl;
258 assert(get_last_committed() == version);
261 Mutex::Locker l(mon->key_server.get_lock());
262 dout(20) << __func__ << " key server has "
263 << (mon->key_server.has_secrets() ? "" : "no ")
264 << "secrets!" << dendl;
266 ::encode(v, full_bl);
267 ::encode(max_global_id, full_bl);
268 ::encode(mon->key_server, full_bl);
270 put_version_full(t, version, full_bl);
271 put_version_latest_full(t, version);
274 version_t AuthMonitor::get_trim_to()
276 unsigned max = g_conf->paxos_max_join_drift * 2;
277 version_t version = get_last_committed();
278 if (mon->is_leader() && (version > max))
279 return version - max;
283 bool AuthMonitor::preprocess_query(MonOpRequestRef op)
285 PaxosServiceMessage *m = static_cast<PaxosServiceMessage*>(op->get_req());
286 dout(10) << "preprocess_query " << *m << " from " << m->get_orig_source_inst() << dendl;
287 switch (m->get_type()) {
288 case MSG_MON_COMMAND:
289 return preprocess_command(op);
292 return prep_auth(op, false);
294 case MSG_MON_GLOBAL_ID:
303 bool AuthMonitor::prepare_update(MonOpRequestRef op)
305 PaxosServiceMessage *m = static_cast<PaxosServiceMessage*>(op->get_req());
306 dout(10) << "prepare_update " << *m << " from " << m->get_orig_source_inst() << dendl;
307 switch (m->get_type()) {
308 case MSG_MON_COMMAND:
309 return prepare_command(op);
310 case MSG_MON_GLOBAL_ID:
311 return prepare_global_id(op);
313 return prep_auth(op, true);
320 uint64_t AuthMonitor::assign_global_id(MonOpRequestRef op, bool should_increase_max)
322 MAuth *m = static_cast<MAuth*>(op->get_req());
323 int total_mon = mon->monmap->size();
324 dout(10) << "AuthMonitor::assign_global_id m=" << *m << " mon=" << mon->rank << "/" << total_mon
325 << " last_allocated=" << last_allocated_id << " max_global_id=" << max_global_id << dendl;
327 uint64_t next_global_id = last_allocated_id + 1;
328 int remainder = next_global_id % total_mon;
330 remainder = total_mon - remainder;
331 next_global_id += remainder + mon->rank;
332 dout(10) << "next_global_id should be " << next_global_id << dendl;
334 // if we can't bump the max, bail out now on an out-of-bounds gid
335 if (next_global_id > max_global_id &&
336 (!mon->is_leader() || !should_increase_max)) {
340 // can we return a gid?
341 bool return_next = (next_global_id <= max_global_id);
344 while (mon->is_leader() &&
345 (max_global_id < g_conf->mon_globalid_prealloc ||
346 next_global_id >= max_global_id - g_conf->mon_globalid_prealloc / 2)) {
347 increase_max_global_id();
351 last_allocated_id = next_global_id;
352 return next_global_id;
359 bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
361 MAuth *m = static_cast<MAuth*>(op->get_req());
362 dout(10) << "prep_auth() blob_size=" << m->get_auth_payload().length() << dendl;
364 MonSession *s = op->get_session();
366 dout(10) << "no session, dropping" << dendl;
371 AuthCapsInfo caps_info;
373 bufferlist response_bl;
374 bufferlist::iterator indata = m->auth_payload.begin();
375 __u32 proto = m->protocol;
377 EntityName entity_name;
380 if (m->protocol == 0 && !s->auth_handler) {
381 set<__u32> supported;
385 ::decode(struct_v, indata);
386 ::decode(supported, indata);
387 ::decode(entity_name, indata);
388 ::decode(s->global_id, indata);
389 } catch (const buffer::error &e) {
390 dout(10) << "failed to decode initial auth message" << dendl;
395 // do we require cephx signatures?
397 if (!m->get_connection()->has_feature(CEPH_FEATURE_MSG_AUTH)) {
398 if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
399 entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
400 entity_name.get_type() == CEPH_ENTITY_TYPE_MDS ||
401 entity_name.get_type() == CEPH_ENTITY_TYPE_MGR) {
402 if (g_conf->cephx_cluster_require_signatures ||
403 g_conf->cephx_require_signatures) {
404 dout(1) << m->get_source_inst()
405 << " supports cephx but not signatures and"
406 << " 'cephx [cluster] require signatures = true';"
407 << " disallowing cephx" << dendl;
408 supported.erase(CEPH_AUTH_CEPHX);
411 if (g_conf->cephx_service_require_signatures ||
412 g_conf->cephx_require_signatures) {
413 dout(1) << m->get_source_inst()
414 << " supports cephx but not signatures and"
415 << " 'cephx [service] require signatures = true';"
416 << " disallowing cephx" << dendl;
417 supported.erase(CEPH_AUTH_CEPHX);
423 if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
424 entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
425 entity_name.get_type() == CEPH_ENTITY_TYPE_MDS ||
426 entity_name.get_type() == CEPH_ENTITY_TYPE_MGR)
427 type = mon->auth_cluster_required.pick(supported);
429 type = mon->auth_service_required.pick(supported);
431 s->auth_handler = get_auth_service_handler(type, g_ceph_context, &mon->key_server);
432 if (!s->auth_handler) {
433 dout(1) << "client did not provide supported auth type" << dendl;
438 } else if (!s->auth_handler) {
439 dout(10) << "protocol specified but no s->auth_handler" << dendl;
444 /* assign a new global_id? we assume this should only happen on the first
445 request. If a client tries to send it later, it'll screw up its auth
448 s->global_id = assign_global_id(op, paxos_writable);
451 delete s->auth_handler;
452 s->auth_handler = NULL;
454 if (mon->is_leader() && paxos_writable) {
455 dout(10) << "increasing global id, waitlisting message" << dendl;
456 wait_for_active(op, new C_RetryMessage(this, op));
460 if (!mon->is_leader()) {
461 dout(10) << "not the leader, requesting more ids from leader" << dendl;
462 int leader = mon->get_leader();
463 MMonGlobalID *req = new MMonGlobalID();
464 req->old_max_id = max_global_id;
465 mon->messenger->send_message(req, mon->monmap->get_inst(leader));
466 wait_for_finished_proposal(op, new C_RetryMessage(this, op));
470 assert(!paxos_writable);
480 // always send the latest monmap.
481 if (m->monmap_epoch < mon->monmap->get_epoch())
482 mon->send_latest_monmap(m->get_connection().get());
484 proto = s->auth_handler->start_session(entity_name, indata, response_bl, caps_info);
486 if (caps_info.allow_all)
487 s->caps.set_allow_all();
490 ret = s->auth_handler->handle_request(indata, response_bl, s->global_id, caps_info, &auid);
493 wait_for_active(op, new C_RetryMessage(this,op));
496 if (caps_info.caps.length()) {
497 bufferlist::iterator p = caps_info.caps.begin();
501 } catch (const buffer::error &err) {
502 derr << "corrupt cap data for " << entity_name << " in auth db" << dendl;
505 s->caps.parse(str, NULL);
508 } catch (const buffer::error &err) {
510 dout(0) << "caught error when trying to handle auth request, probably malformed request" << dendl;
514 reply = new MAuthReply(proto, &response_bl, ret, s->global_id);
515 mon->send_reply(op, reply);
520 bool AuthMonitor::preprocess_command(MonOpRequestRef op)
522 MMonCommand *m = static_cast<MMonCommand*>(op->get_req());
527 map<string, cmd_vartype> cmdmap;
528 if (!cmdmap_from_json(m->cmd, &cmdmap, ss)) {
529 // ss has reason for failure
530 string rs = ss.str();
531 mon->reply_command(op, -EINVAL, rs, rdata, get_last_committed());
536 cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
537 if (prefix == "auth add" ||
538 prefix == "auth del" ||
539 prefix == "auth rm" ||
540 prefix == "auth get-or-create" ||
541 prefix == "auth get-or-create-key" ||
542 prefix == "fs authorize" ||
543 prefix == "auth import" ||
544 prefix == "auth caps") {
548 MonSession *session = m->get_session();
550 mon->reply_command(op, -EACCES, "access denied", rdata, get_last_committed());
554 // entity might not be supplied, but if it is, it should be valid
556 cmd_getval(g_ceph_context, cmdmap, "entity", entity_name);
558 if (!entity_name.empty() && !entity.from_str(entity_name)) {
559 ss << "invalid entity_auth " << entity_name;
560 mon->reply_command(op, -EINVAL, ss.str(), get_last_committed());
565 cmd_getval(g_ceph_context, cmdmap, "format", format, string("plain"));
566 boost::scoped_ptr<Formatter> f(Formatter::create(format));
568 if (prefix == "auth export") {
570 export_keyring(keyring);
571 if (!entity_name.empty()) {
573 if (keyring.get_auth(entity, eauth)) {
575 kr.add(entity, eauth);
577 kr.encode_formatted("auth", f.get(), rdata);
579 kr.encode_plaintext(rdata);
580 ss << "export " << eauth;
583 ss << "no key for " << eauth;
588 keyring.encode_formatted("auth", f.get(), rdata);
590 keyring.encode_plaintext(rdata);
592 ss << "exported master keyring";
595 } else if (prefix == "auth get" && !entity_name.empty()) {
597 EntityAuth entity_auth;
598 if(!mon->key_server.get_auth(entity, entity_auth)) {
599 ss << "failed to find " << entity_name << " in keyring";
602 keyring.add(entity, entity_auth);
604 keyring.encode_formatted("auth", f.get(), rdata);
606 keyring.encode_plaintext(rdata);
607 ss << "exported keyring for " << entity_name;
610 } else if (prefix == "auth print-key" ||
611 prefix == "auth print_key" ||
612 prefix == "auth get-key") {
614 if (!mon->key_server.get_auth(entity, auth)) {
615 ss << "don't have " << entity;
620 auth.key.encode_formatted("auth", f.get(), rdata);
622 auth.key.encode_plaintext(rdata);
625 } else if (prefix == "auth list" ||
626 prefix == "auth ls") {
628 mon->key_server.encode_formatted("auth", f.get(), rdata);
630 mon->key_server.encode_plaintext(rdata);
631 if (rdata.length() > 0)
632 ss << "installed auth entries:" << std::endl;
634 ss << "no installed auth entries!" << std::endl;
639 ss << "invalid command";
646 getline(ss, rs, '\0');
647 mon->reply_command(op, r, rs, rdata, get_last_committed());
651 void AuthMonitor::export_keyring(KeyRing& keyring)
653 mon->key_server.export_keyring(keyring);
656 int AuthMonitor::import_keyring(KeyRing& keyring)
658 for (map<EntityName, EntityAuth>::iterator p = keyring.get_keys().begin();
659 p != keyring.get_keys().end();
661 if (p->second.caps.empty()) {
662 dout(0) << "import: no caps supplied" << dendl;
665 int err = add_entity(p->first, p->second);
671 int AuthMonitor::remove_entity(const EntityName &entity)
673 dout(10) << __func__ << " " << entity << dendl;
674 if (!mon->key_server.contains(entity))
677 KeyServerData::Incremental auth_inc;
678 auth_inc.name = entity;
679 auth_inc.op = KeyServerData::AUTH_INC_DEL;
680 push_cephx_inc(auth_inc);
685 bool AuthMonitor::entity_is_pending(EntityName& entity)
687 // are we about to have it?
688 for (auto& p : pending_auth) {
689 if (p.inc_type == AUTH_DATA) {
690 KeyServerData::Incremental inc;
691 bufferlist::iterator q = p.auth_data.begin();
693 if (inc.op == KeyServerData::AUTH_INC_ADD &&
694 inc.name == entity) {
702 int AuthMonitor::exists_and_matches_entity(
703 const auth_entity_t& entity,
707 return exists_and_matches_entity(entity.name, entity.auth,
708 entity.auth.caps, has_secret, ss);
711 int AuthMonitor::exists_and_matches_entity(
712 const EntityName& name,
713 const EntityAuth& auth,
714 const map<string,bufferlist>& caps,
719 dout(20) << __func__ << " entity " << name << " auth " << auth
720 << " caps " << caps << " has_secret " << has_secret << dendl;
722 EntityAuth existing_auth;
723 // does entry already exist?
724 if (mon->key_server.get_auth(name, existing_auth)) {
727 if (existing_auth.key.get_secret().cmp(auth.key.get_secret())) {
728 ss << "entity " << name << " exists but key does not match";
734 if (caps.size() != existing_auth.caps.size()) {
735 ss << "entity " << name << " exists but caps do not match";
738 for (auto& it : caps) {
739 if (existing_auth.caps.count(it.first) == 0 ||
740 !existing_auth.caps[it.first].contents_equal(it.second)) {
741 ss << "entity " << name << " exists but cap "
742 << it.first << " does not match";
753 int AuthMonitor::add_entity(
754 const EntityName& name,
755 const EntityAuth& auth)
759 KeyServerData::Incremental auth_inc;
760 auth_inc.op = KeyServerData::AUTH_INC_ADD;
761 auth_inc.name = name;
762 auth_inc.auth = auth;
764 dout(10) << " importing " << auth_inc.name << dendl;
765 dout(30) << " " << auth_inc.auth << dendl;
766 push_cephx_inc(auth_inc);
770 int AuthMonitor::validate_osd_destroy(
773 EntityName& cephx_entity,
774 EntityName& lockbox_entity,
777 assert(paxos->is_plugged());
779 dout(10) << __func__ << " id " << id << " uuid " << uuid << dendl;
781 string cephx_str = "osd." + stringify(id);
782 string lockbox_str = "client.osd-lockbox." + stringify(uuid);
784 if (!cephx_entity.from_str(cephx_str)) {
785 dout(10) << __func__ << " invalid cephx entity '"
786 << cephx_str << "'" << dendl;
787 ss << "invalid cephx key entity '" << cephx_str << "'";
791 if (!lockbox_entity.from_str(lockbox_str)) {
792 dout(10) << __func__ << " invalid lockbox entity '"
793 << lockbox_str << "'" << dendl;
794 ss << "invalid lockbox key entity '" << lockbox_str << "'";
798 if (!mon->key_server.contains(cephx_entity) &&
799 !mon->key_server.contains(lockbox_entity)) {
806 int AuthMonitor::do_osd_destroy(
807 const EntityName& cephx_entity,
808 const EntityName& lockbox_entity)
810 assert(paxos->is_plugged());
812 dout(10) << __func__ << " cephx " << cephx_entity
813 << " lockbox " << lockbox_entity << dendl;
815 bool removed = false;
817 int err = remove_entity(cephx_entity);
818 if (err == -ENOENT) {
819 dout(10) << __func__ << " " << cephx_entity << " does not exist" << dendl;
824 err = remove_entity(lockbox_entity);
825 if (err == -ENOENT) {
826 dout(10) << __func__ << " " << lockbox_entity << " does not exist" << dendl;
832 dout(10) << __func__ << " entities do not exist -- no-op." << dendl;
836 // given we have paxos plugged, this will not result in a proposal
837 // being triggered, but it will still be needed so that we get our
838 // pending state encoded into the paxos' pending transaction.
843 bufferlist _encode_cap(const string& cap)
853 const map<string,bufferlist>& caps)
858 auth.key.decode_base64(key);
859 } catch (buffer::error& e) {
866 int AuthMonitor::validate_osd_new(
869 const string& cephx_secret,
870 const string& lockbox_secret,
871 auth_entity_t& cephx_entity,
872 auth_entity_t& lockbox_entity,
876 dout(10) << __func__ << " osd." << id << " uuid " << uuid << dendl;
878 map<string,bufferlist> cephx_caps = {
879 { "osd", _encode_cap("allow *") },
880 { "mon", _encode_cap("allow profile osd") },
881 { "mgr", _encode_cap("allow profile osd") }
883 map<string,bufferlist> lockbox_caps = {
884 { "mon", _encode_cap("allow command \"config-key get\" "
885 "with key=\"dm-crypt/osd/" +
890 bool has_lockbox = !lockbox_secret.empty();
892 string cephx_name = "osd." + stringify(id);
893 string lockbox_name = "client.osd-lockbox." + stringify(uuid);
895 if (!cephx_entity.name.from_str(cephx_name)) {
896 dout(10) << __func__ << " invalid cephx entity '"
897 << cephx_name << "'" << dendl;
898 ss << "invalid cephx key entity '" << cephx_name << "'";
903 if (!lockbox_entity.name.from_str(lockbox_name)) {
904 dout(10) << __func__ << " invalid cephx lockbox entity '"
905 << lockbox_name << "'" << dendl;
906 ss << "invalid cephx lockbox entity '" << lockbox_name << "'";
911 if (entity_is_pending(cephx_entity.name) ||
912 (has_lockbox && entity_is_pending(lockbox_entity.name))) {
913 // If we have pending entities for either the cephx secret or the
914 // lockbox secret, then our safest bet is to retry the command at
915 // a later time. These entities may be pending because an `osd new`
916 // command has been run (which is unlikely, due to the nature of
917 // the operation, which will force a paxos proposal), or (more likely)
918 // because a competing client created those entities before we handled
919 // the `osd new` command. Regardless, let's wait and see.
923 if (!is_valid_cephx_key(cephx_secret)) {
924 ss << "invalid cephx secret.";
928 if (has_lockbox && !is_valid_cephx_key(lockbox_secret)) {
929 ss << "invalid cephx lockbox secret.";
933 int err = _create_auth(cephx_entity.auth, cephx_secret, cephx_caps);
936 bool cephx_is_idempotent = false, lockbox_is_idempotent = false;
937 err = exists_and_matches_entity(cephx_entity, true, ss);
939 if (err != -ENOENT) {
944 cephx_is_idempotent = true;
948 err = _create_auth(lockbox_entity.auth, lockbox_secret, lockbox_caps);
950 err = exists_and_matches_entity(lockbox_entity, true, ss);
951 if (err != -ENOENT) {
956 lockbox_is_idempotent = true;
960 if (cephx_is_idempotent && (!has_lockbox || lockbox_is_idempotent)) {
967 int AuthMonitor::do_osd_new(
968 const auth_entity_t& cephx_entity,
969 const auth_entity_t& lockbox_entity,
972 assert(paxos->is_plugged());
974 dout(10) << __func__ << " cephx " << cephx_entity.name
977 *_dout << lockbox_entity.name;
983 // we must have validated before reaching this point.
984 // if keys exist, then this means they also match; otherwise we would
985 // have failed before calling this function.
986 bool cephx_exists = mon->key_server.contains(cephx_entity.name);
989 int err = add_entity(cephx_entity.name, cephx_entity.auth);
994 !mon->key_server.contains(lockbox_entity.name)) {
995 int err = add_entity(lockbox_entity.name, lockbox_entity.auth);
999 // given we have paxos plugged, this will not result in a proposal
1000 // being triggered, but it will still be needed so that we get our
1001 // pending state encoded into the paxos' pending transaction.
1006 bool AuthMonitor::prepare_command(MonOpRequestRef op)
1008 MMonCommand *m = static_cast<MMonCommand*>(op->get_req());
1009 stringstream ss, ds;
1014 map<string, cmd_vartype> cmdmap;
1015 if (!cmdmap_from_json(m->cmd, &cmdmap, ss)) {
1016 // ss has reason for failure
1017 string rs = ss.str();
1018 mon->reply_command(op, -EINVAL, rs, rdata, get_last_committed());
1023 vector<string>caps_vec;
1027 cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
1030 cmd_getval(g_ceph_context, cmdmap, "format", format, string("plain"));
1031 boost::scoped_ptr<Formatter> f(Formatter::create(format));
1033 MonSession *session = m->get_session();
1035 mon->reply_command(op, -EACCES, "access denied", rdata, get_last_committed());
1039 cmd_getval(g_ceph_context, cmdmap, "caps", caps_vec);
1040 if ((caps_vec.size() % 2) != 0) {
1041 ss << "bad capabilities request; odd number of arguments";
1046 cmd_getval(g_ceph_context, cmdmap, "entity", entity_name);
1047 if (!entity_name.empty() && !entity.from_str(entity_name)) {
1048 ss << "bad entity name";
1053 if (prefix == "auth import") {
1054 bufferlist bl = m->get_data();
1055 if (bl.length() == 0) {
1056 ss << "auth import: no data supplied";
1058 mon->reply_command(op, -EINVAL, rs, get_last_committed());
1061 bufferlist::iterator iter = bl.begin();
1064 ::decode(keyring, iter);
1065 } catch (const buffer::error &ex) {
1066 ss << "error decoding keyring" << " " << ex.what();
1070 err = import_keyring(keyring);
1072 ss << "auth import: no caps supplied";
1074 mon->reply_command(op, -EINVAL, rs, get_last_committed());
1077 ss << "imported keyring";
1080 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs,
1081 get_last_committed() + 1));
1083 } else if (prefix == "auth add" && !entity_name.empty()) {
1084 /* expected behavior:
1085 * - if command reproduces current state, return 0.
1086 * - if command adds brand new entity, handle it.
1087 * - if command adds new state to existing entity, return error.
1089 KeyServerData::Incremental auth_inc;
1090 auth_inc.name = entity;
1091 bufferlist bl = m->get_data();
1092 bool has_keyring = (bl.length() > 0);
1093 map<string,bufferlist> new_caps;
1095 KeyRing new_keyring;
1097 bufferlist::iterator iter = bl.begin();
1099 ::decode(new_keyring, iter);
1100 } catch (const buffer::error &ex) {
1101 ss << "error decoding keyring";
1107 // are we about to have it?
1108 if (entity_is_pending(entity)) {
1109 wait_for_finished_proposal(op,
1110 new Monitor::C_Command(mon, op, 0, rs, get_last_committed() + 1));
1114 // build new caps from provided arguments (if available)
1115 for (vector<string>::iterator it = caps_vec.begin();
1116 it != caps_vec.end() && (it + 1) != caps_vec.end();
1120 ::encode(*(it+1), cap);
1121 new_caps[sys] = cap;
1124 // pull info out of provided keyring
1127 if (!new_keyring.get_auth(auth_inc.name, new_inc)) {
1128 ss << "key for " << auth_inc.name
1129 << " not found in provided keyring";
1133 if (!new_caps.empty() && !new_inc.caps.empty()) {
1134 ss << "caps cannot be specified both in keyring and in command";
1138 if (new_caps.empty()) {
1139 new_caps = new_inc.caps;
1143 err = exists_and_matches_entity(auth_inc.name, new_inc,
1144 new_caps, has_keyring, ss);
1145 // if entity/key/caps do not exist in the keyring, just fall through
1146 // and add the entity; otherwise, make sure everything matches (in
1147 // which case it's a no-op), because if not we must fail.
1148 if (err != -ENOENT) {
1160 dout(10) << "AuthMonitor::prepare_command generating random key for "
1161 << auth_inc.name << dendl;
1162 new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES);
1164 new_inc.caps = new_caps;
1166 err = add_entity(auth_inc.name, new_inc);
1169 ss << "added key for " << auth_inc.name;
1171 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs,
1172 get_last_committed() + 1));
1174 } else if ((prefix == "auth get-or-create-key" ||
1175 prefix == "auth get-or-create") &&
1176 !entity_name.empty()) {
1177 // auth get-or-create <name> [mon osdcapa osd osdcapb ...]
1179 if (!valid_caps(caps_vec, &ss)) {
1184 // Parse the list of caps into a map
1185 std::map<std::string, bufferlist> wanted_caps;
1186 for (vector<string>::const_iterator it = caps_vec.begin();
1187 it != caps_vec.end() && (it + 1) != caps_vec.end();
1189 const std::string &sys = *it;
1191 ::encode(*(it+1), cap);
1192 wanted_caps[sys] = cap;
1196 EntityAuth entity_auth;
1197 if (mon->key_server.get_auth(entity, entity_auth)) {
1198 for (const auto &sys_cap : wanted_caps) {
1199 if (entity_auth.caps.count(sys_cap.first) == 0 ||
1200 !entity_auth.caps[sys_cap.first].contents_equal(sys_cap.second)) {
1201 ss << "key for " << entity << " exists but cap " << sys_cap.first
1202 << " does not match";
1208 if (prefix == "auth get-or-create-key") {
1210 entity_auth.key.encode_formatted("auth", f.get(), rdata);
1212 ds << entity_auth.key;
1216 kr.add(entity, entity_auth.key);
1218 kr.set_caps(entity, entity_auth.caps);
1219 kr.encode_formatted("auth", f.get(), rdata);
1221 kr.encode_plaintext(rdata);
1228 // ...or are we about to?
1229 for (vector<Incremental>::iterator p = pending_auth.begin();
1230 p != pending_auth.end();
1232 if (p->inc_type == AUTH_DATA) {
1233 KeyServerData::Incremental auth_inc;
1234 bufferlist::iterator q = p->auth_data.begin();
1235 ::decode(auth_inc, q);
1236 if (auth_inc.op == KeyServerData::AUTH_INC_ADD &&
1237 auth_inc.name == entity) {
1238 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs,
1239 get_last_committed() + 1));
1246 KeyServerData::Incremental auth_inc;
1247 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1248 auth_inc.name = entity;
1249 auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
1250 auth_inc.auth.caps = wanted_caps;
1252 push_cephx_inc(auth_inc);
1254 if (prefix == "auth get-or-create-key") {
1256 auth_inc.auth.key.encode_formatted("auth", f.get(), rdata);
1258 ds << auth_inc.auth.key;
1262 kr.add(entity, auth_inc.auth.key);
1264 kr.set_caps(entity, wanted_caps);
1265 kr.encode_formatted("auth", f.get(), rdata);
1267 kr.encode_plaintext(rdata);
1273 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs, rdata,
1274 get_last_committed() + 1));
1276 } else if (prefix == "fs authorize") {
1278 cmd_getval(g_ceph_context, cmdmap, "filesystem", filesystem);
1279 string mds_cap_string, osd_cap_string;
1280 string osd_cap_wanted = "r";
1282 for (auto it = caps_vec.begin();
1283 it != caps_vec.end() && (it + 1) != caps_vec.end();
1285 const string &path = *it;
1286 const string &cap = *(it+1);
1287 if (cap != "r" && cap != "rw" && cap != "rwp") {
1288 ss << "Only 'r', 'rw', and 'rwp' permissions are allowed for filesystems.";
1292 if (cap.find('w') != string::npos) {
1293 osd_cap_wanted = "rw";
1296 mds_cap_string += mds_cap_string.empty() ? "" : ", ";
1297 mds_cap_string += "allow " + cap;
1299 mds_cap_string += " path=" + path;
1303 auto fs = mon->mdsmon()->get_fsmap().get_filesystem(filesystem);
1305 ss << "filesystem " << filesystem << " does not exist.";
1310 auto data_pools = fs->mds_map.get_data_pools();
1311 for (auto p : data_pools) {
1312 const string &pool_name = mon->osdmon()->osdmap.get_pool_name(p);
1313 osd_cap_string += osd_cap_string.empty() ? "" : ", ";
1314 osd_cap_string += "allow " + osd_cap_wanted + " pool=" + pool_name;
1317 std::map<string, bufferlist> wanted_caps = {
1318 { "mon", _encode_cap("allow r") },
1319 { "osd", _encode_cap(osd_cap_string) },
1320 { "mds", _encode_cap(mds_cap_string) }
1323 EntityAuth entity_auth;
1324 if (mon->key_server.get_auth(entity, entity_auth)) {
1325 for (const auto &sys_cap : wanted_caps) {
1326 if (entity_auth.caps.count(sys_cap.first) == 0 ||
1327 !entity_auth.caps[sys_cap.first].contents_equal(sys_cap.second)) {
1328 ss << "key for " << entity << " exists but cap " << sys_cap.first
1329 << " does not match";
1336 kr.add(entity, entity_auth.key);
1338 kr.set_caps(entity, entity_auth.caps);
1339 kr.encode_formatted("auth", f.get(), rdata);
1341 kr.encode_plaintext(rdata);
1347 KeyServerData::Incremental auth_inc;
1348 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1349 auth_inc.name = entity;
1350 auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
1351 auth_inc.auth.caps = wanted_caps;
1353 push_cephx_inc(auth_inc);
1355 kr.add(entity, auth_inc.auth.key);
1357 kr.set_caps(entity, wanted_caps);
1358 kr.encode_formatted("auth", f.get(), rdata);
1360 kr.encode_plaintext(rdata);
1365 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs, rdata,
1366 get_last_committed() + 1));
1368 } else if (prefix == "auth caps" && !entity_name.empty()) {
1369 KeyServerData::Incremental auth_inc;
1370 auth_inc.name = entity;
1371 if (!mon->key_server.get_auth(auth_inc.name, auth_inc.auth)) {
1372 ss << "couldn't find entry " << auth_inc.name;
1377 if (!valid_caps(caps_vec, &ss)) {
1382 map<string,bufferlist> newcaps;
1383 for (vector<string>::iterator it = caps_vec.begin();
1384 it != caps_vec.end(); it += 2)
1385 ::encode(*(it+1), newcaps[*it]);
1387 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1388 auth_inc.auth.caps = newcaps;
1389 push_cephx_inc(auth_inc);
1391 ss << "updated caps for " << auth_inc.name;
1393 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs,
1394 get_last_committed() + 1));
1396 } else if ((prefix == "auth del" || prefix == "auth rm") &&
1397 !entity_name.empty()) {
1398 KeyServerData::Incremental auth_inc;
1399 auth_inc.name = entity;
1400 if (!mon->key_server.contains(auth_inc.name)) {
1401 ss << "entity " << entity << " does not exist";
1405 auth_inc.op = KeyServerData::AUTH_INC_DEL;
1406 push_cephx_inc(auth_inc);
1410 wait_for_finished_proposal(op, new Monitor::C_Command(mon, op, 0, rs,
1411 get_last_committed() + 1));
1416 getline(ss, rs, '\0');
1417 mon->reply_command(op, err, rs, rdata, get_last_committed());
1421 bool AuthMonitor::prepare_global_id(MonOpRequestRef op)
1423 dout(10) << "AuthMonitor::prepare_global_id" << dendl;
1424 increase_max_global_id();
1429 void AuthMonitor::upgrade_format()
1431 unsigned int current = 2;
1432 if (!mon->get_quorum_mon_features().contains_all(
1433 ceph::features::mon::FEATURE_LUMINOUS)) {
1436 if (format_version >= current) {
1437 dout(20) << __func__ << " format " << format_version << " is current" << dendl;
1441 bool changed = false;
1442 if (format_version == 0) {
1443 dout(1) << __func__ << " upgrading from format 0 to 1" << dendl;
1444 map<EntityName, EntityAuth>::iterator p;
1445 for (p = mon->key_server.secrets_begin();
1446 p != mon->key_server.secrets_end();
1448 // grab mon caps, if any
1450 if (p->second.caps.count("mon") == 0)
1453 bufferlist::iterator it = p->second.caps["mon"].begin();
1454 ::decode(mon_caps, it);
1456 catch (buffer::error) {
1457 dout(10) << __func__ << " unable to parse mon cap for "
1458 << p->first << dendl;
1462 string n = p->first.to_str();
1465 // set daemon profiles
1466 if ((p->first.is_osd() || p->first.is_mds()) &&
1467 mon_caps == "allow rwx") {
1468 new_caps = string("allow profile ") + string(p->first.get_type_name());
1471 // update bootstrap keys
1472 if (n == "client.bootstrap-osd") {
1473 new_caps = "allow profile bootstrap-osd";
1475 if (n == "client.bootstrap-mds") {
1476 new_caps = "allow profile bootstrap-mds";
1479 if (new_caps.length() > 0) {
1480 dout(5) << __func__ << " updating " << p->first << " mon cap from "
1481 << mon_caps << " to " << new_caps << dendl;
1484 ::encode(new_caps, bl);
1486 KeyServerData::Incremental auth_inc;
1487 auth_inc.name = p->first;
1488 auth_inc.auth = p->second;
1489 auth_inc.auth.caps["mon"] = bl;
1490 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1491 push_cephx_inc(auth_inc);
1497 if (format_version == 1) {
1498 dout(1) << __func__ << " upgrading from format 1 to 2" << dendl;
1499 map<EntityName, EntityAuth>::iterator p;
1500 for (p = mon->key_server.secrets_begin();
1501 p != mon->key_server.secrets_end();
1503 string n = p->first.to_str();
1506 if (n == "client.admin") {
1507 // admin gets it all
1509 } else if (n.find("osd.") == 0 ||
1510 n.find("mds.") == 0 ||
1511 n.find("mon.") == 0) {
1512 // daemons follow their profile
1513 string type = n.substr(0, 3);
1514 newcap = "allow profile " + type;
1515 } else if (p->second.caps.count("mon")) {
1516 // if there are any mon caps, give them 'r' mgr caps
1520 if (newcap.length() > 0) {
1521 dout(5) << " giving " << n << " mgr '" << newcap << "'" << dendl;
1523 ::encode(newcap, bl);
1525 KeyServerData::Incremental auth_inc;
1526 auth_inc.name = p->first;
1527 auth_inc.auth = p->second;
1528 auth_inc.auth.caps["mgr"] = bl;
1529 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1530 push_cephx_inc(auth_inc);
1533 if (n.find("mgr.") == 0 &&
1534 p->second.caps.count("mon")) {
1535 // the kraken ceph-mgr@.service set the mon cap to 'allow *'.
1536 auto blp = p->second.caps["mon"].begin();
1538 ::decode(oldcaps, blp);
1539 if (oldcaps == "allow *") {
1540 dout(5) << " fixing " << n << " mon cap to 'allow profile mgr'"
1543 ::encode("allow profile mgr", bl);
1544 KeyServerData::Incremental auth_inc;
1545 auth_inc.name = p->first;
1546 auth_inc.auth = p->second;
1547 auth_inc.auth.caps["mon"] = bl;
1548 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1549 push_cephx_inc(auth_inc);
1554 // add bootstrap key if it does not already exist
1555 // (might have already been get-or-create'd by
1556 // ceph-create-keys)
1557 EntityName bootstrap_mgr_name;
1558 int r = bootstrap_mgr_name.from_str("client.bootstrap-mgr");
1560 if (!mon->key_server.contains(bootstrap_mgr_name)) {
1561 KeyServerData::Incremental auth_inc;
1562 auth_inc.name = bootstrap_mgr_name;
1563 ::encode("allow profile bootstrap-mgr", auth_inc.auth.caps["mon"]);
1564 auth_inc.op = KeyServerData::AUTH_INC_ADD;
1566 auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
1567 push_cephx_inc(auth_inc);
1574 dout(10) << __func__ << " proposing update from format " << format_version
1575 << " -> " << current << dendl;
1576 format_version = current;
1581 void AuthMonitor::dump_info(Formatter *f)
1583 /*** WARNING: do not include any privileged information here! ***/
1584 f->open_object_section("auth");
1585 f->dump_unsigned("first_committed", get_first_committed());
1586 f->dump_unsigned("last_committed", get_last_committed());
1587 f->dump_unsigned("num_secrets", mon->key_server.get_num_secrets());