auth/cephx: cap ticket validity by expiration on "next" key
If auth_mon_ticket_ttl is increased by several times as done in commit 522a52e ("auth/cephx: rotate auth tickets less often"), active clients eventually get stuck because the monitor sends out an auth ticket with a bogus validity. The ticket is secured with the "current" secret that is scheduled to expire according to the old TTL, but the validity of the ticket is set to the new TTL. As a result, the client simply doesn't attempt to renew, letting the secrets rotate potentially more than once. When that happens, the client first hits auth authorizer errors as it tries to renew service tickets and when it finally gets to renewing the auth ticket, it hits the insecure global_id reclaim wall.

Cap TTL by expiration of "next" key -- the "current" key may be milliseconds away from expiration and still be used, legitimately. Do it in KeyServerData alongside key rotation code and propagate the capped TTL to the upper layer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Showing 3 changed files with 45 additions and 28 deletions.
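The failure mode the commit message describes can be modelled with a few lines of C++. The following is an added illustration, not Ceph's KeyServerData or cephx code: it assumes a two-secret "current"/"next" model, a renewal schedule where the client renews at a fixed fraction of the ticket's validity, and constructed times (secrets generated under a 1 h TTL, then the TTL raised to 4 h). All names (`RotatingSecret`, `SecretPair`, `capped_ticket_validity`, `renews_in_time`) are hypothetical.

```cpp
#include <algorithm>
#include <cstdio>

// Hypothetical model of a rotating service secret (added illustration,
// not Ceph's own data structures).
struct RotatingSecret {
    unsigned id;      // secret identifier
    double expires;   // absolute expiration time in seconds
};

// The monitor holds a "current" secret and a pre-generated "next" secret.
// When "current" expires, "next" takes its place and a fresh "next" is
// generated; by the time the original "next" has expired, two rotations
// have happened and the secret a ticket was issued under is gone.
struct SecretPair {
    RotatingSecret current;
    RotatingSecret next;
};

// Old behaviour: ticket validity is simply the configured TTL, regardless
// of when the secret that signed it will rotate away.
double uncapped_ticket_validity(double ttl, const SecretPair&, double /*now*/) {
    return ttl;
}

// Fixed behaviour: validity is capped by the expiration of the "next"
// secret. Capping by "current" would be too aggressive, since "current"
// may be moments from expiring and still be perfectly usable.
double capped_ticket_validity(double ttl, const SecretPair& keys, double now) {
    double until_next_expires = keys.next.expires - now;
    return std::min(ttl, until_next_expires);
}

// Assumption for this model: the client schedules renewal at a fixed
// fraction of the ticket's validity. Renewal succeeds only if it happens
// before the "next" secret has expired, i.e. before both secrets have
// rotated away and the monitor no longer recognises the ticket.
bool renews_in_time(double validity, const SecretPair& keys, double now,
                    double renew_fraction) {
    double renew_at = now + validity * renew_fraction;
    return renew_at <= keys.next.expires;
}

int main() {
    // Constructed scenario: secrets were generated under a 1 h TTL,
    // then auth_mon_ticket_ttl is raised to 4 h.
    const double now = 0.0;
    const double old_ttl = 3600.0;
    const double new_ttl = 4 * 3600.0;
    SecretPair keys{{1, now + old_ttl}, {2, now + 2 * old_ttl}};
    const double fraction = 0.75;

    double bogus = uncapped_ticket_validity(new_ttl, keys, now);
    double capped = capped_ticket_validity(new_ttl, keys, now);
    std::printf("uncapped validity %.0fs -> renews in time: %s\n", bogus,
                renews_in_time(bogus, keys, now, fraction) ? "yes" : "no");
    std::printf("capped validity   %.0fs -> renews in time: %s\n", capped,
                renews_in_time(capped, keys, now, fraction) ? "yes" : "no");
    return 0;
}
```

With the uncapped validity (14400 s) the modelled client would only try to renew at 10800 s, after the "next" secret expired at 7200 s, which is the "stuck client" the commit describes; with the cap the validity becomes 7200 s, renewal is scheduled at 5400 s, and the ticket is refreshed while the monitor still knows the secret it was issued under.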