rgw: mfa support #19283
rgw: mfa support #19283
Conversation
yehudasa
commented
Dec 1, 2017
•
yehudasa
commented
- otp object class implementation
- rgw support for S3 mfa api
- rgw otp metadata provider to allow sync of otp data across zones
- sync token due to time skew
- support hex and base32 seeds
src/cls/otp/cls_otp.cc
Outdated
| int result = oath_hex2bin(otp.seed.c_str(), secret, &slen); | ||
| if (result != OATH_OK) { | ||
| CLS_LOG(20, "failed to parse seed"); | ||
| return result; |
There was a problem hiding this comment.
return false here - the conversion from int->bool would return true when result != OATH_OK
src/cls/otp/cls_otp.cc
Outdated
| ceph::real_time now = real_clock::now(); | ||
| trim_expired(now); | ||
|
|
||
| for (auto entry : boost::adaptors::reverse(last_checks)) { |
There was a problem hiding this comment.
prefer auto& in ranged-for loops to avoid copying each element
|
|
||
| struct cls_otp_set_otp_op | ||
| { | ||
| list<rados::cls::otp::otp_info_t> entries; |
There was a problem hiding this comment.
is there any reason to choose list over vector for any of these?
There was a problem hiding this comment.
@cbodley only iterating over it, never access entries via index. list.size() should be O(1) in c++11 (and it is in all relevant implementations).
There was a problem hiding this comment.
i worry about the complexity of allocations though, where list is linear and vector is logarithmic
There was a problem hiding this comment.
@cbodley it's pretty moot as the number of entries expected to be here are somewhere between zero and one, but I can change it to vector if you really insist.
src/cls/otp/cls_otp.cc
Outdated
| bufferlist bl; | ||
| string key = otp_key_prefix + id; | ||
|
|
||
| int r = cls_cxx_map_get_val(hctx, key.c_str(), &bl); |
There was a problem hiding this comment.
the cls_cxx_ apis all take std::string - so these are converting to const char* and back again
src/cls/otp/cls_otp_ops.h
Outdated
| { | ||
| list<rados::cls::otp::otp_info_t> entries; | ||
|
|
||
| cls_otp_set_otp_op() = default; |
There was a problem hiding this comment.
the compiler will generate this for you "if no other constructor is explicitly declared" - https://en.wikipedia.org/wiki/Special_member_functions
src/cls/otp/cls_otp.cc
Outdated
|
|
||
| void otp_instance::trim_expired(const ceph::real_time& now) | ||
| { | ||
| ceph::real_time window_start = now - make_timespan(otp.step_size); |
There was a problem hiding this comment.
make_timespan() takes a double, so this does an extra conversion. std::chrono::seconds(otp.step_size) may be more concise here?
|
looking good 👍 do you have plans to add some test coverage? |
|
@cbodley yes, although it's not clear to me which tool is the best one. Requires functional tests intermixed with admin stuff. |
CMakeLists.txt
Outdated
| @@ -368,6 +368,8 @@ if(WITH_RADOSGW) | |||
| endif() | |||
| endif(WITH_RADOSGW) | |||
|
|
|||
| find_package(liboath REQUIRED) | |||
There was a problem hiding this comment.
i'm guessing that we'll also need to express this dependency in install-deps.sh and the rpm/deb builds as well?
yehudasa
force-pushed
the
wip-rgw-mfa
branch
3 times, most recently
from
3e14ca6
to
2a64c83
Compare
| 1, | ||
| nullptr, | ||
| pins[1].c_str()); | ||
| if (rc != OATH_INVALID_OTP) { |
There was a problem hiding this comment.
from the oath reference manual on oath_totp_validate2:
Returns absolute value of position in OTP window (zero is first position), or OATH_INVALID_OTP if no OTP was found in OTP window, or an error code.
shouldn't this check for other errors codes as well?
and is there something we can do with the position it returns on success to calculate a more accurate offset?
|
|
||
| if (totp_pin.size() != 2) { | ||
| cerr << "ERROR: missing two --totp-pin params (--totp-pin=<first> --totp-pin=<second>)" << std::endl; | ||
| } |
There was a problem hiding this comment.
missing a return EINVAL? this would hit an assert in scan_totp()
| @@ -6203,7 +6295,7 @@ int main(int argc, const char **argv) | |||
| cerr << "ERROR: failed to read input: " << cpp_strerror(-ret) << std::endl; | |||
| return -ret; | |||
| } | |||
| ret = store->meta_mgr->put(metadata_key, bl, RGWMetadataHandler::APPLY_ALWAYS); | |||
| ret = store->meta_mgr->put(metadata_key, bl, RGWMetadataHandler::RGWMetadataHandler::APPLY_ALWAYS); | |||
|
@yehudasa can you please add some user docs to show how to set this up? |
yehudasa
force-pushed
the
wip-rgw-mfa
branch
4 times, most recently
from
b5dbc4c
to
f4b832b
Compare
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Currently checking for bogus results, still need to integrate with totp library. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
To allow transparent multisite sync Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Update header even if it might have existed. If running within a compound op we might not identify it correctly. Also don't use omap header api. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Still not there yet. Need to tie into objv_tracker, and metadata log tooling. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
still need to have the radosgw-admin mfa tools to go through meta instrumentation. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Unlike the regular user and bucket metadata that are plain raw rados objects, the otp info is controlled by object class operations. The metadata manager mutate operation will deal with the metadata related work that is needed to happen (objv_tracker, update meta log), and call to the operation that modifies the otp info. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
$ radosgw-admin mfa resync --uid=<uid> --totp=serial=<serial> \
--totp-pin=<pin1> --totp-pin=<pin2>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
add a new method to the otp objclass that returns the current time. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
