rgw: mfa support #19283
Conversation
yehudasa commented Dec 1, 2017 (edited)
- otp object class implementation
- rgw support for S3 mfa api
- rgw otp metadata provider to allow sync of otp data across zones
- sync token due to time skew
- support hex and base32 seeds
initial review of the cls bits
src/cls/otp/cls_otp.cc
Outdated
int result = oath_hex2bin(otp.seed.c_str(), secret, &slen);
if (result != OATH_OK) {
  CLS_LOG(20, "failed to parse seed");
  return result;
return false here - the conversion from int->bool would return true when result != OATH_OK
src/cls/otp/cls_otp.cc
Outdated
ceph::real_time now = real_clock::now();
trim_expired(now);

for (auto entry : boost::adaptors::reverse(last_checks)) {
prefer auto& in ranged-for loops to avoid copying each element
struct cls_otp_set_otp_op
{
  list<rados::cls::otp::otp_info_t> entries;
is there any reason to choose list over vector for any of these?
@cbodley only iterating over it, never access entries via index. list.size() should be O(1) in c++11 (and it is in all relevant implementations).
i worry about the complexity of allocations though, where list is linear and vector is logarithmic
@cbodley it's pretty moot as the number of entries expected to be here are somewhere between zero and one, but I can change it to vector if you really insist.
src/cls/otp/cls_otp.cc
Outdated
bufferlist bl;
string key = otp_key_prefix + id;

int r = cls_cxx_map_get_val(hctx, key.c_str(), &bl);
the cls_cxx_ apis all take std::string - so these are converting to const char* and back again
src/cls/otp/cls_otp_ops.h
Outdated
{
  list<rados::cls::otp::otp_info_t> entries;

  cls_otp_set_otp_op() = default;
the compiler will generate this for you "if no other constructor is explicitly declared" - https://en.wikipedia.org/wiki/Special_member_functions
src/cls/otp/cls_otp.cc
Outdated

void otp_instance::trim_expired(const ceph::real_time& now)
{
  ceph::real_time window_start = now - make_timespan(otp.step_size);
make_timespan() takes a double, so this does an extra conversion. std::chrono::seconds(otp.step_size) may be more concise here?
looking good 👍 do you have plans to add some test coverage?
@cbodley yes, although it's not clear to me which tool is the best one. Requires functional tests intermixed with admin stuff.
CMakeLists.txt
Outdated
@@ -368,6 +368,8 @@ if(WITH_RADOSGW) | |||
endif() | |||
endif(WITH_RADOSGW) | |||
|
|||
find_package(liboath REQUIRED) |
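Review bot: `find_package(liboath REQUIRED)` is placed after `endif(WITH_RADOSGW)`, so the hard requirement applies to every configuration, including builds with radosgw disabled that never use the OTP object class; if liboath is only needed for rgw, move the call inside the `if(WITH_RADOSGW)` block so non-rgw builds do not fail on a missing library.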
i'm guessing that we'll also need to express this dependency in install-deps.sh and the rpm/deb builds as well?
force-pushed from 3e14ca6 to 2a64c83
                           1,
                           nullptr,
                           pins[1].c_str());
if (rc != OATH_INVALID_OTP) {
from the oath reference manual on oath_totp_validate2:
Returns absolute value of position in OTP window (zero is first position), or OATH_INVALID_OTP if no OTP was found in OTP window, or an error code.
shouldn't this check for other errors codes as well?
and is there something we can do with the position it returns on success to calculate a more accurate offset?
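Added example, not code from this PR or from liboath: a minimal Python TOTP implementation that makes the points in the review above concrete. It searches a window and keeps the signed step position (the quoted manual text says oath_totp_validate2's return value is the absolute position), recovers a token's time skew from two consecutive pins as the PR's resync command does, and decodes hex or base32 seeds. Function and parameter names and the nearest-first search order are my own assumptions, not liboath's behaviour.

```python
import base64, hashlib, hmac, struct

def decode_seed(seed: str) -> bytes:
    """Hex or base32 seed (the PR supports both); hex is tried first.
    A seed using only characters valid in both alphabets is ambiguous."""
    try:
        return bytes.fromhex(seed)
    except ValueError:
        return base64.b32decode(seed.upper() + "=" * (-len(seed) % 8))

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, now // step, digits)

def validate(secret, pin, now, window, step=30, digits=6, skew=0):
    """Search counters (now//step + skew) +/- window, nearest first (assumed order).
    Returns the *signed* step position of the match (0 = current step) or
    None. The manual text quoted above says oath_totp_validate2 returns the
    absolute position, so the sign needed for a skew estimate is lost there."""
    base = now // step + skew
    for pos in range(window + 1):
        for sign in ((1,) if pos == 0 else (1, -1)):
            if hmac.compare_digest(hotp(secret, base + sign * pos, digits), pin):
                return sign * pos
    return None

def resync(secret, pin1, pin2, now, window=100, step=30, digits=6):
    """Clock skew in steps from two consecutive pins, the idea behind the
    'mfa resync --totp-pin=<pin1> --totp-pin=<pin2>' command in this PR:
    find the delta at which pin1 and pin2 fall on adjacent steps."""
    base = now // step
    for delta in range(-window, window + 1):
        if (hmac.compare_digest(hotp(secret, base + delta, digits), pin1)
                and hmac.compare_digest(hotp(secret, base + delta + 1, digits), pin2)):
            return delta
    return None
```

The skew returned by resync is what a later validate call would pass as `skew`, so a token that drifted several steps keeps working without widening the window.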
if (totp_pin.size() != 2) {
  cerr << "ERROR: missing two --totp-pin params (--totp-pin=<first> --totp-pin=<second>)" << std::endl;
}
missing a return EINVAL? this would hit an assert in scan_totp()
@@ -6203,7 +6295,7 @@ int main(int argc, const char **argv) | |||
cerr << "ERROR: failed to read input: " << cpp_strerror(-ret) << std::endl; | |||
return -ret; | |||
} | |||
ret = store->meta_mgr->put(metadata_key, bl, RGWMetadataHandler::APPLY_ALWAYS); | |||
ret = store->meta_mgr->put(metadata_key, bl, RGWMetadataHandler::RGWMetadataHandler::APPLY_ALWAYS); |
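Review bot: the only change in this hunk turns `RGWMetadataHandler::APPLY_ALWAYS` into `RGWMetadataHandler::RGWMetadataHandler::APPLY_ALWAYS`, a doubled qualifier that is redundant (it compiles only because of the injected class name) and looks like an accidental edit rather than something the MFA work needs; revert this line so the metadata put stays as it was.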
^ this doesn't look right
@yehudasa can you please add some user docs to show how to set this up?
force-pushed from b5dbc4c to f4b832b
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Currently checking for bogus results, still need to integrate with totp library. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
To allow transparent multisite sync Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Update header even if it might have existed. If running within a compound op we might not identify it correctly. Also don't use omap header api. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Still not there yet. Need to tie into objv_tracker, and metadata log tooling. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
still need to have the radosgw-admin mfa tools to go through meta instrumentation. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
Unlike the regular user and bucket metadata that are plain raw rados objects, the otp info is controlled by object class operations. The metadata manager mutate operation will deal with the metadata related work that is needed to happen (objv_tracker, update meta log), and call to the operation that modifies the otp info. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
$ radosgw-admin mfa resync --uid=<uid> --totp=serial=<serial> \
    --totp-pin=<pin1> --totp-pin=<pin2>
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
add a new method to the otp objclass that returns the current time. Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>