-
Notifications
You must be signed in to change notification settings - Fork 6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rgw: add time skew check in function parse_v4_auth_header #19476
Conversation
src/rgw/rgw_auth_s3.cc
Outdated
@@ -408,6 +408,19 @@ static inline int parse_v4_auth_header(const req_info& info, /* in | |||
} | |||
date = d; | |||
|
|||
uint64_t req_sec = (uint64_t)internal_timegm(&t); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should be using new ceph::time primitives here; @adamemerson?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we should.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @mattbenjamin, thanks for your comments.
I copied "internal_timegm" from function parse_v4_query_string. Would you tell me what "new ceph::time" is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think the internal_timegm()
bit is fine. there is a common/ceph_time.h
header that's based on the std::chrono
library that could be used instead of the ceph_clock_now()
part. @adamemerson, do you see any advantages to using that here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cbodley I'd prefer we use that going forward.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @adamemerson @mattbenjamin @cbodley, do you mean change ceph_clock_now to ceph::real_clock::now?
hi @rzarzynski, @cbodley would you help to review this? Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cbodley All new code should use the new ceph_time.h stuff. Trying to migrate to it entirely is one of our Trello cards, I believe.
src/rgw/rgw_auth_s3.cc
Outdated
@@ -408,6 +408,19 @@ static inline int parse_v4_auth_header(const req_info& info, /* in | |||
} | |||
date = d; | |||
|
|||
uint64_t req_sec = (uint64_t)internal_timegm(&t); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we should.
As opposed to utime_t/ceph_clock_now() |
okay, no arguments there. just note that this block was copied from the v2 implementation, so we should probably move this logic into a helper function and fix both while we're at it. would you be willing to share some example code for @qrGitHub? since the resolution is currently in seconds, is |
Hi @adamemerson, would you be willing to share some example code? Thanks. |
Yes! Coarse real clock should be the one to use. |
As to timegm or internal_timegm, just use coarse_real_clock::from_time_t() to convert it to time point. |
0707006
to
4a819ce
Compare
Hi @cbodley @adamemerson would you help to review this? Thanks. |
src/rgw/rgw_auth_s3.cc
Outdated
auto req_tp = ceph::coarse_real_clock::from_time_t(internal_timegm(&t)); | ||
auto cur_tp = ceph::coarse_real_clock::now(); | ||
auto skew = std::chrono::duration_cast<std::chrono::seconds>(cur_tp - req_tp).count(); | ||
if (skew < -60*RGW_AUTH_GRACE_MINS || skew > 60*RGW_AUTH_GRACE_MINS) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's a std::chrono::abs()
in c++17 that can simplify this a bit:
constexpr auto grace = std::chrono::minutes{RGW_AUTH_GRACE_MINS};
if (std::chrono::abs(cur_tp - req_tp) > grace) {
src/rgw/rgw_auth_s3.cc
Outdated
if (skew < -60*RGW_AUTH_GRACE_MINS || skew > 60*RGW_AUTH_GRACE_MINS) { | ||
dout(10) << "NOTICE: request time skew too big." << dendl; | ||
dout(10) << "req_tp=" << ceph::coarse_real_clock::to_time_t(req_tp) << | ||
", cur_tp=" << ceph::coarse_real_clock::to_time_t(cur_tp) << dendl; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these duration types can be output directly with:
using ceph::operator<<;
dout(10) << "req_tp=" << req_tp << ", cur_tp=" << cur_tp << dendl;
* In auth v4 http header request, RGW doesn't check time skew, while AWS * does. Fixes: http://tracker.ceph.com/issues/22418 Signed-off-by: Bingyin Zhang <zhangbingyin@cloudin.cn>
4a819ce
to
b4e2f32
Compare
Hi @cbodley, would you help to review this? |
@qrGitHub @tchaikov certainly does; I'm pretty sure we're sourcing gcc-7and/or clang from some repo in our builders to accomplish that, e.g., https://askubuntu.com/questions/859256/how-to-install-gcc-7-or-clang-4-0 |
@qrGitHub please see https://github.com/ceph/ceph#build-prerequisites . |
Thanks @mattbenjamin @tchaikov, after install-deps.sh, my machine can build the latest code now. |
Hi @cbodley, can this be merged? Thanks. |
Fixes: http://tracker.ceph.com/issues/22418
Signed-off-by: Bingyin Zhang zhangbingyin@cloudin.cn