Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth/cephx: cap ticket validity by expiration of "next" key #40870

Merged
merged 3 commits into from Apr 16, 2021
Merged

auth/cephx: cap ticket validity by expiration of "next" key #40870

merged 3 commits into from Apr 16, 2021

Conversation

idryomov
Copy link
Contributor

No description provided.

@idryomov
auth/cephx: drop redundant KeyServerData::get_service_secret() overload
3078af7 
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
@idryomov idryomov requested a review from liewegas April 15, 2021 09:26
@idryomov
auth/cephx: cap ticket validity by expiration of "next" key
370c9b1 
If auth_mon_ticket_ttl is increased by several times as done in
commit 522a52e ("auth/cephx: rotate auth tickets less often"),
active clients eventually get stuck because the monitor sends out an
auth ticket with a bogus validity.  The ticket is secured with the
"current" secret that is scheduled to expire according to the old TTL,
but the validity of the ticket is set to the new TTL.  As a result,
the client simply doesn't attempt to renew, letting the secrets rotate
potentially more than once.  When that happens, the client first hits
auth authorizer errors as it tries to renew service tickets and when
it finally gets to renewing the auth ticket, it hits the insecure
global_id reclaim wall.

Cap TTL by expiration of "next" key -- the "current" key may be
milliseconds away from expiration and still be used, legitimately.
Do it in KeyServerData alongside key rotation code and propagate the
capped TTL to the upper layer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
@idryomov idryomov changed the title auth/cephx: cap ticket validity by expiration on "next" key auth/cephx: cap ticket validity by expiration of "next" key Apr 15, 2021
@epuertat
Copy link
Member

jenkins test api

@idryomov
auth/cephx: make KeyServer::build_session_auth_info() less confusing
6f12cd3 
The second KeyServer::build_session_auth_info() overload is used only
by the monitor, for mon <-> mon authentication.  The monitor passes in
service_secret (mon secret) and secret_id (-1).  The TTL is irrelevant
because there is no rotation.

However the signature doesn't make it obvious.  Clarify that
service_secret and secret_id are input parameters and info is the only
output parameter.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
@tchaikov
Copy link
Contributor

jenkins test api

@liewegas liewegas merged commit 4cfc002 into ceph:master Apr 16, 2021
@idryomov idryomov deleted the wip-cap-validity branch April 16, 2021 15:26
@idryomov
Copy link
Contributor Author

Cherry-picked to nautilus, octopus and pacific:

4a484de
90df5e6
ef44fe1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liewegas liewegas liewegas approved these changes

Assignees
No one assigned
Labels
bug-fix core mon wip-sage-testing
Projects
None yet
Milestone
No milestone
4 participants
@idryomov @epuertat @tchaikov @liewegas