auth/cephx: cap ticket validity by expiration of "next" key #40870

Merged
merged 3 commits into from Apr 16, 2021

Commits on Apr 15, 2021

  1. auth/cephx: drop redundant KeyServerData::get_service_secret() overload

    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    idryomov committed Apr 15, 2021
    3078af7
  2. auth/cephx: cap ticket validity by expiration of "next" key

    If auth_mon_ticket_ttl is increased by several times as done in
    commit 522a52e ("auth/cephx: rotate auth tickets less often"),
    active clients eventually get stuck because the monitor sends out an
    auth ticket with a bogus validity.  The ticket is secured with the
    "current" secret that is scheduled to expire according to the old TTL,
    but the validity of the ticket is set to the new TTL.  As a result,
    the client simply doesn't attempt to renew, letting the secrets rotate
    potentially more than once.  When that happens, the client first hits
    auth authorizer errors as it tries to renew service tickets and when
    it finally gets to renewing the auth ticket, it hits the insecure
    global_id reclaim wall.
    
    Cap TTL by expiration of "next" key -- the "current" key may be
    milliseconds away from expiration and still be used, legitimately.
    Do it in KeyServerData alongside key rotation code and propagate the
    capped TTL to the upper layer.
    
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    idryomov committed Apr 15, 2021
    370c9b1
  3. auth/cephx: make KeyServer::build_session_auth_info() less confusing

    The second KeyServer::build_session_auth_info() overload is used only
    by the monitor, for mon <-> mon authentication.  The monitor passes in
    service_secret (mon secret) and secret_id (-1).  The TTL is irrelevant
    because there is no rotation.
    
    However the signature doesn't make it obvious.  Clarify that
    service_secret and secret_id are input parameters and info is the only
    output parameter.
    
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    idryomov committed Apr 15, 2021
    6f12cd3
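
The capping rule described in the second commit message, as an added example: this is a simplified model written for this page, not code from the Ceph tree. The names `Secrets`, `uncapped_validity`, `capped_validity` and `outlives_keys`, and all numeric values, are assumptions made for illustration.

```cpp
// Added illustration: a simplified model of the capping rule, not Ceph's code.
#include <algorithm>
#include <cstdio>

struct Key { double expires; };            // absolute expiration time, seconds
struct Secrets { Key current, next; };     // hypothetical stand-in for the rotating keys

// Behaviour the commit message describes as broken: validity is the configured
// TTL, regardless of when the existing keys were scheduled to expire.
double uncapped_validity(const Secrets&, double /*now*/, double ttl) {
    return ttl;
}

// Capped behaviour: never promise more time than the "next" key has left.
// The "current" key is deliberately not the bound, since it may be about to
// expire while still being used legitimately.
double capped_validity(const Secrets& s, double now, double ttl) {
    return std::max(0.0, std::min(ttl, s.next.expires - now));
}

// Model assumption: a ticket whose validity runs past the expiration of "next"
// outlives the rotation schedule, so the client would not renew in time.
bool outlives_keys(const Secrets& s, double now, double validity) {
    return now + validity > s.next.expires;
}

int main() {
    // Constructed numbers: keys were scheduled under an old TTL of 100 s,
    // then the configured TTL was raised to 600 s.
    Secrets s{{100.0}, {200.0}};
    double now = 90.0, new_ttl = 600.0;
    double before = uncapped_validity(s, now, new_ttl);
    double after = capped_validity(s, now, new_ttl);
    std::printf("uncapped: %.0f s, outlives keys: %d\n",
                before, outlives_keys(s, now, before));
    std::printf("capped:   %.0f s, outlives keys: %d\n",
                after, outlives_keys(s, now, after));
    return 0;
}
```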