diff options
author | Sage Weil <sage@newdream.net> | 2010-02-02 19:25:35 -0500 |
---|---|---|
committer | Sage Weil <sage@newdream.net> | 2010-02-11 14:48:45 -0500 |
commit | ec0994e48ea2aebf62ff08376227f3a9ccf46262 (patch) | |
tree | fdfd595b36619507d25a6b06e14b86db0ee3849a /fs/ceph/auth_x.h | |
parent | 07c8739c521cb029d0f3549556aae2d304513978 (diff) |
ceph: add support for auth_x authentication protocol
The auth_x protocol implements support for a kerberos-like mutual
authentication infrastructure used by Ceph. We do not simply use vanilla
kerberos because of scalability and performance issues when dealing with
a large cluster of nodes providing a single logical service.
Auth_x provides mutual authentication of client and server and protects
against replay and man in the middle attacks. It does not encrypt
the full session over the wire, however, so data payload may still be
snooped.
Signed-off-by: Yehuda Sadeh <yehuda@hq.newdream.net>
Signed-off-by: Sage Weil <sage@newdream.net>
Diffstat (limited to 'fs/ceph/auth_x.h')
-rw-r--r-- | fs/ceph/auth_x.h | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/fs/ceph/auth_x.h b/fs/ceph/auth_x.h new file mode 100644 index 000000000000..ff6f8180e681 --- /dev/null +++ b/fs/ceph/auth_x.h | |||
@@ -0,0 +1,49 @@ | |||
1 | #ifndef _FS_CEPH_AUTH_X_H | ||
2 | #define _FS_CEPH_AUTH_X_H | ||
3 | |||
4 | #include <linux/rbtree.h> | ||
5 | |||
6 | #include "crypto.h" | ||
7 | #include "auth.h" | ||
8 | #include "auth_x_protocol.h" | ||
9 | |||
10 | /* | ||
11 | * Handle ticket for a single service. | ||
12 | */ | ||
13 | struct ceph_x_ticket_handler { | ||
14 | struct rb_node node; | ||
15 | unsigned service; | ||
16 | |||
17 | struct ceph_crypto_key session_key; | ||
18 | struct ceph_timespec validity; | ||
19 | |||
20 | u64 secret_id; | ||
21 | struct ceph_buffer *ticket_blob; | ||
22 | |||
23 | unsigned long renew_after, expires; | ||
24 | }; | ||
25 | |||
26 | |||
27 | struct ceph_x_authorizer { | ||
28 | struct ceph_buffer *buf; | ||
29 | unsigned service; | ||
30 | u64 nonce; | ||
31 | char reply_buf[128]; /* big enough for encrypted blob */ | ||
32 | }; | ||
33 | |||
34 | struct ceph_x_info { | ||
35 | struct ceph_crypto_key secret; | ||
36 | |||
37 | bool starting; | ||
38 | u64 server_challenge; | ||
39 | |||
40 | unsigned have_keys; | ||
41 | struct rb_root ticket_handlers; | ||
42 | |||
43 | struct ceph_x_authorizer auth_authorizer; | ||
44 | }; | ||
45 | |||
46 | extern int ceph_x_init(struct ceph_auth_client *ac); | ||
47 | |||
48 | #endif | ||
49 | |||