Merge PR ceph#58121 into main

batrick · batrick · commit 0efe88dd5d3d · 2024-06-23T14:32:00.000-04:00
* refs/pull/58121/head:
	doc: add documentation for `ceph auth rotate`
	PendingReleaseNotes: add note for new `auth rotate`
	qa: test `auth rotate`
	mon/AuthMonitor: add `ceph auth rotate` command

Reviewed-by: Radoslaw Zarzynski &lt;rzarzyns@redhat.com&gt;
diff --git a/PendingReleaseNotes b/PendingReleaseNotes
@@ -1,5 +1,7 @@
 >=19.0.0
 
+* cephx: key rotation is now possible using `ceph auth rotate`. Previously,
+  this was only possible by deleting and then recreating the key.
 * ceph: a new --daemon-output-file switch is available for `ceph tell` commands
   to dump output to a file local to the daemon. For commands which produce
   large amounts of output, this avoids a potential spike in memory usage on the
diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst
@@ -744,6 +744,20 @@ You may also :ref:`Modify user capabilities<modify-user-capabilities>` directly
 results to a keyring file, and then import the keyring into your main
 ``ceph.keyring`` file.
 
+
+Key rotation
+------------
+
+To rotate the secret for an entity, use:
+
+.. prompt:: bash #
+
+    ceph auth rotate <entity>
+
+This avoids the need to delete and recreate the entity when its key is
+compromised, lost, or scheduled for rotation.
+
+
 Command Line Usage
 ==================
 
diff --git a/qa/workunits/cephtool/test.sh b/qa/workunits/cephtool/test.sh
@@ -609,6 +609,26 @@ function test_auth()
   ceph auth del client.xx
   expect_false ceph auth get client.xx
 
+  # test rotation
+  ceph auth get-or-create client.admin2 mon 'allow *'
+  ceph auth get client.admin2 >> keyring1
+  env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth get client.admin2 >> keyring2
+  # they are the same:
+  expect_true diff -au keyring1 keyring2
+  # rotate itself
+  env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth rotate client.admin2 >> keyring3
+  # only the key has changed:
+  diff -au keyring1 keyring3 | grep -E '^[-+][^-+]' | expect_false grep -v key
+  # the key in keyring1 no longer works:
+  expect_false env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth get client.admin2
+  # the key in keyring3 should work:
+  expect_true env CEPH_KEYRING=keyring3 ceph -n client.admin2 auth get client.admin2
+  # now verify the key from `auth get` matches what rotate produced:
+  expect_true ceph auth get client.admin2 >> keyring4
+  expect_true diff -au keyring3 keyring4
+  expect_true ceph auth rm client.admin2
+  rm keyring[1234]
+
   # (almost) interactive mode
   echo -e 'auth add client.xx mon "allow *" osd "allow *"\n' | ceph
   ceph auth get client.xx
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
@@ -858,6 +858,7 @@ bool AuthMonitor::preprocess_command(MonOpRequestRef op)
   string prefix;
   cmd_getval(cmdmap, "prefix", prefix);
   if (prefix == "auth add" ||
+      prefix == "auth rotate" ||
       prefix == "auth del" ||
       prefix == "auth rm" ||
       prefix == "auth get-or-create" ||
@@ -1825,6 +1826,32 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     wait_for_commit(op, new Monitor::C_Command(mon, op, 0, rs,
 					      get_last_committed() + 1));
     return true;
+  } else if (prefix == "auth rotate") {
+    if (entity_name.empty()) {
+      ss << "bad entity name";
+      err = -EINVAL;
+      goto done;
+    }
+
+    EntityAuth entity_auth;
+    if (!mon.key_server.get_auth(entity, entity_auth)) {
+      ss << "entity does not exist";
+      err = -ENOENT;
+      goto done;
+    }
+
+    entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+
+    KeyServerData::Incremental auth_inc;
+    auth_inc.op = KeyServerData::AUTH_INC_ADD;
+    auth_inc.name = entity;
+    auth_inc.auth = entity_auth;
+    push_cephx_inc(auth_inc);
+
+    _encode_auth(entity, entity_auth, rdata, f.get());
+    wait_for_commit(op, new Monitor::C_Command(mon, op, 0, rs, rdata,
+                                              get_last_committed() + 1));
+    return true;
   }
 done:
   rdata.append(ds);
diff --git a/src/mon/MonCommands.h b/src/mon/MonCommands.h
@@ -163,6 +163,10 @@ COMMAND("auth add "
 	"add auth info for <entity> from input file, or random key if no "
         "input is given, and/or any caps specified in the command",
 	"auth", "rwx")
+COMMAND("auth rotate "
+	"name=entity,type=CephString",
+	"rotate entity key",
+	"auth", "rwx")
 COMMAND("auth get-or-create-key "
 	"name=entity,type=CephString "
 	"name=caps,type=CephString,n=N,req=false",
