[pve-devel] r5354 - in pve-access-control/trunk: . PVE
svn-commits at proxmox.com
svn-commits at proxmox.com
Tue Jan 11 15:41:09 CET 2011
Author: dietmar
Date: 2011-01-11 15:41:09 +0100 (Tue, 11 Jan 2011)
New Revision: 5354
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/AccessControl.pm
pve-access-control/trunk/pveum
Log:
2011-01-11 root <root at maui.maurer-it.com>
* PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does
not work on the cluster filesystem, so I removed that code. Also
moved lock files to /var/lock/pve-manager (cluster filesystem does
not support locks - we need to do cluster wide locks later)
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-01-11 13:05:23 UTC (rev 5353)
+++ pve-access-control/trunk/ChangeLog 2011-01-11 14:41:09 UTC (rev 5354)
@@ -1,3 +1,10 @@
+2011-01-11 root <root at maui.maurer-it.com>
+
+ * PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does
+ not work on the cluster filesystem, so I removed that code. Also
+ moved lock files to /var/lock/pve-manager (cluster filesystem does
+ not support locks - we need to do cluster wide locks later)
+
2010-09-14 Proxmox Support Team <support at proxmox.com>
* PVE/API2/AccessControl.pm: moved from pve-manager
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-01-11 13:05:23 UTC (rev 5353)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-01-11 14:41:09 UTC (rev 5354)
@@ -14,29 +14,29 @@
use Data::Dumper; # fixme: remove
+# fixme: implement cluster wide locks
+
+my $lockdir = "/var/lock/pve-manager";
+mkdir $lockdir;
+
# $authdir must be writable by root only!
-my $authdir = "/etc/pve/auth";
my $confdir = "/etc/pve";
+my $authdir = "$confdir/priv";
+my $authprivkeyfn = "$authdir/authkey.key";
+my $authpubkeyfn = "$confdir/authkey.pub";
my $userconfigfile = "user.cfg";
my $userconfigpath = "$confdir/$userconfigfile";
-my $userconfiglock = "$confdir/.lock-$userconfigfile";
+my $userconfiglock = "$lockdir/.lock-$userconfigfile";
my $shadowconfigfile = "shadow.cfg";
my $shadowconfigpath = "$authdir/$shadowconfigfile";
-my $shadowconfiglock = "$authdir/.lock-$shadowconfigfile";
+my $shadowconfiglock = "$lockdir/.lock-$shadowconfigfile";
my $domainconfigfile = "domains.cfg";
my $domainconfigpath = "$authdir/$domainconfigfile";
-my $domainconfiglock = "$authdir/.lock-$domainconfigfile";
my $ticket_lifetime = 3600*2; # 2 hours
Crypt::OpenSSL::RSA->import_random_seed();
-
-register_file('authkeypub', "$authdir/authkey.pub",
- \&read_pubkey);
-register_file('authkeypriv', "$authdir/authkey.key",
- \&read_privkey);
-
register_file('usercfg', $userconfigpath,
\&parse_user_config, \&write_user_config);
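Review bot: The file-scope `mkdir $lockdir;` ignores failure and creates `/var/lock/pve-manager` with whatever mode the default umask yields; on systems where `/var/lock` is world-writable with the sticky bit, an unprivileged local user who creates that directory first owns it and can pre-place or symlink the `.lock-user.cfg` / `.lock-shadow.cfg` files that the lock helpers (their bodies are outside this hunk) will later open as root. Creating it restrictively and refusing to continue if it is not a root-owned directory closes that window, e.g. `mkdir($lockdir, 0700);` followed by `-d $lockdir && (stat $lockdir)[4] == 0 or die "lock dir '$lockdir' is not a root-owned directory\n";`. The `# fixme: implement cluster wide locks` marker would also be clearer if it said these locks are node-local, so concurrent edits of `user.cfg` from two nodes are not serialized, which is what the commit message implies.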
@@ -46,8 +46,19 @@
register_file('domaincfg', $domainconfigpath, \&parse_domains);
-sub auth_data_dir {
- return $authdir;
+sub cond_create_auth_key {
+
+ return if -f "$authprivkeyfn";
+
+ (-l "$confdir/local" ) || die "pve configuration filesystem not mounted\n";
+
+ mkdir $authdir || die "unable to create dir '$authdir' - $!\n";
+
+ my $cmd = "openssl genrsa -out '$authprivkeyfn' 2048";
+ run_command($cmd);
+
+ $cmd = "openssl rsa -in '$authprivkeyfn' -pubout -out '$authpubkeyfn'";
+ run_command($cmd)
}
sub lock_user_config {
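Review bot: `cond_create_auth_key` drops the `umask => 0177` that the removed pveum code passed when running `openssl genrsa`, so the mode of the freshly written `authkey.key` now depends on the calling process's umask (and on whether the installed openssl restricts the file itself) instead of being forced to owner-only; restoring `run_command($cmd, umask => 0177);` for the key generation and `run_command($cmd, umask => 0133);` for the `-pubout` step keeps the private key's permissions explicit. Separately, `mkdir $authdir || die ...` parses as `mkdir($authdir || die ...)` because `||` binds tighter than the list operator, so that die can never fire and a failed mkdir is silently ignored before openssl tries to write into the directory; `mkdir($authdir) || -d $authdir || die "unable to create dir '$authdir' - $!\n";` fails loudly and also tolerates the directory already existing. The trailing `run_command($cmd)` is missing its `;`, which is legal as the last statement but will bite the next person who appends a line.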
@@ -74,26 +85,34 @@
}
}
-sub read_pubkey {
- my ($filename, $fh) = @_;
-
- my $input = PVE::Tools::safe_read_from($fh);
+my $pve_auth_pub_key;
+sub get_pubkey {
- return Crypt::OpenSSL::RSA->new_public_key($input);
+ return $pve_auth_pub_key if $pve_auth_pub_key;
+
+ my $input = PVE::Tools::file_get_contents($authpubkeyfn);
+
+ $pve_auth_pub_key = Crypt::OpenSSL::RSA->new_public_key($input);
+
+ return $pve_auth_pub_key;
}
-sub read_privkey {
- my ($filename, $fh) = @_;
+my $pve_auth_priv_key;
+sub get_privkey {
- my $input = PVE::Tools::safe_read_from($fh);
+ return $pve_auth_priv_key if $pve_auth_priv_key;
- return Crypt::OpenSSL::RSA->new_private_key($input);
+ my $input = PVE::Tools::file_get_contents($authprivkeyfn);
+
+ $pve_auth_priv_key = Crypt::OpenSSL::RSA->new_private_key($input);
+
+ return $pve_auth_priv_key;
}
sub assemble_ticket {
my ($username) = @_;
- my $rsa_priv = read_file('authkeypriv');
+ my $rsa_priv = get_privkey();
my $timestamp = time();
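Review bot: `get_privkey` and `get_pubkey` cache the parsed key in a file-scoped lexical for the life of the process, and since this commit also removes the `register_file`/inotify path nothing ever invalidates that cache; a long-running daemon that loaded the old `authkey.key` keeps signing tickets with it, and keeps accepting tickets under the old `authkey.pub`, after the key pair has been regenerated on disk, until the process is restarted. That is worth stating at the declaration, e.g. above `my $pve_auth_priv_key;`: `# Cached for the process lifetime; a regenerated key is not picked up until restart.` If key rotation without a restart is a requirement, re-reading the file when its mtime changes would avoid the stale-key window. `assemble_ticket` continues past the end of this hunk.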
@@ -107,7 +126,7 @@
sub verify_ticket {
my ($ticket, $noerr) = @_;
- my $rsa_pub = read_file('authkeypub');
+ my $rsa_pub = get_pubkey();
if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
my $plain = $1;
Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum 2011-01-11 13:05:23 UTC (rev 5353)
+++ pve-access-control/trunk/pveum 2011-01-11 14:41:09 UTC (rev 5354)
@@ -23,8 +23,6 @@
#fixme: logging?
-# my $euid = $>; my $ruid = $<; print STDERR "EUID $euid UID $ruid\n";
-
die "please run as root\n" if $> != 0;
PVE::INotify::inotify_init();
@@ -36,15 +34,7 @@
$rpcenv->set_user('root');
# autmatically generate the private key if it does not already exists
-my $authdir = PVE::AccessControl::auth_data_dir();
-if (! -f "$authdir/authkey.key") {
- mkdir $authdir;
-
- my $cmd = "openssl genrsa -out '$authdir/authkey.key' 1024";
- run_command($cmd, umask => 0177);
- $cmd = "openssl rsa -in '$authdir/authkey.key' -pubout -out '$authdir/authkey.pub'";
- run_command($cmd, umask => 0133)
-}
+PVE::AccessControl::cond_create_auth_key();
my $read_password = sub {