[pve-devel] [PATCH v2 access-control/cluster/manager 0/4] auth key rotation

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Mar 7 07:56:18 CET 2019

On 3/6/19 11:30 AM, Fabian Grünbichler wrote:
> changes since v1:
> - add rotation in pvestatd
> - accept tickets signed with current key if cluster is not quorate (no rotation possible)
> - rotate once every 24h

again, for the record: The base idea looks now very good, only problem we found
was on upgrade to this, as then most Proxmox VE setups will receive a quite
immediate key rotation after pvestatd triggers (or if a new login happens).
The reason for this is the fact that most installations got set up <1 day before
upgrade and thus its authkey mtime is old enough to trigger a rotation, but as
it's older as the grace period where the now old key is still accepted is
calculated from its mtime it does not trigger here (but will in future
rotations) and so the user gets logged out, not pretty and depending on what
some users are doing it could be even problematic.

Further you get issues in clusters, if a single node is upgraded first,
rotates, but the others do not have the verify logic to handle this.

So the idea is:
* add the verification stuff now, to get all ready for this
* add the rotation stuff too, but early exit for now, remove that with PVE 6,
  where all those upgrading are *required* to have latest 5.X before upgrading
* on upgrade we "touch" the authkey at now - X hours (where X=2 or something
  like that) in the configure step, this delays first rotation for 24 - X
  hours, ensuring that then the tickets generated can trigger the grace period,
  also that there's time for other hosts in the cluster to upgrade (although as
  they already have the verify stuff it should be that problematic for them)

> pve-manager:
> Fabian Grünbichler (1):
>   pvestatd: rotate auth keys if necessary
>  PVE/Service/pvestatd.pm | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> pve-access-control:
> Fabian Grünbichler (1):
>   fix #2079: add periodic auth key rotation
>  PVE/AccessControl.pm | 215 +++++++++++++++++++++++++++++++++++++++----
>  1 file changed, 195 insertions(+), 20 deletions(-)
> pve-cluster:
> Fabian Grünbichler (2):
>   cluster: add cfs_lock_authkey
>   cluster: use lock for legacy authkey generation
>  data/PVE/Cluster.pm | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
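
The upgrade problem and the proposed "touch" step described in this message, modelled as an added example (not code from the patch series or from Proxmox VE). The 2-hour grace period, the acceptance formula and all function names are assumptions for illustration; only the 24h rotation interval and X=2 come from the thread.

```python
from datetime import datetime, timedelta

ROTATE_AFTER = timedelta(hours=24)  # from the thread: rotate once every 24h
GRACE = timedelta(hours=2)          # assumed value; the thread gives no number


def needs_rotation(key_mtime, now):
    """Key is due for rotation once its mtime is at least 24h old."""
    return now - key_mtime >= ROTATE_AFTER


def old_key_accepted(old_key_mtime, now):
    """Assumed model: the old key's acceptance window is anchored to its own
    mtime, so it ends at mtime + rotation interval + grace period."""
    return now < old_key_mtime + ROTATE_AFTER + GRACE


def simulate_upgrade(key_mtime, upgrade_time, touch_back=None):
    """Return (time of first rotation, whether a ticket signed with the old
    key still verifies one minute after that rotation)."""
    if touch_back is not None:
        # Proposed configure step: set the authkey mtime to now - X hours.
        key_mtime = upgrade_time - touch_back
    # Rotation code only exists after the upgrade, so it cannot fire earlier.
    rotation = max(upgrade_time, key_mtime + ROTATE_AFTER)
    assert needs_rotation(key_mtime, rotation)
    return rotation, old_key_accepted(key_mtime, rotation + timedelta(minutes=1))


if __name__ == "__main__":
    upgrade = datetime(2019, 3, 7, 8, 0)        # constructed timestamps
    installed = upgrade - timedelta(days=30)    # key written at install time
    for label, back in (("no touch", None), ("touch now-2h", timedelta(hours=2))):
        when, ok = simulate_upgrade(installed, upgrade, back)
        print(f"{label}: rotation +{when - upgrade}, old tickets accepted: {ok}")
```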
