[pve-devel] [PATCH v3 access-control 1/2] fix #2079: add periodic auth key rotation

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Mar 14 10:49:36 CET 2019


On 3/13/19 3:01 PM, Fabian Grünbichler wrote:
> and modify checks to accept still valid tickets generated using the
> previous auth key.
> 
> the slightly complicated caching mechanism is needed for reading the key and
> its modification timestamp in one go while only reading and parsing it again if
> it has changed.
> 
> the +- 300 seconds fuzzing is kept for slightly out-of-sync clusters, since the
> time encoded in the tickets is the result of time() on whichever node the
> ticket API call got forwarded to.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> Notes:
>     VERSIONED DEPENDENCY: on pve-cluster with cfs_lock_authkey needed
>     
>     changes since v2:
>     - make error handling more readable
>     - disable rotation until PVE 6.0
>     
>     changes since v1:
>     - only clamp current key if cluster is quorate, warn otherwise but accept tickets.
>     - bump auth key lifetime to 24h
>     - add some newlines to warn statements
> 
>  PVE/AccessControl.pm | 218 +++++++++++++++++++++++++++++++++++++++----
>  1 file changed, 198 insertions(+), 20 deletions(-)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index bdadfd2..19d008c 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -9,6 +9,8 @@ use Net::SSLeay;
>  use Net::IP;
>  use MIME::Base64;
>  use Digest::SHA;
> +use IO::File;
> +use File::stat;
>  
>  use PVE::OTP;
>  use PVE::Ticket;
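
Review bot: `use File::stat;` in the added import lines replaces the built-in stat and lstat in this package with versions that return an object, so any existing call in PVE/AccessControl.pm that relies on the list return of stat would change behaviour; no such call is visible in this hunk, so this needs a check against the rest of the file. Importing it without the override (`use File::stat ();`) and calling `File::stat::stat(...)` explicitly where the key's modification time is read would keep the change local.
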
> [snip]
>  
> -    return $pve_auth_pub_key if $pve_auth_pub_key;
> +sub rotate_authkey {
> +    return if $authkey_lifetime == 0;
>  
> -    my $input = PVE::Tools::file_get_contents($authpubkeyfn);
> +    cfs_lock_authkey(undef, sub {

In the previous version you still had the Perl module PVE::Cluster prefix,
here not - but the "cfs_lock_authkey" method is not in PVE::Cluster's EXPORT,
nor in its EXPORT_OK and here in the import list?

One gets a non-ideal:
"Undefined subroutine &PVE::AccessControl::cfs_lock_authkey" error if trying to
log in with this enabled (authkey_lifetime changed to non-zero)...

Did some last-minute modifications sneak in here? ;-)

> +	# re-check with lock to avoid double rotation in clusters
> +	return if check_authkey();
>  
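
Review bot: the early `return if $authkey_lifetime == 0;` at the top of rotate_authkey uses 0 as the "rotation disabled" switch without saying so. A one-line comment on that line stating that 0 disables rotation would tie it to the "disable rotation until PVE 6.0" entry in the notes, so the later change that turns rotation on is easy to find and review.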





