[pve-devel] r5354 - in pve-access-control/trunk: . PVE

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Jan 11 15:41:09 CET 2011


Author: dietmar
Date: 2011-01-11 15:41:09 +0100 (Tue, 11 Jan 2011)
New Revision: 5354

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/AccessControl.pm
   pve-access-control/trunk/pveum
Log:
2011-01-11  root  <root at maui.maurer-it.com>

        * PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does
        not work on the cluster filesystem, so I removed that code. Also
        moved lock files to /var/lock/pve-manager (cluster filesystem does
        not support locks - we need to do cluster wide locks later)




Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-01-11 13:05:23 UTC (rev 5353)
+++ pve-access-control/trunk/ChangeLog	2011-01-11 14:41:09 UTC (rev 5354)
@@ -1,3 +1,10 @@
+2011-01-11  root  <root at maui.maurer-it.com>
+
+	* PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does
+	not work on the cluster filesystem, so I removed that code. Also
+	moved lock files to /var/lock/pve-manager (cluster filesystem does
+	not support locks - we need to do cluster wide locks later)
+
 2010-09-14  Proxmox Support Team  <support at proxmox.com>
 
 	* PVE/API2/AccessControl.pm: moved from pve-manager

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-01-11 13:05:23 UTC (rev 5353)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-01-11 14:41:09 UTC (rev 5354)
@@ -14,29 +14,29 @@
 
 use Data::Dumper; # fixme: remove
 
+# fixme: implement cluster wide locks
+
+my $lockdir = "/var/lock/pve-manager";
+mkdir $lockdir;
+
 # $authdir must be writable by root only!
-my $authdir = "/etc/pve/auth";
 my $confdir = "/etc/pve";
+my $authdir = "$confdir/priv";
+my $authprivkeyfn = "$authdir/authkey.key";
+my $authpubkeyfn = "$confdir/authkey.pub";
 my $userconfigfile = "user.cfg";
 my $userconfigpath = "$confdir/$userconfigfile";
-my $userconfiglock = "$confdir/.lock-$userconfigfile";
+my $userconfiglock = "$lockdir/.lock-$userconfigfile";
 my $shadowconfigfile = "shadow.cfg";
 my $shadowconfigpath = "$authdir/$shadowconfigfile";
-my $shadowconfiglock = "$authdir/.lock-$shadowconfigfile";
+my $shadowconfiglock = "$lockdir/.lock-$shadowconfigfile";
 my $domainconfigfile = "domains.cfg";
 my $domainconfigpath = "$authdir/$domainconfigfile";
-my $domainconfiglock = "$authdir/.lock-$domainconfigfile";
 
 my $ticket_lifetime = 3600*2; # 2 hours
 
 Crypt::OpenSSL::RSA->import_random_seed();
- 
-register_file('authkeypub', "$authdir/authkey.pub",
-	      \&read_pubkey);
 
-register_file('authkeypriv', "$authdir/authkey.key",
-	      \&read_privkey);
-
 register_file('usercfg', $userconfigpath, 
 	      \&parse_user_config,  \&write_user_config);
 
@@ -46,8 +46,19 @@
 
 register_file('domaincfg', $domainconfigpath, \&parse_domains);
 
-sub auth_data_dir {
-    return $authdir;
+sub cond_create_auth_key {
+
+    return if -f "$authprivkeyfn";
+
+    (-l "$confdir/local" ) || die "pve configuration filesystem not mounted\n";
+
+    mkdir $authdir || die "unable to create dir '$authdir' - $!\n";
+ 
+    my $cmd = "openssl genrsa -out '$authprivkeyfn' 2048";
+    run_command($cmd);
+
+    $cmd = "openssl rsa -in '$authprivkeyfn' -pubout -out '$authpubkeyfn'";
+    run_command($cmd)
 }
 
 sub lock_user_config {
@@ -74,26 +85,34 @@
     }
 }
 
-sub read_pubkey {
-    my ($filename, $fh) = @_;
-    
-    my $input = PVE::Tools::safe_read_from($fh); 
+my $pve_auth_pub_key;
+sub get_pubkey {    
 
-    return Crypt::OpenSSL::RSA->new_public_key($input);
+    return $pve_auth_pub_key if $pve_auth_pub_key;
+
+    my $input = PVE::Tools::file_get_contents($authpubkeyfn); 
+
+    $pve_auth_pub_key = Crypt::OpenSSL::RSA->new_public_key($input);
+
+    return $pve_auth_pub_key;
 }
 
-sub read_privkey {
-    my ($filename, $fh) = @_;
+my $pve_auth_priv_key;
+sub get_privkey {
 
-    my $input = PVE::Tools::safe_read_from($fh); 
+    return $pve_auth_priv_key if $pve_auth_priv_key;
 
-    return Crypt::OpenSSL::RSA->new_private_key($input);
+    my $input = PVE::Tools::file_get_contents($authprivkeyfn); 
+
+    $pve_auth_priv_key = Crypt::OpenSSL::RSA->new_private_key($input);
+
+    return $pve_auth_priv_key;
 }
 
 sub assemble_ticket {
     my ($username) = @_;
 
-    my $rsa_priv = read_file('authkeypriv');
+    my $rsa_priv = get_privkey();
 
     my $timestamp = time();
 
@@ -107,7 +126,7 @@
 sub verify_ticket {
     my ($ticket, $noerr) = @_;
 
-    my $rsa_pub = read_file('authkeypub');
+    my $rsa_pub = get_pubkey();
 
     if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
 	my $plain = $1;

Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	2011-01-11 13:05:23 UTC (rev 5353)
+++ pve-access-control/trunk/pveum	2011-01-11 14:41:09 UTC (rev 5354)
@@ -23,8 +23,6 @@
 
 #fixme: logging?
 
-# my $euid = $>; my $ruid = $<; print STDERR "EUID $euid UID $ruid\n";
-
 die "please run as root\n" if $> != 0;
 
 PVE::INotify::inotify_init();
@@ -36,15 +34,7 @@
 $rpcenv->set_user('root'); 
 
 # autmatically generate the private key if it does not already exists
-my $authdir = PVE::AccessControl::auth_data_dir();
-if (! -f "$authdir/authkey.key") {
-    mkdir $authdir;
- 
-    my $cmd = "openssl genrsa -out '$authdir/authkey.key' 1024";
-    run_command($cmd, umask => 0177);
-    $cmd = "openssl rsa -in '$authdir/authkey.key' -pubout -out '$authdir/authkey.pub'";
-    run_command($cmd, umask => 0133)
-}
+PVE::AccessControl::cond_create_auth_key();
 
 my $read_password = sub {
 




More information about the pve-devel mailing list