auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys
authorIlya Dryomov <idryomov@gmail.com>
Tue, 2 Mar 2021 14:09:26 +0000 (15:09 +0100)
committerIlya Dryomov <idryomov@gmail.com>
Mon, 12 Apr 2021 19:59:42 +0000 (21:59 +0200)
When handling CEPHX_GET_AUTH_SESSION_KEY requests from nautilus+
clients, ignore CEPH_ENTITY_TYPE_AUTH in CephXAuthenticate::other_keys.
Similarly, when handling CEPHX_GET_PRINCIPAL_SESSION_KEY requests,
ignore CEPH_ENTITY_TYPE_AUTH in CephXServiceTicketRequest::keys.
These fields are intended for requesting service tickets; the auth
ticket (which is really a ticket granting ticket) must not be shared
this way.

Otherwise we end up sharing an auth ticket that a) isn't encrypted
with the old session key even if needed (should_enc_ticket == true)
and b) has the wrong validity, namely auth_service_ticket_ttl instead
of auth_mon_ticket_ttl.  In the CEPHX_GET_AUTH_SESSION_KEY case, this
undue ticket immediately supersedes the actual auth ticket already
encoded in the same reply (the reply frame ends up containing two auth
tickets).

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 05772ab6127bdd9ed2f63fceef840f197ecd9ea8)

src/auth/cephx/CephxServiceHandler.cc

index cb5f9a796bcda24d00efb1abeced316e6a9205e8..82c964e47fa02d506d7b8a983ccba15d7693f743 100644 (file)
@@ -273,11 +273,14 @@ int CephxServiceHandler::handle_request(
            }
          }
          encode(cbl, *result_bl);
-         // provite all of the other tickets at the same time
+         // provide requested service tickets at the same time
          vector<CephXSessionAuthInfo> info_vec;
          for (uint32_t service_id = 1; service_id <= req.other_keys;
               service_id <<= 1) {
-           if (req.other_keys & service_id) {
+           // skip CEPH_ENTITY_TYPE_AUTH: auth ticket is already encoded
+           // (possibly encrypted with the old session key)
+           if ((req.other_keys & service_id) &&
+               service_id != CEPH_ENTITY_TYPE_AUTH) {
              ldout(cct, 10) << " adding key for service "
                             << ceph_entity_type_name(service_id) << dendl;
              CephXSessionAuthInfo svc_info;
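Review bot: The loop over `req.other_keys` still cannot terminate when the client sets bit 31 of the mask: once `service_id` reaches 0x80000000 the next `service_id <<= 1` wraps to 0, `0 <= req.other_keys` stays true on every further iteration, and the `& service_id` test on the new line then skips forever, so an authenticated client holding any key could pin a monitor thread with one request. This assumes other_keys is an unsigned 32-bit-or-wider field that the decoder does not mask; neither is visible in this hunk, so confirm that before treating it as reachable. Guard the shift against wrap-around, e.g. `for (uint32_t service_id = 1; service_id && service_id <= req.other_keys; service_id <<= 1) {`, or iterate only the known entity-type bits instead of the raw mask. handle_request begins before this hunk and continues after it.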
@@ -337,7 +340,10 @@ int CephxServiceHandler::handle_request(
       int service_err = 0;
       for (uint32_t service_id = 1; service_id <= ticket_req.keys;
           service_id <<= 1) {
-        if (ticket_req.keys & service_id) {
+        // skip CEPH_ENTITY_TYPE_AUTH: auth ticket must be obtained with
+        // CEPHX_GET_AUTH_SESSION_KEY
+        if ((ticket_req.keys & service_id) &&
+            service_id != CEPH_ENTITY_TYPE_AUTH) {
          ldout(cct, 10) << " adding key for service "
                         << ceph_entity_type_name(service_id) << dendl;
           CephXSessionAuthInfo info;
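Review bot: The new skip of CEPH_ENTITY_TYPE_AUTH is silent, so a client that asks for an auth ticket through CEPHX_GET_PRINCIPAL_SESSION_KEY gets neither a ticket nor any trace in the log, which makes a probing or misbehaving client hard to spot; a debug line just before the existing condition, `if (ticket_req.keys & CEPH_ENTITY_TYPE_AUTH & service_id)` followed by `ldout(cct, 10) << " ignoring request for auth ticket via service ticket path" << dendl;`, keeps the compatibility behaviour while recording it. Separately, this loop has the same wrap-around as the other_keys loop earlier in handle_request: with bit 31 of `ticket_req.keys` set, `service_id <<= 1` reaches 0 and `0 <= ticket_req.keys` never becomes false, assuming keys is an unmasked unsigned field of at least 32 bits (not visible here); `service_id && service_id <= ticket_req.keys` as the loop condition closes it. handle_request starts before this hunk and continues past it.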