mon: provide emergency mechanism to use mon keyring

If they key is lost for the `mon.` credential, it's very inconvenient to get it
out of the "auth" database in the mon store. So, allow the operator to create a
new keyring for the mons and use it instead to get mons in quorum again.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

diff --git a/doc/man/8/ceph-mon.rst b/doc/man/8/ceph-mon.rst
index 640c842d605af22ccc8f8ac8d31aac5071836dd8..0166236438e1ee6a0dff42dc7d5c2904ae17ae42 100644 (file)
--- a/doc/man/8/ceph-mon.rst
+++ b/doc/man/8/ceph-mon.rst
@@ -77,6 +77,11 @@ Options
 
    Specify a keyring for use with ``--mkfs``.
 
+.. option:: --use-mon-keyring
+
+   Use the mon's keyring file as authoritative for the "mon." secret. Normally
+   the key in the mons' auth database is used.
+
 .. option:: --no-config-file
 
     Signal that we don't want to rely on a *ceph.conf*, either user provided

diff --git a/src/ceph_mon.cc b/src/ceph_mon.cc
index e2c261d477ece81a2849b0cad968e551e1f7c331..b30085585cff6098173ed579fea6766294c23382 100644 (file)
--- a/src/ceph_mon.cc
+++ b/src/ceph_mon.cc
@@ -219,6 +219,8 @@ static void usage()
        << "        write the <filename> monmap to the local monitor store and exit\n"
        << "  --extract-monmap <filename>\n"
        << "        extract the monmap from the local monitor store and exit\n"
+       << "  --use-mon-keyring\n"
+       << "        use the mon keyring as authoritative for the mon. secret\n"
        << "  --mon-data <directory>\n"
        << "        where the mon store and keyring are located\n"
        << "  --set-crush-location <bucket>=<foo>"
@@ -262,6 +264,7 @@ int main(int argc, const char **argv)
   bool compact = false;
   bool force_sync = false;
   bool yes_really = false;
+  bool use_mon_keyring = false;
   std::string osdmapfn, inject_monmap, extract_monmap, crush_loc;
 
   auto args = argv_to_vec(argc, argv);
@@ -327,6 +330,8 @@ int main(int argc, const char **argv)
       force_sync = true;
     } else if (ceph_argparse_flag(args, i, "--yes-i-really-mean-it", (char*)NULL)) {
       yes_really = true;
+    } else if (ceph_argparse_flag(args, i, "--use-mon-keyring", (char*)NULL)) {
+      use_mon_keyring = true;
     } else if (ceph_argparse_witharg(args, i, &val, "--osdmap", (char*)NULL)) {
       osdmapfn = val;
     } else if (ceph_argparse_witharg(args, i, &val, "--inject_monmap", (char*)NULL)) {
@@ -863,6 +868,10 @@ int main(int argc, const char **argv)
     *_dout << dendl;
   }
 
+  if (use_mon_keyring) {
+    mon->use_keyring_as_authoritative();
+  }
+
   err = mon->preinit();
   if (err < 0) {
     derr << "failed to initialize" << dendl;

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 745af40f86dc8ddd002d9c6721b6ffcfd04f3cc4..654383ee33fa6fc1017049485b217b8a732443a1 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -6497,7 +6497,7 @@ int Monitor::handle_auth_request(
     dout(20) << __func__ << ": verify authorizer was_challenge=" << was_challenge << dendl;
     bool isvalid = ah->verify_authorizer(
       cct,
-      key_server,
+      use_mon_keyring ? static_cast<KeyStore&>(keyring) : static_cast<KeyStore&>(key_server),
       payload,
       auth_meta->get_connection_secret_length(),
       reply,

diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h
index 4f54c729efe8b022413f51a9d19cd7fb1558b3ee..716a05abfd6ed6b83890c2188ba3174602aed17f 100644 (file)
--- a/src/mon/Monitor.h
+++ b/src/mon/Monitor.h
@@ -1130,6 +1130,13 @@ public:
     return std::chrono::duration_cast<std::chrono::milliseconds>(now-starttime);
   }
 
+private:
+  bool use_mon_keyring = false;
+public:
+  void use_keyring_as_authoritative() {
+    use_mon_keyring = true;
+  }
+
 private:
   ceph::coarse_mono_time const starttime = coarse_mono_clock::now();
   epoch_t probe_epoch = 0;