mon: provide emergency mechanism to rescue allowed_ciphers

If the administrator accidentally revokes auth to client.admin, they cannot fix
it because the setting is stored in the monmap. Provide a config to restore
access in such an emergency.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

diff --git a/src/common/options/mon.yaml.in b/src/common/options/mon.yaml.in
index 6f8f22732df21af7758fed4c6857f2dc01b08c5f..307ac0b8b1b1d4b57ca85d99169a47baf9b41a77 100644 (file)
--- a/src/common/options/mon.yaml.in
+++ b/src/common/options/mon.yaml.in
@@ -833,6 +833,15 @@ options:
   - mon
   flags:
   - runtime
+- name: mon_auth_emergency_allowed_ciphers
+  type: str
+  level: advanced
+  desc: set allowed ciphers to override mon map configuration
+  services:
+  - mon
+  flags:
+  - startup
+  - no_mon_update
 - name: mon_auth_validate_all_caps
   type: bool
   level: advanced

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 60ee673bd2dee9807b3af93bc8b8d18393464e17..20c0e0205e98aaaa52d4e7a57e69a07f2acb926f 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -510,6 +510,10 @@ bool AuthMonitor::check_health()
     next.add("AUTH_INSECURE_KEYS_CREATABLE", HEALTH_WARN, "Monitors are configured to allow creation of insecure key types", 1);
   }
 
+  if (auto c = cct->_conf.get_val<std::string>("mon_auth_emergency_allowed_ciphers"); !c.empty()) {
+    next.add("AUTH_EMERGENCY_CIPHERS_SET", HEALTH_WARN, "Monitors are configured to use emergency allowed ciphers", 1);
+  }
+
   {
     auto service_key_type = mon.monmap->auth_service_cipher;
     if (!secure_key_types.contains(service_key_type)) {

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 98b0b639f7f14bd495685e0b70e4dda115300cc7..f18b26d29063cf8b0c52f2814ea14356575945de 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -954,6 +954,23 @@ int Monitor::init()
   dout(2) << "init" << dendl;
   std::lock_guard l(lock);
 
+  auto emergency_ciphers = cct->_conf.get_val<std::string>("mon_auth_emergency_allowed_ciphers");
+  if (!emergency_ciphers.empty()) {
+    std::vector<std::string> v;
+    std::vector<int> ciphers;
+    get_str_vec(emergency_ciphers, ", ", v);
+    for (auto& cipher : v) {
+      int c = CryptoManager::get_key_type(cipher);
+      if (c < 0) {
+        lderr(cct) << "init: invalid cipher: " << cipher << dendl;
+        continue;
+      }
+      ciphers.push_back(c);
+    }
+    std::lock_guard lock{cipher_mutex};
+    my_allowed_ciphers = std::move(ciphers);
+  }
+
   finisher.start();
 
   // start ticker
@@ -6802,8 +6819,16 @@ void Monitor::notify_new_monmap(bool can_change_external_state, bool remove_rank
     std::lock_guard lock{cipher_mutex};
     my_service_cipher = monmap->auth_service_cipher;
     dout(20) << __func__ << ": my_service_cipher now " << my_service_cipher << dendl;
-    my_allowed_ciphers = monmap->auth_allowed_ciphers;
-    dout(20) << __func__ << ": auth_allowed_ciphers now " << my_allowed_ciphers << dendl;
+    auto emergency_ciphers = cct->_conf.get_val<std::string>("mon_auth_emergency_allowed_ciphers");
+    if (emergency_ciphers.empty()) {
+      my_allowed_ciphers = monmap->auth_allowed_ciphers;
+      dout(20) << __func__ << ": auth_allowed_ciphers now " << my_allowed_ciphers << dendl;
+    } else {
+      dout(20) << __func__
+               << ": mon_auth_emergency_allowed_ciphers (" << my_allowed_ciphers
+               << ") overrides MonMap::auth_allowed_ciphers (" << monmap->auth_allowed_ciphers << ")"
+               << dendl;
+    }
   }
 }