When commit
321548010578 ("mon/MonClient: skip CEPHX_V2 challenge
if client doesn't support it") was being ported to crimson, it got
adjusted incorrectly (but rather fortunately). While the original
always skips authorizer challenges, the port almost never skips
them. This is because it looks at the features of the monitor that
crimson-osd is connected to instead of the features of the peer that
is trying to authenticate. As a result, a msgr1 peer would get the
challenge even if it legitimately doesn't support CEPHX_V2 and would
fault on an unknown protocol tag.
To fix, port commit
4a82c72e3bdd ("mon/MonClient: bring back CEPHX_V2
authorizer challenges").
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
return -EOPNOTSUPP;
}
auto authorizer_challenge = &auth_meta->authorizer_challenge;
- if (!active_con) {
- logger().error("connection to monitors is down, abort connection for now");
- return -EBUSY;
- }
- if (!HAVE_FEATURE(active_con->get_conn()->get_features(), CEPHX_V2)) {
- if (local_conf().get_val<uint64_t>("cephx_service_require_version") >= 2) {
- return -EACCES;
- }
+ if (auth_meta->skip_authorizer_challenge) {
+ logger().info("skipping challenge on {}", con);
authorizer_challenge = nullptr;
}
bool was_challenge = (bool)auth_meta->authorizer_challenge;
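Review bot: The `if (auth_meta->skip_authorizer_challenge)` branch drops the challenge on the strength of a flag alone, and with the `cephx_service_require_version` test removed nothing in these lines refuses a peer when version 2 is required. That is only safe if every place that sets the flag has already applied the required-feature policy; the one setter visible in this commit is the `HAVE_FEATURE` test on `h.connect.features`. I would record that contract above the branch, e.g. `// set by the msgr1 accept path only for peers without CEPHX_V2; required-version policy must be enforced before the flag is set`, and have the log line give the reason, e.g. `logger().info("skipping challenge on {}: peer lacks CEPHX_V2", con);`. The enclosing function starts and ends outside the hunk.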
bufferlist authorizer_reply;
auth_meta->auth_method = h.connect.authorizer_protocol;
+ if (!HAVE_FEATURE((uint64_t)h.connect.features, CEPHX_V2)) {
+ // peer doesn't support it and we won't get here if we require it
+ auth_meta->skip_authorizer_challenge = true;
+ }
auto more = static_cast<bool>(auth_meta->authorizer_challenge);
ceph_assert(messenger.get_auth_server());
int r = messenger.get_auth_server()->handle_auth_request(
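Review bot: `h.connect.features` comes from the connecting peer, so this test lets the peer decide whether it is challenged, and the comment's "we won't get here if we require it" rests on a required-features rejection that is not in the visible lines. Please confirm that rejection runs earlier in this function on the crimson side and make the comment point at it, e.g. `// peer lacks CEPHX_V2; peers missing a required feature were already rejected above`. As a smaller point, `static_cast<uint64_t>(h.connect.features)` would match the `static_cast<bool>` on the next line instead of the C-style cast. The enclosing function starts and ends outside the hunk.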