auth/cephx: tolerate missing rotating keys
authorSage Weil <sage@redhat.com>
Wed, 5 Oct 2016 15:09:19 +0000 (11:09 -0400)
committerSage Weil <sage@redhat.com>
Fri, 14 Oct 2016 18:41:44 +0000 (14:41 -0400)
During an upgrade, we may have a client requesting an
MGR service key but not have one in the database yet,
either because we *just* upgraded and haven't generated
one yet, or because the leader mon hasn't been upgraded
yet.

Fix this by silently tolerating a missing key as long as
one or more other service keys were present and we have
something to give to the client.

Signed-off-by: Sage Weil <sage@redhat.com>
src/auth/cephx/CephxServiceHandler.cc

index 914fea712760ec327387f90991eab852ec6d9119..15d27f540c76776e9ead2be85c71e7a8b39d17f5 100644 (file)
@@ -163,19 +163,32 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
 
       ret = 0;
       vector<CephXSessionAuthInfo> info_vec;
-      for (uint32_t service_id = 1; service_id <= ticket_req.keys; service_id <<= 1) {
+      int found_services = 0;
+      int service_err = 0;
+      for (uint32_t service_id = 1; service_id <= ticket_req.keys;
+          service_id <<= 1) {
         if (ticket_req.keys & service_id) {
-         ldout(cct, 10) << " adding key for service " << ceph_entity_type_name(service_id) << dendl;
+         ldout(cct, 10) << " adding key for service "
+                        << ceph_entity_type_name(service_id) << dendl;
           CephXSessionAuthInfo info;
-          int r = key_server->build_session_auth_info(service_id, auth_ticket_info, info);
+          int r = key_server->build_session_auth_info(service_id,
+                                                     auth_ticket_info, info);
+         // tolerate missing MGR rotating key for the purposes of upgrades.
           if (r < 0) {
-            ret = r;
-            break;
-          }
+           ldout(cct, 10) << "   missing key for service "
+                          << ceph_entity_type_name(service_id) << dendl;
+           service_err = r;
+           continue;
+         }
           info.validity += cct->_conf->auth_service_ticket_ttl;
           info_vec.push_back(info);
+         ++found_services;
         }
       }
+      if (!found_services && service_err) {
+       ldout(cct, 10) << __func__ << " did not find any service keys" << dendl;
+       ret = service_err;
+      }
       CryptoKey no_key;
       build_cephx_response_header(cephx_header.request_type, ret, result_bl);
       cephx_build_service_ticket_reply(cct, auth_ticket_info.session_key, info_vec, false, no_key, result_bl);
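Review bot: The `if (r < 0)` branch now skips any service whose `build_session_auth_info()` call fails, for any error code, although the added comment only justifies a missing MGR rotating key during upgrades. As written, a request for several services returns `ret = 0` with a partial ticket set whenever at least one lookup succeeds, so a missing key for a non-MGR service is also hidden from the client and shows up only at debug level 10. Consider keeping the old hard failure for other services, e.g. `if (r < 0 && service_id != CEPH_ENTITY_TYPE_MGR) { ret = r; break; }` ahead of the tolerant branch, or at least rewording the comment to `// tolerate a missing rotating key for any service; fail only if none were found`. `service_err` also keeps only the last error seen, so the code returned when nothing is found may not be the most informative one. handle_request starts and ends outside this hunk, so how the client treats a partial reply is not visible here.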