auth,mon: add _exit config when auth fails

This is largely for testing: we want a client to exit immediately if auth
failures occur. Presently, those clients will try to reconnect forever.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index 24784139a3aaed0ab245f73f97c172e9a64d228e..f253bce11ecfc1dd44c85ee947423163db1b7c9c 100644 (file)
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
@@ -2156,6 +2156,13 @@ options:
    each other. Valid settings are ``cephx`` or ``none``.
   default: cephx
   with_legacy: true
+- name: auth_exit_on_failure
+  type: int
+  level: dev
+  desc: call _exit with given error code when auth fails when non-negative
+  default: -1
+  flags:
+  - runtime
 # required by daemons of clients
 - name: auth_service_required
   type: str

diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 253e77aa8f71687824101d3c6d2fd5922397486c..235472c7973e1c519a73bd73a5771843cc9a2738 100644 (file)
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -60,6 +60,18 @@
 #include "auth/RotatingKeyRing.h"
 
 #define dout_subsys ceph_subsys_monc
+
+/* Used by both MonClient and MonConnection. */
+static int handle_auth_failure(CephContext* cct)
+{
+  int ecode = cct->_conf.get_val<int64_t>("auth_exit_on_failure");
+  if (ecode >= 0) {
+    lderr(cct) << __func__ << " exiting with " << ecode << " due to auth failure" << dendl;
+    _exit(ecode);
+  }
+  return -EACCES;
+}
+
 #undef dout_prefix
 #define dout_prefix *_dout << "monclient" << (_hunting() ? "(hunting)":"") << ": "
 
@@ -739,6 +751,8 @@ void MonClient::_finish_auth(int auth_err)
                   << " auth returned EAGAIN, reopening the session to try again"
                   << dendl;
     _reopen_session();
+  } else {
+    [[maybe_unused]] int rc = handle_auth_failure(cct);
   }
   auth_cond.notify_all();
 }
@@ -1658,7 +1672,7 @@ int MonClient::handle_auth_bad_method(
                  << " result " << cpp_strerror(result)
                  << " and auth is " << (auth ? auth->get_protocol() : 0)
                  << dendl;
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
 }
 
@@ -1678,12 +1692,12 @@ int MonClient::handle_auth_request(
         return 1;
       }
     }
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   auth_meta->auth_mode = payload[0];
   if (auth_meta->auth_mode < AUTH_MODE_AUTHORIZER ||
       auth_meta->auth_mode > AUTH_MODE_AUTHORIZER_MAX) {
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   AuthAuthorizeHandler *ah = get_auth_authorize_handler(con->get_peer_type(),
                                                        auth_method);
@@ -1716,7 +1730,7 @@ int MonClient::handle_auth_request(
     if (handle_authentication_dispatcher->ms_handle_fast_authentication(con)) {
       return 1;
     }
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   if (!more && !was_challenge && auth_meta->authorizer_challenge) {
     ldout(cct,10) << __func__ << " added challenge on " << con << dendl;
@@ -1725,7 +1739,7 @@ int MonClient::handle_auth_request(
   ldout(cct,10) << __func__ << " bad authorizer on " << con << dendl;
   // discard old challenge
   auth_meta->authorizer_challenge.reset();
-  return -EACCES;
+  return handle_auth_failure(cct);
 }
 
 AuthAuthorizer* MonClient::build_authorizer(int service_id) const {
@@ -1810,7 +1824,7 @@ int MonConnection::get_auth_request(
     std::vector<uint32_t> as;
     auth_registry->get_supported_methods(con->get_peer_type(), &as);
     if (as.empty()) {
-      return -EACCES;
+      return handle_auth_failure(cct);
     }
     auth_method = as.front();
   }
@@ -1820,7 +1834,7 @@ int MonConnection::get_auth_request(
   ldout(cct,10) << __func__ << " method " << *method
                << " preferred_modes " << *preferred_modes << dendl;
   if (preferred_modes->empty()) {
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
 
   int r = _init_auth(*method, entity_name, want_keys, keyring, true);
@@ -1912,7 +1926,7 @@ int MonConnection::handle_auth_bad_method(
   if (p == auth_supported.end()) {
     lderr(cct) << __func__ << " server allowed_methods " << allowed_methods
               << " but i only support " << auth_supported << dendl;
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   auth_method = *p;
   ldout(cct,10) << __func__ << " will try " << auth_method << " next" << dendl;