mon/AuthMonitor: shutdown session connection on auth failure
authorPatrick Donnelly <pdonnell@ibm.com>
Tue, 13 May 2025 16:28:39 +0000 (12:28 -0400)
committerPatrick Donnelly <pdonnell@ibm.com>
Wed, 1 Oct 2025 18:47:07 +0000 (14:47 -0400)
Currently the mons will allow the session to persist even though an auth
failure has occurred, probably while trying to obtain new tickets.

A sequence to easily trigger this:

    ceph auth rotate osd.0
    ceph auth wipe-rotating-service-keys

The osd.0 will continue interacting with the mons until restart or a network
interruption occurs.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
src/mon/AuthMonitor.cc

index d69655cc6a446b418f4cf3a5dd3fbd009b17958d..d335e36ebbe84140183f1275b2c35171a9e91b9c 100644 (file)
@@ -836,6 +836,11 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
 reply:
   reply = new MAuthReply(proto, &response_bl, ret, s->con->peer_global_id);
   mon.send_reply(op, reply);
+  if (ret < 0) {
+    /* auth has failed (key change?), close the session */
+    dout(1) << "stopping due to failed auth (" << cpp_strerror(ret) << "): " << *s << dendl;
+    s->con->shutdown();
+  }
   if (finished) {
     // always send the latest monmap.
     if (m->monmap_epoch < mon.monmap->get_epoch())
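Review bot: The new `if (ret < 0)` block under the `reply:` label calls `s->con->shutdown()` immediately after `mon.send_reply(op, reply)`, and nothing visible in the hunk shows that the queued MAuthReply is delivered before the connection is torn down. If shutdown discards pending messages, the peer would see only a dropped connection and presumably reconnect and retry instead of learning the error code, so the ordering guarantee should be confirmed and recorded in the comment, e.g. `/* auth has failed (key change?); the reply above is best-effort, close the session so the peer must re-authenticate */`. The check also treats every negative `ret` that reaches the label as an authentication failure; the assignments to `ret` are outside the hunk, so confirm that none of them is a transient or retryable condition that should keep the session. The `if (finished)` block that follows still runs after the shutdown and continues past the end of the hunk, so it is worth checking that it does nothing that assumes a live connection when `ret < 0`.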