This was added in commit 9bcbc2a3621f ("mon,msg: implement
cephx_*_require_version options") and inadvertently dropped in
commit e6f043f7d2dc ("msgr/async: huge refactoring of protocol V1").
As a result, service daemons don't enforce cephx_require_version
and cephx_cluster_require_version options and connections without
CEPH_FEATURE_CEPHX_V2 are allowed through.

(cephx_service_require_version enforcement was brought back a
year later in commit 321548010578 ("mon/MonClient: skip CEPHX_V2
challenge if client doesn't support it"), although the peer gets
TAG_BADAUTHORIZER instead of TAG_FEATURES.)

Resurrect the original behaviour: all cephx_*require_version
options are enforced and the peer gets TAG_FEATURES, signifying
that it is missing a required feature.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2)

Conflicts:
    src/msg/async/ProtocolV1.cc [ drop nautilus-only commit
    89ffece49097 ("msg/async/ProtocolV1: require CEPHX_V2 if
    cephx_service_require_version >= 2") ]
<< dendl;
connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;
}
+ if (cct->_conf->cephx_require_version >= 2 ||
+ cct->_conf->cephx_cluster_require_version >= 2) {
+ ldout(cct, 10)
+ << __func__
+ << " using cephx, requiring cephx v2 feature bit for cluster"
+ << dendl;
+ connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+ }
} else {
if (cct->_conf->cephx_require_signatures ||
cct->_conf->cephx_service_require_signatures) {
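Review bot: The added block that sets CEPH_FEATUREMASK_CEPHX_V2 when cephx_require_version or cephx_cluster_require_version is >= 2 restores a check that, per the commit message, was lost silently during a refactoring, yet no test is visible in this patch to stop that happening again. Please add a regression test that connects a peer without CEPHX_V2 while cephx_cluster_require_version is 2 and asserts that the peer is refused with TAG_FEATURES. A smaller point on the same block: the debug string says "for cluster" even when only the generic cephx_require_version triggered the condition, so the log line at level 10 can mislead someone tracing why a peer was rejected. Naming the option that matched would help.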
<< dendl;
connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;
}
- }
- if (cct->_conf->cephx_service_require_version >= 2) {
- connection->policy.features_required |= CEPH_FEATURE_CEPHX_V2;
+ if (cct->_conf->cephx_require_version >= 2 ||
+ cct->_conf->cephx_service_require_version >= 2) {
+ ldout(cct, 10)
+ << __func__
+ << " using cephx, requiring cephx v2 feature bit for service"
+ << dendl;
+ connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+ }
}
}
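Review bot: The removed `if (cct->_conf->cephx_service_require_version >= 2)` sat after the closing brace of the if/else, so it applied on both branches, while its replacement is inside the else branch only. A peer that takes the first branch is therefore no longer required to have CEPHX_V2 when cephx_service_require_version is the only option set to 2. The Conflicts note about dropping the nautilus-only commit suggests this is intended, but it narrows enforcement on this branch and should be stated explicitly in the commit message so operators relying on the old behaviour know to set cephx_cluster_require_version or cephx_require_version. The same lines also switch from CEPH_FEATURE_CEPHX_V2 to CEPH_FEATUREMASK_CEPHX_V2 while the neighbouring line keeps CEPH_FEATURE_MSG_AUTH. A one-line comment on why the mask form is needed here would save the next reader from wondering whether the inconsistency is a mistake.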