auth,mon: add _exit config when auth fails

This is largely for testing: we want a client to exit immediately if auth
failures occur. Presently, those clients will try to reconnect forever.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index aa031a6a2ffdaf9a938ced00e68d89ded04c6a9f..e5ea60e79234258a51c378c490524d85ba960930 100644 (file)
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
@@ -2153,6 +2153,13 @@ options:
    each other. Valid settings are ``cephx`` or ``none``.
   default: cephx
   with_legacy: true
+- name: auth_exit_on_failure
+  type: int
+  level: dev
+  desc: call _exit with given error code when auth fails when non-negative
+  default: -1
+  flags:
+  - runtime
 # required by daemons of clients
 - name: auth_service_required
   type: str

diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 3c1b7c333e643995520c384c8c99a001e1c1cc47..bb33c4961883d029b5cf27cd5ba370eb705a360e 100644 (file)
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -59,6 +59,18 @@
 #include "auth/RotatingKeyRing.h"
 
 #define dout_subsys ceph_subsys_monc
+
+/* Used by both MonClient and MonConnection. */
+static int handle_auth_failure(CephContext* cct)
+{
+  int ecode = cct->_conf.get_val<int64_t>("auth_exit_on_failure");
+  if (ecode >= 0) {
+    lderr(cct) << __func__ << " exiting with " << ecode << " due to auth failure" << dendl;
+    _exit(ecode);
+  }
+  return -EACCES;
+}
+
 #undef dout_prefix
 #define dout_prefix *_dout << "monclient" << (_hunting() ? "(hunting)":"") << ": "
 
@@ -738,6 +750,8 @@ void MonClient::_finish_auth(int auth_err)
                   << " auth returned EAGAIN, reopening the session to try again"
                   << dendl;
     _reopen_session();
+  } else {
+    [[maybe_unused]] int rc = handle_auth_failure(cct);
   }
   auth_cond.notify_all();
 }
@@ -1652,7 +1666,7 @@ int MonClient::handle_auth_bad_method(
                  << " result " << cpp_strerror(result)
                  << " and auth is " << (auth ? auth->get_protocol() : 0)
                  << dendl;
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
 }
 
@@ -1672,12 +1686,12 @@ int MonClient::handle_auth_request(
         return 1;
       }
     }
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   auth_meta->auth_mode = payload[0];
   if (auth_meta->auth_mode < AUTH_MODE_AUTHORIZER ||
       auth_meta->auth_mode > AUTH_MODE_AUTHORIZER_MAX) {
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   AuthAuthorizeHandler *ah = get_auth_authorize_handler(con->get_peer_type(),
                                                        auth_method);
@@ -1710,7 +1724,7 @@ int MonClient::handle_auth_request(
     if (handle_authentication_dispatcher->ms_handle_fast_authentication(con)) {
       return 1;
     }
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   if (!more && !was_challenge && auth_meta->authorizer_challenge) {
     ldout(cct,10) << __func__ << " added challenge on " << con << dendl;
@@ -1719,7 +1733,7 @@ int MonClient::handle_auth_request(
   ldout(cct,10) << __func__ << " bad authorizer on " << con << dendl;
   // discard old challenge
   auth_meta->authorizer_challenge.reset();
-  return -EACCES;
+  return handle_auth_failure(cct);
 }
 
 AuthAuthorizer* MonClient::build_authorizer(int service_id) const {
@@ -1804,7 +1818,7 @@ int MonConnection::get_auth_request(
     std::vector<uint32_t> as;
     auth_registry->get_supported_methods(con->get_peer_type(), &as);
     if (as.empty()) {
-      return -EACCES;
+      return handle_auth_failure(cct);
     }
     auth_method = as.front();
   }
@@ -1814,7 +1828,7 @@ int MonConnection::get_auth_request(
   ldout(cct,10) << __func__ << " method " << *method
                << " preferred_modes " << *preferred_modes << dendl;
   if (preferred_modes->empty()) {
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
 
   int r = _init_auth(*method, entity_name, want_keys, keyring, true);
@@ -1906,7 +1920,7 @@ int MonConnection::handle_auth_bad_method(
   if (p == auth_supported.end()) {
     lderr(cct) << __func__ << " server allowed_methods " << allowed_methods
               << " but i only support " << auth_supported << dendl;
-    return -EACCES;
+    return handle_auth_failure(cct);
   }
   auth_method = *p;
   ldout(cct,10) << __func__ << " will try " << auth_method << " next" << dendl;