msg/async: msgr2: call verify authorizer when CEPH_AUTH_NONE is used
authorRicardo Dias <rdias@suse.com>
Fri, 23 Nov 2018 14:14:29 +0000 (14:14 +0000)
committerRicardo Dias <rdias@suse.com>
Wed, 23 Jan 2019 13:59:25 +0000 (13:59 +0000)
Signed-off-by: Ricardo Dias <rdias@suse.com>
src/msg/async/ProtocolV2.cc

index abaabd6fcc3529106cb05fbcfb34da968419a108..4d0fec26ee720157b95b175f97783740dcabc206 100644 (file)
@@ -2411,6 +2411,26 @@ CtPtr ProtocolV2::handle_auth_request(char *payload, uint32_t length) {
   if (auth_method == CEPH_AUTH_NONE) {
     ldout(cct, 1) << __func__ << " proceeding without authentication" << dendl;
 
+    // even with CEPH_AUTH_NONE we still need to call verify_authorizer to
+    // make sure that peer caps are set correctly, and code up in the stack
+    // runs ms_handle_authentication.
+    connection->lock.unlock();
+    bufferlist authorizer_reply;
+    bool authorizer_valid;
+    messenger->ms_deliver_verify_authorizer(
+        connection, connection->peer_type, auth_method,
+        auth_request.auth_payload(), authorizer_reply, authorizer_valid,
+        session_key, nullptr);
+    connection->lock.lock();
+
+    if (!authorizer_valid) {
+      ldout(cct, 0) << __func__ << " got bad authorizer, auth_reply_len="
+                    << authorizer_reply.length() << dendl;
+      session_security.reset();
+      AuthBadAuthFrame bad_auth(EPERM, "Bad Authorizer");
+      return WRITE(bad_auth.get_buffer(), "bad auth", read_frame);
+    }
+
     session_security.reset();
     bufferlist empty_bl;
     AuthDoneFrame auth_done(0, 0, empty_bl);
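Review bot: `authorizer_valid` is declared without an initializer and then read in `if (!authorizer_valid)`, while the return value of `ms_deliver_verify_authorizer` is discarded. Whether every path through that call writes the out-parameter is not visible in this hunk; if one does not, the accept/reject decision rests on an indeterminate value. Declaring it fail-closed, `bool authorizer_valid = false;`, removes that dependency. Separately, `connection->lock` is released around the call, so the connection may have been closed or replaced by the time it is re-acquired. A check of the protocol state directly after `connection->lock.lock()`, before `session_security` is touched or a frame is written, looks warranted. The body of `handle_auth_request` begins and ends outside this hunk.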
@@ -2713,6 +2733,7 @@ CtPtr ProtocolV2::reuse_connection(AsyncConnectionRef existing,
   exproto->replacing = true;
   exproto->session_security = session_security;
   exproto->auth_method = auth_method;
+  exproto->auth_flags = auth_flags;
   exproto->session_key = session_key;
   exproto->authorizer_challenge = std::move(authorizer_challenge);
   existing->state_offset = 0;