mon: enforce 'cephx require signatures' during negotiation
authorSage Weil <sage@inktank.com>
Fri, 28 Dec 2012 00:18:19 +0000 (16:18 -0800)
committerSage Weil <sage@inktank.com>
Thu, 17 Jan 2013 23:12:00 +0000 (15:12 -0800)
If we are negotiating which auth protocol to use, and the client does not
support the MSG_AUTH feature, and the server has 'cephx require signatures'
set to true, then remove cephx from the list of allowed protocols.

Also print something in the mon log so that we know wtf is going on.

Signed-off-by: Sage Weil <sage@inktank.com>
src/mon/AuthMonitor.cc

index 84585912be54802a207d34cd475f2009ff690a5b..1afc215fa785b4eac432391aba5681cac79d3793 100644 (file)
@@ -336,14 +336,34 @@ bool AuthMonitor::prep_auth(MAuth *m, bool paxos_writable)
       goto reply;
     }
 
-    int type;
+    // do we require cephx signatures?
+
+    if (!m->get_connection()->has_feature(CEPH_FEATURE_MSG_AUTH)) {
+      if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_MDS) {
+       if (g_conf->cephx_cluster_require_signatures ||
+           g_conf->cephx_require_signatures) {
+         dout(1) << m->get_source_inst() << " supports cephx but not signatures and 'cephx [cluster] require signatures = true'; disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      } else {
+       if (g_conf->cephx_service_require_signatures ||
+           g_conf->cephx_require_signatures) {
+         dout(1) << m->get_source_inst() << " supports cephx but not signatures and 'cephx [service] require signatures = true'; disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      }
+    }
 
+    int type;
     if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
        entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
        entity_name.get_type() == CEPH_ENTITY_TYPE_MDS)
       type = mon->auth_cluster_required.pick(supported);
     else
       type = mon->auth_service_required.pick(supported);
+
     s->auth_handler = get_auth_service_handler(type, g_ceph_context, &mon->key_server);
     if (!s->auth_handler) {
       dout(1) << "client did not provide supported auth type" << dendl;
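Review bot: The two new `dout(1)` lines are emitted even when the peer never offered cephx, so the text "supports cephx but not signatures" can be false and the `supported.erase(CEPH_AUTH_CEPHX)` next to it a no-op; if `supported` is a std::set (its type is not visible in the hunk), gating the log on the erase count, `if (supported.erase(CEPH_AUTH_CEPHX)) dout(1) << ...`, keeps the mon log honest about what was actually disallowed. The MON/OSD/MDS classification is also now written twice within the hunk, once in the new block and once in the existing `pick` selection below it, and the two new branches differ only in which `g_conf` flag and which word they use, so hoisting both into locals removes the duplication and keeps the two decisions from drifting apart. A combined form is sketched below; prep_auth begins and ends outside this hunk.
```cpp
    // do we require cephx signatures?
    bool is_cluster_entity =
      entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
      entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
      entity_name.get_type() == CEPH_ENTITY_TYPE_MDS;
    bool require_sigs = g_conf->cephx_require_signatures ||
      (is_cluster_entity ? g_conf->cephx_cluster_require_signatures
                         : g_conf->cephx_service_require_signatures);
    if (require_sigs &&
        !m->get_connection()->has_feature(CEPH_FEATURE_MSG_AUTH) &&
        supported.erase(CEPH_AUTH_CEPHX)) {
      // only logged when cephx was actually removed from the offered set
      dout(1) << m->get_source_inst()
              << " supports cephx but not signatures and 'cephx ["
              << (is_cluster_entity ? "cluster" : "service")
              << "] require signatures = true'; disallowing cephx" << dendl;
    }

    int type;
    if (is_cluster_entity)
      type = mon->auth_cluster_required.pick(supported);
    else
      type = mon->auth_service_required.pick(supported);
    // ... unchanged: auth handler lookup ...
```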