mon,msg: implement cephx_*_require_version options
authorSage Weil <sage@redhat.com>
Fri, 4 May 2018 15:22:46 +0000 (10:22 -0500)
committerSage Weil <sage@redhat.com>
Thu, 24 May 2018 21:50:40 +0000 (16:50 -0500)
Add a new set of options that are parallel to

 cephx_require_signatures
 cephx_cluster_require_signatures
 cephx_service_require_signatures

that indicate which version of cephx is required to be supported.

Signed-off-by: Sage Weil <sage@redhat.com>
(cherry picked from commit 9bcbc2a3621f9ee4558c9748ab7c73c6e1b22510)

src/common/legacy_config_opts.h
src/common/options.cc
src/mon/AuthMonitor.cc
src/msg/async/AsyncConnection.cc
src/msg/simple/Pipe.cc

index f664c96e4f9ae5f350753d97b995af6d2add58e6..ed95281ce1b1ad9dc711a79291af6f2cb404c392 100644 (file)
@@ -331,9 +331,12 @@ OPTION(auth_service_required, OPT_STR)   // required by daemons of clients
 OPTION(auth_client_required, OPT_STR)     // what clients require of daemons
 OPTION(auth_supported, OPT_STR)               // deprecated; default value for above if they are not defined.
 OPTION(max_rotating_auth_attempts, OPT_INT)
-OPTION(cephx_require_signatures, OPT_BOOL) //  If true, don't talk to Cephx partners if they don't support message signing; off by default
+OPTION(cephx_require_signatures, OPT_BOOL)
 OPTION(cephx_cluster_require_signatures, OPT_BOOL)
 OPTION(cephx_service_require_signatures, OPT_BOOL)
+OPTION(cephx_require_version, OPT_INT)
+OPTION(cephx_cluster_require_version, OPT_INT)
+OPTION(cephx_service_require_version, OPT_INT)
 OPTION(cephx_sign_messages, OPT_BOOL)  // Default to signing session messages if supported
 OPTION(auth_mon_ticket_ttl, OPT_DOUBLE)
 OPTION(auth_service_ticket_ttl, OPT_DOUBLE)
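Review bot: The three new `OPTION(..._require_version, OPT_INT)` lines carry no comment, and this hunk also removes the only explanation `cephx_require_signatures` had in this header. A short trailing comment per option would keep the header readable on its own, for example `OPTION(cephx_require_version, OPT_INT) // minimum cephx version required of any peer (1 = pre-mimic, 2 = mimic+)`. The cluster and service variants should each say which peers they cover.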
index 5a81dda59ecdc4fb9897f02122954e5490b5278e..6c0254453e191308c69845afe46ca4b5e70f402b 100644 (file)
@@ -1479,14 +1479,26 @@ std::vector<Option> get_global_options() {
     .set_default(false)
     .set_description(""),
 
+    Option("cephx_require_version", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(1)
+    .set_description("Cephx version required (1 = pre-mimic, 2 = mimic+)"),
+
     Option("cephx_cluster_require_signatures", Option::TYPE_BOOL, Option::LEVEL_ADVANCED)
     .set_default(false)
     .set_description(""),
 
+    Option("cephx_cluster_require_version", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(1)
+    .set_description("Cephx version required by the cluster from clients (1 = pre-mimic, 2 = mimic+)"),
+
     Option("cephx_service_require_signatures", Option::TYPE_BOOL, Option::LEVEL_ADVANCED)
     .set_default(false)
     .set_description(""),
 
+    Option("cephx_service_require_version", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(1)
+    .set_description("Cephx version required from ceph services (1 = pre-mimic, 2 = mimic+)"),
+
     Option("cephx_sign_messages", Option::TYPE_BOOL, Option::LEVEL_ADVANCED)
     .set_default(true)
     .set_description(""),
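Review bot: The description added for `cephx_cluster_require_version` says "required by the cluster from clients", but the AuthMonitor.cc hunk of this commit consults that option for MON/OSD/MDS/MGR entities and `cephx_service_require_version` for all other entity types, so the two descriptions read as swapped relative to how the options are enforced. Wording such as `"Cephx version required of cluster daemons (mon, osd, mds, mgr) (1 = pre-mimic, 2 = mimic+)"` for the cluster option, and a matching "all other entity types" text for the service option, would line up with the checks; it is also worth stating that `cephx_require_version` applies to both. The options accept any integer, so 0 or 3 are taken silently and behave like 1 or 2. If the Option class's range validation is available on this branch, `.set_min_max(1, 2)` on each would reject such values. The enclosing initializer list continues outside the hunk.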
index 1f13145a6d929678b9f7d44cae453586f9a8d8d7..8698e75a8341c14ab381d7c744ded4355575a664 100644 (file)
@@ -417,6 +417,29 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
          supported.erase(CEPH_AUTH_CEPHX);
        }
       }
+    } else if (!m->get_connection()->has_feature(CEPH_FEATURE_CEPHX_V2)) {
+      if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_MDS ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_MGR) {
+       if (g_conf->cephx_cluster_require_version >= 2 ||
+           g_conf->cephx_require_version >= 2) {
+         dout(1) << m->get_source_inst()
+                  << " supports cephx but not v2 and"
+                  << " 'cephx [cluster] require version >= 2';"
+                  << " disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      } else {
+       if (g_conf->cephx_service_require_version >= 2 ||
+           g_conf->cephx_require_version >= 2) {
+         dout(1) << m->get_source_inst()
+                  << " supports cephx but not v2 and"
+                  << " 'cephx [service] require version >= 2';"
+                  << " disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      }
     }
 
     int type;
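Review bot: Chaining the v2 check as `} else if (...)` onto the preceding conditional means it never runs for a connection that took the earlier branch, even when that branch left cephx in `supported`. The opening `if` is outside the hunk, so this is inferred, but if it is the existing message-signing feature check, a peer lacking both features is exempt from `cephx_require_version >= 2` whenever signatures are not also required. Closing the earlier block and testing independently, `if (!m->get_connection()->has_feature(CEPH_FEATURE_CEPHX_V2)) {`, would enforce the version requirement regardless of the signature settings. The log text quotes `'cephx [cluster] require version >= 2'`, which matches no option name; naming `cephx_require_version` and `cephx_cluster_require_version` (or the service variant) would make the message searchable. prep_auth starts and ends outside the hunk.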
index 2ab23396e7738b54be35bb7b5d8925c1bf77eba9..37c9697004b060b8345def16819d809d7c7fd35e 100644 (file)
@@ -1492,14 +1492,25 @@ ssize_t AsyncConnection::handle_connect_msg(ceph_msg_connect &connect, bufferlis
         ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for cluster" << dendl;
         policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (async_msgr->cct->_conf->cephx_require_version >= 2 ||
+         async_msgr->cct->_conf->cephx_cluster_require_version >= 2) {
+        ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+        policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+      }
     } else {
       if (async_msgr->cct->_conf->cephx_require_signatures ||
           async_msgr->cct->_conf->cephx_service_require_signatures) {
         ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for service" << dendl;
         policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (async_msgr->cct->_conf->cephx_require_version >= 2 ||
+         async_msgr->cct->_conf->cephx_service_require_version >= 2) {
+        ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for service" << dendl;
+        policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+      }
     }
   }
+
   uint64_t feat_missing = policy.features_required & ~(uint64_t)connect.features;
   if (feat_missing) {
     ldout(async_msgr->cct, 1) << __func__ << " peer missing required features "
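Review bot: The same version test is now written four times, twice here and twice in the Pipe.cc hunk, and the copies have already drifted: the service branch added to Pipe::accept() logs "requiring cephx v2 feature bit for cluster". That line should read `ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for service" << dendl;`, otherwise a rejected client looks as if the cluster policy triggered when the debug log is read. In this hunk the two branches differ only in which per-role option is OR'ed with `cephx_require_version`, so evaluating that once into a local `bool` per branch, or sharing a small helper between the two messengers, would keep them in step. handle_connect_msg starts and ends outside the hunk.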
index f2bd57bf26ce5151181c7257c8a76784007e0bea..d2d425f12cf69506692e1bef05edbf5928a1b832 100644 (file)
@@ -484,12 +484,22 @@ int Pipe::accept()
          ldout(msgr->cct,10) << "using cephx, requiring MSG_AUTH feature bit for cluster" << dendl;
          policy.features_required |= CEPH_FEATURE_MSG_AUTH;
        }
+       if (msgr->cct->_conf->cephx_require_version >= 2 ||
+           msgr->cct->_conf->cephx_cluster_require_version >= 2) {
+         ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+         policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+       }
       } else {
        if (msgr->cct->_conf->cephx_require_signatures ||
            msgr->cct->_conf->cephx_service_require_signatures) {
          ldout(msgr->cct,10) << "using cephx, requiring MSG_AUTH feature bit for service" << dendl;
          policy.features_required |= CEPH_FEATURE_MSG_AUTH;
        }
+       if (msgr->cct->_conf->cephx_require_version >= 2 ||
+           msgr->cct->_conf->cephx_service_require_version >= 2) {
+         ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+         policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+       }
       }
     }