mon,msg: implement cephx_*_require_version options
authorSage Weil <sage@redhat.com>
Fri, 25 May 2018 15:11:58 +0000 (10:11 -0500)
committerSage Weil <sage@redhat.com>
Fri, 25 May 2018 15:11:58 +0000 (10:11 -0500)
Add a new set of options that are parallel to

 cephx_require_signatures
 cephx_cluster_require_signatures
 cephx_service_require_signatures

that indicate which version of cephx is required to be supported.

Signed-off-by: Sage Weil <sage@redhat.com>
(cherry picked from commit 9bcbc2a3621f9ee4558c9748ab7c73c6e1b22510)
(cherry picked from commit 94b1ca198115c867691babdae7e7ac046689a749)

# Conflicts:
# src/common/legacy_config_opts.h
# src/common/options.cc

- config_opts.h
- no MGR
- FEATURE not FEATUREMASK

src/common/config_opts.h
src/mon/AuthMonitor.cc
src/msg/async/AsyncConnection.cc
src/msg/simple/Pipe.cc

index 8b1268a30018ef6d3e179dda801b5b57d01ce060..5f9aee5988a3ab1b11966e5b8966a6208948b74f 100644 (file)
@@ -353,6 +353,9 @@ OPTION(auth_supported, OPT_STR, "")               // deprecated; default value f
 OPTION(cephx_require_signatures, OPT_BOOL, false) //  If true, don't talk to Cephx partners if they don't support message signing; off by default
 OPTION(cephx_cluster_require_signatures, OPT_BOOL, false)
 OPTION(cephx_service_require_signatures, OPT_BOOL, false)
+OPTION(cephx_require_version, OPT_INT, 1)
+OPTION(cephx_cluster_require_version, OPT_INT, 1)
+OPTION(cephx_service_require_version, OPT_INT, 1)
 OPTION(cephx_sign_messages, OPT_BOOL, true)  // Default to signing session messages if supported
 OPTION(auth_mon_ticket_ttl, OPT_DOUBLE, 60*60*12)
 OPTION(auth_service_ticket_ttl, OPT_DOUBLE, 60*60)
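Review bot: The three new `cephx_*_require_version` options carry no comment, unlike `cephx_require_signatures` just above them, so nothing here tells an operator what the integer means. The default of 1 keeps the stricter protocol opt-in, and the consumers in this commit only test `>= 2`, so the first option could say so, e.g. `// minimum cephx version a peer must support; 1 (default) still accepts peers without CEPH_FEATURE_CEPHX_V2, 2 disallows cephx for them`. A second one-line comment could note that the cluster variant covers mon/osd/mds peers and the service variant covers all other peers, which is how the AuthMonitor.cc hunk splits them.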
index 094d93251614766cf20f5dce98c4a6778a8a4e04..d998e3afbf9e4c4edefdaf3c530810df96484908 100644 (file)
@@ -419,6 +419,28 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
          supported.erase(CEPH_AUTH_CEPHX);
        }
       }
+    } else if (!m->get_connection()->has_feature(CEPH_FEATURE_CEPHX_V2)) {
+      if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_MDS) {
+       if (g_conf->cephx_cluster_require_version >= 2 ||
+           g_conf->cephx_require_version >= 2) {
+         dout(1) << m->get_source_inst()
+                  << " supports cephx but not v2 and"
+                  << " 'cephx [cluster] require version >= 2';"
+                  << " disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      } else {
+       if (g_conf->cephx_service_require_version >= 2 ||
+           g_conf->cephx_require_version >= 2) {
+         dout(1) << m->get_source_inst()
+                  << " supports cephx but not v2 and"
+                  << " 'cephx [service] require version >= 2';"
+                  << " disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      }
     }
 
     int type;
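Review bot: The v2 check is attached as `else if` to an `if` whose condition lies above the hunk, so it is evaluated only when that earlier condition is false. If that condition is the MSG_AUTH feature test (the neighbouring signature options suggest so, but the hunk does not show it), a peer lacking both features would keep CEPH_AUTH_CEPHX in `supported` while the `*_require_signatures` options are off, even with `cephx_require_version >= 2`. Making the new test independent, `}` followed by `if (!m->get_connection()->has_feature(CEPH_FEATURE_CEPHX_V2)) {`, would enforce the version requirement regardless of the signature settings. prep_auth starts and ends outside the hunk.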
index f3b66949b0ffe4280ed9637538676a54552e516b..b67452964c1875da4594b786b6690e02ec083ef8 100644 (file)
@@ -1663,14 +1663,25 @@ ssize_t AsyncConnection::handle_connect_msg(ceph_msg_connect &connect, bufferlis
         ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for cluster" << dendl;
         policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (async_msgr->cct->_conf->cephx_require_version >= 2 ||
+         async_msgr->cct->_conf->cephx_cluster_require_version >= 2) {
+        ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+        policy.features_required |= CEPH_FEATURE_CEPHX_V2;
+      }
     } else {
       if (async_msgr->cct->_conf->cephx_require_signatures ||
           async_msgr->cct->_conf->cephx_service_require_signatures) {
         ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for service" << dendl;
         policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (async_msgr->cct->_conf->cephx_require_version >= 2 ||
+         async_msgr->cct->_conf->cephx_service_require_version >= 2) {
+        ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for service" << dendl;
+        policy.features_required |= CEPH_FEATURE_CEPHX_V2;
+      }
     }
   }
+
   uint64_t feat_missing = policy.features_required & ~(uint64_t)connect.features;
   if (feat_missing) {
     ldout(async_msgr->cct, 1) << __func__ << " peer missing required features "
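Review bot: Neither added block says what happens to a peer that lacks the bit; the consequence only shows up at the `feat_missing` test after the closing braces. A short comment on the first block would make the enforcement point explicit for anyone auditing the option, e.g. `// peers that do not advertise CEPH_FEATURE_CEPHX_V2 fail the features_required check below`. What follows the "peer missing required features" log is outside the hunk, so the comment should not claim more than that. handle_connect_msg starts and ends outside the hunk.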
index a26daadfa036ea0d6751e6109b1a0ff87e06e3fa..e65918954bbdd8569cec33cf7cbca2335fc7917f 100644 (file)
@@ -418,12 +418,22 @@ int Pipe::accept()
          ldout(msgr->cct,10) << "using cephx, requiring MSG_AUTH feature bit for cluster" << dendl;
          policy.features_required |= CEPH_FEATURE_MSG_AUTH;
        }
+       if (msgr->cct->_conf->cephx_require_version >= 2 ||
+           msgr->cct->_conf->cephx_cluster_require_version >= 2) {
+         ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+         policy.features_required |= CEPH_FEATURE_CEPHX_V2;
+       }
       } else {
        if (msgr->cct->_conf->cephx_require_signatures ||
            msgr->cct->_conf->cephx_service_require_signatures) {
          ldout(msgr->cct,10) << "using cephx, requiring MSG_AUTH feature bit for service" << dendl;
          policy.features_required |= CEPH_FEATURE_MSG_AUTH;
        }
+       if (msgr->cct->_conf->cephx_require_version >= 2 ||
+           msgr->cct->_conf->cephx_service_require_version >= 2) {
+         ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+         policy.features_required |= CEPH_FEATURE_CEPHX_V2;
+       }
       }
     }
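Review bot: The log line in the second added block, in the service (`else`) branch, says `for cluster` although its condition tests `cephx_service_require_version`; it looks copied from the cluster block. It should read `ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for service" << dendl;`, matching the MSG_AUTH message just above it and the AsyncConnection.cc counterpart. As written, debug logs misattribute which option made v2 mandatory for a peer. Pipe::accept continues outside the hunk.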