mon,msg: implement cephx_*_require_version options
authorSage Weil <sage@redhat.com>
Fri, 4 May 2018 15:22:46 +0000 (10:22 -0500)
committerSage Weil <sage@redhat.com>
Thu, 24 May 2018 19:17:42 +0000 (14:17 -0500)
Add a new set of options that are parallel to

 cephx_require_signatures
 cephx_cluster_require_signatures
 cephx_service_require_signatures

that indicate which version of cephx is required to be supported.

Signed-off-by: Sage Weil <sage@redhat.com>
src/common/legacy_config_opts.h
src/common/options.cc
src/mon/AuthMonitor.cc
src/msg/async/AsyncConnection.cc
src/msg/simple/Pipe.cc

index 5597b625484955a83ca999c37e4dc84c1b9ff7fe..e758586fe5ca2d8802a252b922eb8b7c29cb9118 100644 (file)
@@ -322,9 +322,12 @@ OPTION(auth_service_required, OPT_STR)   // required by daemons of clients
 OPTION(auth_client_required, OPT_STR)     // what clients require of daemons
 OPTION(auth_supported, OPT_STR)               // deprecated; default value for above if they are not defined.
 OPTION(max_rotating_auth_attempts, OPT_INT)
-OPTION(cephx_require_signatures, OPT_BOOL) //  If true, don't talk to Cephx partners if they don't support message signing; off by default
+OPTION(cephx_require_signatures, OPT_BOOL)
 OPTION(cephx_cluster_require_signatures, OPT_BOOL)
 OPTION(cephx_service_require_signatures, OPT_BOOL)
+OPTION(cephx_require_version, OPT_INT)
+OPTION(cephx_cluster_require_version, OPT_INT)
+OPTION(cephx_service_require_version, OPT_INT)
 OPTION(cephx_sign_messages, OPT_BOOL)  // Default to signing session messages if supported
 OPTION(auth_mon_ticket_ttl, OPT_DOUBLE)
 OPTION(auth_service_ticket_ttl, OPT_DOUBLE)
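Review bot: The explanatory comment on `cephx_require_signatures` is removed here and does not reappear in the visible part of options.cc, where the neighbouring signature options still carry `.set_description("")`. The first `.set_description("")` in the options.cc hunk presumably belongs to `cephx_require_signatures`, though its `Option(...)` line is outside that hunk. If so, I would move the old text there, e.g. `.set_description("If true, don't talk to Cephx partners if they don't support message signing")`. The three new `*_require_version` entries in this header could also get a short trailing comment, as `cephx_sign_messages` has.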
index 5768f2755909e234e26864ce4cb3df1953b0a4ee..26157f2e0930fa4a7c12860572139876b00cdd34 100644 (file)
@@ -1795,14 +1795,26 @@ std::vector<Option> get_global_options() {
     .set_default(false)
     .set_description(""),
 
+    Option("cephx_require_version", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(1)
+    .set_description("Cephx version required (1 = pre-mimic, 2 = mimic+)"),
+
     Option("cephx_cluster_require_signatures", Option::TYPE_BOOL, Option::LEVEL_ADVANCED)
     .set_default(false)
     .set_description(""),
 
+    Option("cephx_cluster_require_version", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(1)
+    .set_description("Cephx version required by the cluster from clients (1 = pre-mimic, 2 = mimic+)"),
+
     Option("cephx_service_require_signatures", Option::TYPE_BOOL, Option::LEVEL_ADVANCED)
     .set_default(false)
     .set_description(""),
 
+    Option("cephx_service_require_version", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(1)
+    .set_description("Cephx version required from ceph services (1 = pre-mimic, 2 = mimic+)"),
+
     Option("cephx_sign_messages", Option::TYPE_BOOL, Option::LEVEL_ADVANCED)
     .set_default(true)
     .set_description(""),
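Review bot: The descriptions of the cluster and service options look swapped relative to how the AuthMonitor.cc hunk uses them. There `cephx_cluster_require_version` is consulted when the peer entity is a MON/OSD/MDS/MGR, and `cephx_service_require_version` for every other entity type, yet the text here says the cluster option is required "from clients" and the service option "from ceph services". I would reword them along the lines of `"Cephx version required by the cluster from other cluster daemons (1 = pre-mimic, 2 = mimic+)"` and `"Cephx version required by ceph services from clients (1 = pre-mimic, 2 = mimic+)"`. Since the default of 1 keeps pre-v2 peers acceptable, a long description saying that operators must raise the value to 2 once all peers are upgraded would help.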
index 2d34a9b3b3135f7dde3ea7aebc87c1978e47b521..d23c87530c685d477f54073af4834ba69ce8c82c 100644 (file)
@@ -495,6 +495,29 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
          supported.erase(CEPH_AUTH_CEPHX);
        }
       }
+    } else if (!m->get_connection()->has_feature(CEPH_FEATURE_CEPHX_V2)) {
+      if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_MDS ||
+         entity_name.get_type() == CEPH_ENTITY_TYPE_MGR) {
+       if (g_conf->cephx_cluster_require_version >= 2 ||
+           g_conf->cephx_require_version >= 2) {
+         dout(1) << m->get_source_inst()
+                  << " supports cephx but not v2 and"
+                  << " 'cephx [cluster] require version >= 2';"
+                  << " disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      } else {
+       if (g_conf->cephx_service_require_version >= 2 ||
+           g_conf->cephx_require_version >= 2) {
+         dout(1) << m->get_source_inst()
+                  << " supports cephx but not v2 and"
+                  << " 'cephx [service] require version >= 2';"
+                  << " disallowing cephx" << dendl;
+         supported.erase(CEPH_AUTH_CEPHX);
+       }
+      }
     }
 
     int type;
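Review bot: Chaining the v2 check as `} else if (...)` means it is skipped whenever the preceding `if` is taken, even when that branch decides not to erase cephx. The preceding condition is outside the hunk; if it is the `CEPH_FEATURE_MSG_AUTH` test that the messenger hunks suggest, a peer advertising neither feature keeps `CEPH_AUTH_CEPHX` in `supported` when signatures are not required, although `cephx_require_version >= 2` is set. Making the check independent closes that gap: end the previous block with `}` and start `if (!m->get_connection()->has_feature(CEPH_FEATURE_CEPHX_V2)) {`. The two `dout(1)` messages quote the option as `'cephx [cluster] require version >= 2'`, so naming the real option keys would make the log line searchable. `prep_auth` starts and ends outside the hunk.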
index 66cc4003d8fbd96cb143bb0a9eba05da35fe2867..4036fba9b9adf793cbe47bf35a5b225492adea18 100644 (file)
@@ -1479,14 +1479,25 @@ ssize_t AsyncConnection::handle_connect_msg(ceph_msg_connect &connect, bufferlis
         ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for cluster" << dendl;
         policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (async_msgr->cct->_conf->cephx_require_version >= 2 ||
+         async_msgr->cct->_conf->cephx_cluster_require_version >= 2) {
+        ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+        policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+      }
     } else {
       if (async_msgr->cct->_conf->cephx_require_signatures ||
           async_msgr->cct->_conf->cephx_service_require_signatures) {
         ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for service" << dendl;
         policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (async_msgr->cct->_conf->cephx_require_version >= 2 ||
+         async_msgr->cct->_conf->cephx_service_require_version >= 2) {
+        ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for service" << dendl;
+        policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+      }
     }
   }
+
   uint64_t feat_missing = policy.features_required & ~(uint64_t)connect.features;
   if (feat_missing) {
     ldout(async_msgr->cct, 1) << __func__ << " peer missing required features "
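Review bot: The version check is copy-pasted into both branches here and again into `Pipe::accept`, and the copies have already drifted: in the Pipe.cc hunk the service branch logs `"using cephx, requiring cephx v2 feature bit for cluster"`, where it should say `"... for service"`. That mislabelled line will mislead anyone trying to work out from logs which option rejected a peer. Beyond fixing the string, a small shared helper that takes the conf and a cluster/service flag and returns the feature bits to add to `policy.features_required` would keep the two messengers in step. A one-line comment would also help on why this uses `CEPH_FEATUREMASK_CEPHX_V2` while the adjacent line ORs in `CEPH_FEATURE_MSG_AUTH`. `handle_connect_msg` starts and ends outside the hunk.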
index 32077c0e743b76b6da98d5e8fc7ef4ecffd64e07..ff35b038bd53f299e39b4ddf403bfeff88a60530 100644 (file)
@@ -485,12 +485,22 @@ int Pipe::accept()
          ldout(msgr->cct,10) << "using cephx, requiring MSG_AUTH feature bit for cluster" << dendl;
          policy.features_required |= CEPH_FEATURE_MSG_AUTH;
        }
+       if (msgr->cct->_conf->cephx_require_version >= 2 ||
+           msgr->cct->_conf->cephx_cluster_require_version >= 2) {
+         ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+         policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+       }
       } else {
        if (msgr->cct->_conf->cephx_require_signatures ||
            msgr->cct->_conf->cephx_service_require_signatures) {
          ldout(msgr->cct,10) << "using cephx, requiring MSG_AUTH feature bit for service" << dendl;
          policy.features_required |= CEPH_FEATURE_MSG_AUTH;
        }
+       if (msgr->cct->_conf->cephx_require_version >= 2 ||
+           msgr->cct->_conf->cephx_service_require_version >= 2) {
+         ldout(msgr->cct,10) << "using cephx, requiring cephx v2 feature bit for cluster" << dendl;
+         policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+       }
       }
     }