msg/Messenger: pull authenticator validation into Messenger
authorSage Weil <sage@redhat.com>
Thu, 13 Sep 2018 19:21:04 +0000 (14:21 -0500)
committerSage Weil <sage@redhat.com>
Mon, 15 Oct 2018 20:01:40 +0000 (15:01 -0500)
This code is essentially identical across the OSD and MDS.  The
monitor is annoyingly different, but in a msgr1-specific way that
we can carry here until msgr1 gets ripped out in a couple of
years.

Signed-off-by: Sage Weil <sage@redhat.com>
src/mon/Monitor.cc
src/msg/Messenger.cc
src/msg/Messenger.h

index 484659e711fd5f3d1965109b32aa83f990ad4362..84036041214fad4465617c1bee2ed93d924e363e 100644 (file)
@@ -5806,6 +5806,12 @@ KeyStore *Monitor::ms_get_auth1_authorizer_keystore()
 
 int Monitor::ms_handle_authentication(Connection *con)
 {
+  if (con->get_peer_type() == CEPH_ENTITY_TYPE_MON) {
+    // mon <-> mon connections need no Session, and setting one up
+    // creates an awkward ref cycle between Session and Connection.
+    return 1;
+  }
+
   auto priv = con->get_priv();
   MonSession *s = static_cast<MonSession*>(priv.get());
   if (!s) {
index 2d2c68ae96f3d5ec89a1a704d1970f67cff942dd..875e2bc3942e18f822a62a011f3175e88dff7508 100644 (file)
@@ -57,7 +57,20 @@ Messenger::Messenger(CephContext *cct_, entity_name_t w)
     magic(0),
     socket_priority(-1),
     cct(cct_),
-    crcflags(get_default_crc_flags(cct->_conf)) {}
+    crcflags(get_default_crc_flags(cct->_conf)),
+    auth_ah_service_registry(
+      new AuthAuthorizeHandlerRegistry(
+       cct,
+       cct->_conf->auth_supported.empty() ?
+       cct->_conf->auth_service_required :
+       cct->_conf->auth_supported)),
+    auth_ah_cluster_registry(
+      new AuthAuthorizeHandlerRegistry(
+       cct,
+       cct->_conf->auth_supported.empty() ?
+       cct->_conf->auth_cluster_required :
+       cct->_conf->auth_supported))
+{}
 
 void Messenger::set_endpoint_addr(const entity_addr_t& a,
                                   const entity_name_t &name)
@@ -106,17 +119,56 @@ int Messenger::bindv(const entity_addrvec_t& addrs)
 }
 
 bool Messenger::ms_deliver_verify_authorizer(
-  Connection *con, int peer_type,
-  int protocol, bufferlist& authorizer, bufferlist& authorizer_reply,
-  bool& isvalid, CryptoKey& session_key,
+  Connection *con,
+  int peer_type,
+  int protocol,
+  bufferlist& authorizer,
+  bufferlist& authorizer_reply,
+  bool& isvalid,
+  CryptoKey& session_key,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge)
 {
-  for (const auto& dispatcher : dispatchers) {
-    if (dispatcher->ms_verify_authorizer(con, peer_type, protocol,
-                                        authorizer,
-                                        authorizer_reply,
-                                        isvalid, session_key, challenge))
+  AuthAuthorizeHandler *ah = 0;
+  switch (peer_type) {
+  case CEPH_ENTITY_TYPE_MDS:
+  case CEPH_ENTITY_TYPE_MON:
+  case CEPH_ENTITY_TYPE_OSD:
+    ah = auth_ah_cluster_registry->get_handler(protocol);
+    break;
+  default:
+    ah = auth_ah_service_registry->get_handler(protocol);
+  }
+  if (get_mytype() == CEPH_ENTITY_TYPE_MON &&
+      peer_type != CEPH_ENTITY_TYPE_MON) {
+    // the monitor doesn't do authenticators for msgr1.
+    isvalid = true;
+    return true;
+  }
+  if (!ah) {
+    lderr(cct) << __func__ << " no AuthAuthorizeHandler found for protocol "
+              << protocol << dendl;
+    isvalid = false;
+    return false;
+  }
+
+  for (auto dis : dispatchers) {
+    KeyStore *ks = dis->ms_get_auth1_authorizer_keystore();
+    if (ks) {
+      isvalid = ah->verify_authorizer(
+       cct,
+       ks,
+       authorizer,
+       authorizer_reply,
+       con->peer_name,
+       con->peer_global_id,
+       con->peer_caps_info,
+       session_key,
+       challenge);
+      if (isvalid) {
+       dis->ms_handle_authentication(con);
+      }
       return true;
+    }
   }
   return false;
 }
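Review bot: The result of `dis->ms_handle_authentication(con)` is discarded, so if a dispatcher's post-authentication setup reports a failure (the Monitor override in this commit returns an `int`, and the hunk above shows it returning `1` for the mon-to-mon case) the authorizer is still reported as valid to the caller; if non-positive returns are meant to signal failure, I would guard it with `if (isvalid && dis->ms_handle_authentication(con) < 0) isvalid = false;` or document in a comment that the return value is intentionally ignored. `AuthAuthorizeHandler *ah = 0;` should be `AuthAuthorizeHandler *ah = nullptr;`, and the two registries in the constructor hunk of this file would be clearer as `std::make_unique<AuthAuthorizeHandlerRegistry>(cct, ...)` instead of raw `new`. It is also worth a one-line comment above the `get_mytype() == CEPH_ENTITY_TYPE_MON` branch stating that it deliberately sits before the `!ah` check, so a missing handler is not an error for the monitor.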
index 971acb477edfa6546881b42efa8030e04dced0b3..c075b7c0c76d2cc6ec7780d65bfd1f9a8b1b488e 100644 (file)
 #include <map>
 #include <deque>
 
+#include <errno.h>
+#include <sstream>
+#include <memory>
+
 #include "Message.h"
 #include "Dispatcher.h"
 #include "Policy.h"
@@ -31,6 +35,8 @@
 #include "include/ceph_features.h"
 #include "auth/Crypto.h"
 #include "common/item_history.h"
+#include "auth/AuthAuthorizeHandler.h"
+#include "include/ceph_assert.h"
 
 #include <errno.h>
 #include <sstream>
@@ -40,6 +46,8 @@
 
 class Timer;
 
+class AuthAuthorizerHandlerRegistry;
+
 class Messenger {
 private:
   std::deque<Dispatcher*> dispatchers;
@@ -80,6 +88,13 @@ public:
   int crcflags;
 
   using Policy = ceph::net::Policy<Throttle>;
+
+protected:
+  // for authentication
+  std::unique_ptr<AuthAuthorizeHandlerRegistry> auth_ah_service_registry;
+  std::unique_ptr<AuthAuthorizeHandlerRegistry> auth_ah_cluster_registry;
+
+public:
   /**
    * Messenger constructor. Call this from your implementation.
    * Messenger users should construct full implementations directly,
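Review bot: The forward declaration `class AuthAuthorizerHandlerRegistry;` names a type that nothing in the header uses — the members are `std::unique_ptr<AuthAuthorizeHandlerRegistry>`, which is a different spelling. Since `auth/AuthAuthorizeHandler.h` is now included (and a complete type is needed anyway for the implicit destructor of the `unique_ptr` members), the forward declaration can simply be dropped rather than corrected. The new `#include <errno.h>` and `#include <sstream>` duplicate the ones already present a few lines below; only `#include <memory>` is new, so the block could be reduced to that single line.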