auth: use none auth if keyring not found

If both cephx and none are accepted auth methods, and
cephx keyring cannot be found then resort to using
none, instead of failing.

Signed-off-by: Yehuda Sadeh <yehuda@inktank.com>

diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc
index dc181f92041c51fba32151e136b6cca4225e5e22..e345e150549efafd741cf5bec246c35b0fa5ddee 100644 (file)
--- a/src/auth/AuthMethodList.cc
+++ b/src/auth/AuthMethodList.cc
@@ -56,3 +56,11 @@ int AuthMethodList::pick(const std::set<__u32>& supported)
       return *p;
   return CEPH_AUTH_UNKNOWN;
 }
+
+void AuthMethodList::remove_supported_auth(int auth_type)
+{
+  for (list<__u32>::iterator p = auth_supported.begin(); p != auth_supported.end(); ++p) {
+    if (*p == (__u32)auth_type)
+      auth_supported.erase(p++);
+  }
+}

diff --git a/src/auth/AuthMethodList.h b/src/auth/AuthMethodList.h
index 82bc5b54e01080e0d7785822112ce76f8dd1ee62..7b21b325aeb50463ae05ae74d94d194616413fea 100644 (file)
--- a/src/auth/AuthMethodList.h
+++ b/src/auth/AuthMethodList.h
@@ -33,6 +33,8 @@ public:
   const std::list<__u32>& get_supported_set() const {
     return auth_supported;
   }
+
+  void remove_supported_auth(int auth_type);
 };
 
 

diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 6ffe8e8d6da9c45683a51b7c2cdbc3ac54e703ee..6a1c3567e5497eabc6d01aab3c265858830aa353 100644 (file)
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -263,35 +263,7 @@ int MonClient::init()
 
   entity_name = cct->_conf->name;
 
-  // keyring
-  keyring = new KeyRing;
-  int r = keyring->from_ceph_context(cct);
-  if (r == -ENOENT) {
-    // do we care?
-    string method;
-    if (cct->_conf->auth_supported.length() != 0) 
-      method = cct->_conf->auth_supported;
-    else if (entity_name.get_type() == CEPH_ENTITY_TYPE_MDS ||
-            entity_name.get_type() == CEPH_ENTITY_TYPE_OSD)
-      method = cct->_conf->auth_cluster_required;
-    else
-      method = cct->_conf->auth_client_required;
-    AuthMethodList supported(cct, method);
-    if (!supported.is_supported_auth(CEPH_AUTH_CEPHX)) {
-      ldout(cct, 2) << "cephx auth is not supported, ignoring absence of keyring" << dendl;
-      r = 0;
-    }
-  }
-  if (r < 0) {
-    lderr(cct) << "failed to open keyring: " << cpp_strerror(r) << dendl;
-    return r;
-  }
-  rotating_secrets = new RotatingKeyRing(cct, cct->get_module_type(), keyring);
-
   Mutex::Locker l(monc_lock);
-  timer.init();
-  finisher.start();
-  schedule_tick();
 
   string method;
     if (cct->_conf->auth_supported.length() != 0)
@@ -305,7 +277,35 @@ int MonClient::init()
   auth_supported = new AuthMethodList(cct, method);
   ldout(cct, 10) << "auth_supported " << auth_supported->get_supported_set() << " method " << method << dendl;
 
+  int r = 0;
+  keyring = new KeyRing; // initializing keyring anyway
+
+  if (auth_supported->is_supported_auth(CEPH_AUTH_CEPHX)) {
+    r = keyring->from_ceph_context(cct);
+    if (r == -ENOENT) {
+      lderr(cct) << "failed to open keyring: " << cpp_strerror(r) << dendl;
+      auth_supported->remove_supported_auth(CEPH_AUTH_CEPHX);
+      if (auth_supported->get_supported_set().size() > 0) {
+       lderr(cct) << "WARNING: keyring not found, will not use cephx for authentication" << dendl;
+       r = 0;
+      } else {
+       lderr(cct) << "ERROR: missing keyring, cannot use cephx for authentication" << dendl;
+      }
+    }
+  }
+
+  if (r < 0) {
+    return r;
+  }
+
+  rotating_secrets = new RotatingKeyRing(cct, cct->get_module_type(), keyring);
+
   initialized = true;
+
+  timer.init();
+  finisher.start();
+  schedule_tick();
+
   return 0;
 }