msg,osd: enable unauthenticated Dispatcher for pre-nautilus OSD compat
authorSage Weil <sage@redhat.com>
Wed, 19 Sep 2018 16:44:32 +0000 (11:44 -0500)
committerSage Weil <sage@redhat.com>
Mon, 15 Oct 2018 20:01:40 +0000 (15:01 -0500)
Before nautilus, osd heartbeats are sent over an unauthenticated channel.
We need support here to allow these connections when they are necessary
for upgrade compatibility.

Signed-off-by: Sage Weil <sage@redhat.com>
src/msg/Dispatcher.h
src/msg/Messenger.cc
src/msg/async/Protocol.cc
src/osd/OSD.cc

index c0b6115698466222f8033c5734e8cb2b9b89a501..9ddf95bd56c37dc47133389b26d89253b2d076c3 100644 (file)
@@ -242,8 +242,17 @@ public:
   /**
    * @} //Authentication
    */
+
+  void ms_set_require_authorizer(bool b) {
+    require_authorizer = b;
+  }
 protected:
   CephContext *cct;
+public:
+  // allow unauthenticated connections.  This is needed for
+  // compatibility with pre-nautilus OSDs, which do not authenticate
+  // the heartbeat sessions.
+  bool require_authorizer = true;
 private:
   explicit Dispatcher(const Dispatcher &rhs);
   Dispatcher& operator=(const Dispatcher &rhs);
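Review bot: The comment above `require_authorizer` describes the `false` state ("allow unauthenticated connections") although the member defaults to `true`, and the member is public even though `ms_set_require_authorizer()` is provided. I would reword the comment to `// when false, connections that present no authorizer are accepted; cleared only for compatibility with pre-nautilus OSD heartbeats` and move the member under `protected:`/`private:` with a getter if the caller allows it. The flag appears to be written from OSD map handling and read on the messenger's connection-accept path; if those run on different threads, a plain `bool` is a data race and `std::atomic<bool> require_authorizer{true};` would be safer. The class body starts and ends outside the hunk.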
index 875e2bc3942e18f822a62a011f3175e88dff7508..75b9d2082091ce53960d2289e14cc26ba0a03326 100644 (file)
@@ -128,6 +128,15 @@ bool Messenger::ms_deliver_verify_authorizer(
   CryptoKey& session_key,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge)
 {
+  if (authorizer.length() == 0) {
+    for (auto dis : dispatchers) {
+      if (!dis->require_authorizer) {
+       //ldout(cct,10) << __func__ << " tolerating missing authorizer" << dendl;
+       isvalid = true;
+       return true;
+      }
+    }
+  }
   AuthAuthorizeHandler *ah = 0;
   switch (peer_type) {
   case CEPH_ENTITY_TYPE_MDS:
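Review bot: The early return added at the top of `ms_deliver_verify_authorizer` accepts an empty authorizer for every `peer_type` as soon as any one dispatcher on the messenger has `require_authorizer` cleared, which is wider than the OSD heartbeat case the commit message describes. Narrowing the guard to `if (authorizer.length() == 0 && peer_type == CEPH_ENTITY_TYPE_OSD) {` would limit the relaxation to the peers that need it. The `ldout` on the tolerated path is commented out, so nothing records that a session was admitted without authentication; restoring it (provided the logging macros are usable in this file) gives operators something to audit during the upgrade window. The function's signature begins above the hunk and its body continues below it.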
index f3c3d4bae8eb32dd25e33c3639996ada9b6daad5..9f8509eeca6562e4c7b2c401760ea165005b11ca 100644 (file)
@@ -1686,12 +1686,16 @@ CtPtr ProtocolV1::client_ready() {
   // If we have an authorizer, get a new AuthSessionHandler to deal with
   // ongoing security of the connection.  PLR
   if (authorizer != NULL) {
+    ldout(cct, 10) << __func__ << " setting up session_security with auth "
+                  << authorizer << dendl;
     session_security.reset(get_auth_session_handler(
         cct, authorizer->protocol, authorizer->session_key,
         connection->get_features()));
   } else {
     // We have no authorizer, so we shouldn't be applying security to messages
     // in this AsyncConnection.  PLR
+    ldout(cct, 10) << __func__ << " no authorizer, clearing session_security"
+                  << dendl;
     session_security.reset();
   }
 
@@ -1903,7 +1907,10 @@ CtPtr ProtocolV1::handle_connect_message_2() {
   }
 
   connection->lock.unlock();
-
+  ldout(cct,10) << __func__ << " authorizor_protocol "
+               << connect_msg.authorizer_protocol
+               << " len " << authorizer_buf.length()
+               << dendl;
   bool authorizer_valid;
   bool need_challenge = HAVE_FEATURE(connect_msg.features, CEPHX_V2);
   bool had_challenge = (bool)authorizer_challenge;
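Review bot: The new log line in `handle_connect_message_2` spells the field `authorizor_protocol`, while the line added to `open()` later in this file uses `authorizer_protocol`. A single spelling keeps both lines greppable when tracing which sessions negotiated no auth protocol: `ldout(cct,10) << __func__ << " authorizer_protocol "`. The function begins and ends outside the hunk.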
@@ -1964,7 +1971,8 @@ CtPtr ProtocolV1::handle_connect_message_2() {
     }
 
     if (exproto->state == CLOSED) {
-      ldout(cct, 1) << __func__ << " existing already closed." << dendl;
+      ldout(cct, 1) << __func__ << " existing " << existing
+                   << " already closed." << dendl;
       existing->lock.unlock();
       existing = nullptr;
 
@@ -2312,7 +2320,9 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply,
   connection->set_features((uint64_t)reply.features &
                            (uint64_t)connect_msg.features);
   ldout(cct, 10) << __func__ << " accept features "
-                 << connection->get_features() << dendl;
+                 << connection->get_features()
+                << " authorizer_protocol "
+                << connect_msg.authorizer_protocol << dendl;
 
   session_security.reset(
       get_auth_session_handler(cct, connect_msg.authorizer_protocol,
@@ -2406,7 +2416,9 @@ CtPtr ProtocolV1::handle_seq(char *buffer, int r) {
 }
 
 CtPtr ProtocolV1::server_ready() {
-  ldout(cct, 20) << __func__ << dendl;
+  ldout(cct, 20) << __func__ << " session_security is "
+                << session_security
+                << dendl;
 
   ldout(cct, 20) << __func__ << " accept done" << dendl;
   memset(&connect_msg, 0, sizeof(connect_msg));
index 568c14663d3b2f09fe1d5aacfba2ead4dea2f553..a711a5b23bc791089a4440c62bee2fd9dc35b0fe 100644 (file)
@@ -8071,6 +8071,10 @@ void OSD::check_osdmap_features()
       ceph_assert(err == 0);
     }
   }
+
+  if (osdmap->require_osd_release < CEPH_RELEASE_NAUTILUS) {
+    heartbeat_dispatcher.ms_set_require_authorizer(false);
+  }
 }
 
 struct C_FinishSplits : public Context {
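Review bot: The block added at the end of `check_osdmap_features` only ever clears the flag, so once `require_osd_release` reaches nautilus the heartbeat dispatcher keeps accepting connections without an authorizer, presumably until the daemon restarts. Setting the flag from the comparison on every call, `heartbeat_dispatcher.ms_set_require_authorizer(osdmap->require_osd_release >= CEPH_RELEASE_NAUTILUS);`, restores the requirement as soon as the upgrade completes. A short comment there saying that the relaxation is temporary and tied to the release gate would also help the next reader. The start of the function is outside the hunk.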