common/options: add ms_mon_client_mode
authorSage Weil <sage@redhat.com>
Mon, 18 Feb 2019 19:02:16 +0000 (13:02 -0600)
committerSage Weil <sage@redhat.com>
Wed, 20 Feb 2019 18:41:55 +0000 (12:41 -0600)
The server now has a list of *allowed* modes (no ordering) and the clients
have a list of modes in order of preference.  Since we want everything
connecting to the mon to be secure by default (think: ceph auth set ...),
we need a separate option to ensure we prefer secure mon connections from
the CLI etc.

Signed-off-by: Sage Weil <sage@redhat.com>
src/auth/AuthRegistry.cc
src/auth/AuthRegistry.h
src/common/options.cc

index f7483d56211d2fbc866d15378f813e9630690fbe..f89868cbfa5b341316845b10be6fc05c42693fb0 100644 (file)
@@ -103,6 +103,8 @@ void AuthRegistry::_refresh_config()
                   &mon_cluster_modes);
   _parse_mode_list(cct->_conf.get_val<string>("ms_mon_service_mode"),
                   &mon_service_modes);
+  _parse_mode_list(cct->_conf.get_val<string>("ms_mon_client_mode"),
+                  &mon_client_modes);
   _parse_mode_list(cct->_conf.get_val<string>("ms_cluster_mode"),
                   &cluster_modes);
   _parse_mode_list(cct->_conf.get_val<string>("ms_service_mode"),
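Review bot: `ms_mon_client_mode` is now read in `_refresh_config()`, but the diff shows no matching change to the list of config keys this observer tracks. AuthRegistry is an `md_config_obs_t`, so if `get_tracked_conf_keys()` (outside this hunk) enumerates the other `ms_*_mode` options, `"ms_mon_client_mode"` needs to be added there too. Otherwise a runtime change to the option would presumably leave `mon_client_modes` stale until some other tracked key triggers a refresh, and an operator who tightens the setting to `secure` would believe it had taken effect. The body of `_refresh_config()` starts and ends outside the hunk.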
@@ -115,8 +117,9 @@ void AuthRegistry::_refresh_config()
                << " client_methods " << client_methods
                << dendl;
   ldout(cct,10) << __func__ << " mon_cluster_modes " << mon_cluster_modes
-               << " mon_service_mdoes " << mon_service_modes
-               << " cluster_modes " << cluster_modes
+               << " mon_service_modes " << mon_service_modes
+               << " mon_client_modes " << mon_client_modes
+               << "; cluster_modes " << cluster_modes
                << " service_modes " << service_modes
                << " client_modes " << client_modes
                << dendl;
@@ -163,7 +166,13 @@ void AuthRegistry::get_supported_methods(
       *methods = client_methods;
     }
     if (modes) {
-      *modes = client_modes;
+      switch (peer_type) {
+      case CEPH_ENTITY_TYPE_MON:
+       *modes = mon_client_modes;
+       break;
+      default:
+       *modes = client_modes;
+      }
     }
     return;
   case CEPH_ENTITY_TYPE_MON:
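Review bot: Only the branch that assigns `client_methods` is switched to `mon_client_modes` for a mon peer, while the commit message says everything connecting to the mon should get the mon-specific preference. The remaining branches of `get_supported_methods()` are outside this hunk, so it is worth confirming that daemons connecting to a mon do not still fall back to their general mode list. A short comment above the inner switch would record the intent, e.g. `// connections to the mon carry auth/key traffic, so they use their own preference list`. The `default:` arm should also end with `break;` so a later case cannot be appended below it by accident.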
index ae2cad4fcc3a3928a46abe499af4c12fb4110a6c..72335e1b156f6aa4928725d6ca7dad6777956f44 100644 (file)
@@ -28,6 +28,7 @@ class AuthRegistry : public md_config_obs_t {
   // CEPH_CON_MODE_*
   std::vector<uint32_t> mon_cluster_modes;
   std::vector<uint32_t> mon_service_modes;
+  std::vector<uint32_t> mon_client_modes;
   std::vector<uint32_t> cluster_modes;
   std::vector<uint32_t> service_modes;
   std::vector<uint32_t> client_modes;
index 8fa0414be98749317d412f25e1948a87bd24503a..07345d8f146966ca9285ab073783f858a923a8be 100644 (file)
@@ -844,6 +844,7 @@ std::vector<Option> get_global_options() {
     .set_default("crc secure")
     .set_description("Connection modes (crc, secure) for intra-mon connections in order of preference")
     .add_see_also("ms_mon_service_mode")
+    .add_see_also("ms_mon_client_mode")
     .add_see_also("ms_service_mode")
     .add_see_also("ms_cluster_mode")
     .add_see_also("ms_client_mode"),
@@ -853,6 +854,16 @@ std::vector<Option> get_global_options() {
     .set_description("Allowed connection modes (crc, secure) for connections to mons")
     .add_see_also("ms_service_mode")
     .add_see_also("ms_mon_cluster_mode")
+    .add_see_also("ms_mon_client_mode")
+    .add_see_also("ms_cluster_mode")
+    .add_see_also("ms_client_mode"),
+
+    Option("ms_mon_client_mode", Option::TYPE_STR, Option::LEVEL_BASIC)
+    .set_default("crc secure")
+    .set_description("Connection modes (crc, secure) for connections from clients to monitors in order of preference")
+    .add_see_also("ms_mon_service_mode")
+    .add_see_also("ms_mon_cluster_mode")
+    .add_see_also("ms_service_mode")
     .add_see_also("ms_cluster_mode")
     .add_see_also("ms_client_mode"),
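Review bot: The new option's description says the list is "in order of preference", yet the default is `"crc secure"`, which puts `crc` first. If the client takes the first mutually acceptable entry, the default still prefers the unencrypted mode for mon connections, which is the opposite of what the commit message sets out to achieve. Unless a later change flips it, the default should read `.set_default("secure crc")`. A `set_long_description` stating that the first mode also allowed by the mon's `ms_mon_service_mode` wins would make the ordering semantics explicit for operators.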