mon: use key_server for looking up mon key

Note: the key_server is already configured to fallback (via
KeyServerData::extra_secrets) to the Monitor::keyring which is sourced from the
mon's keyring file.

Using the Monitor::key_server allows us to maintain the mon's secret in the
auth database alongside all other secrets. This makes rotating the mons' keys
the same as all other entities in Ceph. Before this, to rotate the mons' key
you would need to turn off all montitors and then rotate the key files
manually. This is obviously disruptive since it's not a rolling upgrade.

If the key is sourced from the Monitor::key_server, then the key can be rotated
and all mons are aware of the new key. The mons can then proceed to restart as
needed in a non-disruptive fashion.

A followup commit will cleanup the monitor to try either its local keyring key
or the key in the key_server (if present) when authenticating with other mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index f126f24c32eb4fd2f885e7f275e91a52ed39dac1..3fe46f4a1d05e27a5ebfec463dc860c0c3b6ed97 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -6467,9 +6467,10 @@ int Monitor::handle_auth_request(
       return -EOPNOTSUPP;
     }
     bool was_challenge = (bool)auth_meta->authorizer_challenge;
+    dout(20) << __func__ << ": verify authorizer was_challenge=" << was_challenge << dendl;
     bool isvalid = ah->verify_authorizer(
       cct,
-      keyring,
+      key_server,
       payload,
       auth_meta->get_connection_secret_length(),
       reply,
@@ -6539,6 +6540,11 @@ int Monitor::handle_auth_request(
       dout(1) << __func__ << " failed to decode, " << e.what() << dendl;
       return -EACCES;
     }
+    dout(15) << __func__ << ": decoded"
+            << " mode=" << mode
+            << " entity_name=" << entity_name
+            << " con->peer_global_id=" << con->peer_global_id
+            << dendl;
 
     // supported method?
     if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
@@ -6579,6 +6585,8 @@ int Monitor::handle_auth_request(
     s->auth_handler = auth_handler.release();
     con->set_priv(RefCountedPtr{s, false});
 
+    dout(20) << __func__ << ": starting session: " << *s << dendl;
+
     r = s->auth_handler->start_session(
       entity_name,
       con->peer_global_id,