mon/Monitor: require authorizer from peer monitors

Mon to mon links use authorizers.  It's only non-mons connecting to mons
that use MAuth messages.

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index c03328e56cc333e4e4218e6e48230a02d4470b3e..55231f60bf6e30534cf57ad10ac39b071d1c068b 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -6188,9 +6188,11 @@ int Monitor::handle_auth_request(
           << " payload " << payload.length()
           << dendl;
   if (!payload.length()) {
-    if (!con->is_msgr2()) {
-      // for v1 connections, we tolerate no authorizer, because authentication
-      // happens via MAuth messages.
+    if (!con->is_msgr2() &&
+       con->get_peer_type() != CEPH_ENTITY_TYPE_MON) {
+      // for v1 connections, we tolerate no authorizer (from
+      // non-monitors), because authentication happens via MAuth
+      // messages.
       return 1;
     }
     return -EACCES;