mds: check cap string only if !allow_all

This corrects a regression introduced by #16891 which fixes
http://tracker.ceph.com/issues/20990. Not using cephx would
cause all clients to fail auth with:

    2017-08-17 12:21:05.191958 7f5b788d4700  0 -- 127.0.0.1:0/65887226 >> 127.0.0.1:6805/3339248996 conn(0x1004be8a0 :-1 s=STATE_CONNECTING_WAIT_CONNECT_REPLY_AUTH pgs=0 cs=0 l=0).handle_connect_reply connect got BADAUTHORIZER

Fixes: http://tracker.ceph.com/issues/21027
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
(cherry picked from commit ce1995fc63829f854f2da16c68bee09c03efa180)

diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc
index 19be284834b122cdf8e26e0333bc94019fc0ab91..1e4558121a586c9691deb53dc4322ade15836021 100644 (file)
--- a/src/mds/MDSDaemon.cc
+++ b/src/mds/MDSDaemon.cc
@@ -1343,28 +1343,28 @@ bool MDSDaemon::ms_verify_authorizer(Connection *con, int peer_type,
     if (caps_info.allow_all) {
       // Flag for auth providers that don't provide cap strings
       s->auth_caps.set_allow_all();
-    }
-
-    bufferlist::iterator p = caps_info.caps.begin();
-    string auth_cap_str;
-    try {
-      ::decode(auth_cap_str, p);
-
-      dout(10) << __func__ << ": parsing auth_cap_str='" << auth_cap_str << "'" << dendl;
-      std::ostringstream errstr;
-      if (!s->auth_caps.parse(g_ceph_context, auth_cap_str, &errstr)) {
-        dout(1) << __func__ << ": auth cap parse error: " << errstr.str()
-               << " parsing '" << auth_cap_str << "'" << dendl;
-       clog->warn() << name << " mds cap '" << auth_cap_str
-                    << "' does not parse: " << errstr.str();
+    } else {
+      bufferlist::iterator p = caps_info.caps.begin();
+      string auth_cap_str;
+      try {
+        ::decode(auth_cap_str, p);
+
+        dout(10) << __func__ << ": parsing auth_cap_str='" << auth_cap_str << "'" << dendl;
+        std::ostringstream errstr;
+        if (!s->auth_caps.parse(g_ceph_context, auth_cap_str, &errstr)) {
+          dout(1) << __func__ << ": auth cap parse error: " << errstr.str()
+                 << " parsing '" << auth_cap_str << "'" << dendl;
+         clog->warn() << name << " mds cap '" << auth_cap_str
+                      << "' does not parse: " << errstr.str();
+          is_valid = false;
+        }
+      } catch (buffer::error& e) {
+        // Assume legacy auth, defaults to:
+        //  * permit all filesystem ops
+        //  * permit no `tell` ops
+        dout(1) << __func__ << ": cannot decode auth caps bl of length " << caps_info.caps.length() << dendl;
         is_valid = false;
       }
-    } catch (buffer::error& e) {
-      // Assume legacy auth, defaults to:
-      //  * permit all filesystem ops
-      //  * permit no `tell` ops
-      dout(1) << __func__ << ": cannot decode auth caps bl of length " << caps_info.caps.length() << dendl;
-      is_valid = false;
     }
   }