From: Patrick Donnelly Date: Tue, 13 May 2025 16:28:39 +0000 (-0400) Subject: mon/AuthMonitor: shutdown session connection on auth failure X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0208c4c73fef0354d69dc71c329d94cf2829f555;p=ceph-ci.git mon/AuthMonitor: shutdown session connection on auth failure Currently the mons will allow the session to persist even though an auth failure has occurred, probably while trying to obtain new tickets. A sequence to easily trigger this: ceph auth rotate osd.0 ceph auth wipe-rotating-service-keys The osd.0 will continue interacting with the mons until restart or a network interruption occurs. Signed-off-by: Patrick Donnelly
---
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 2efa73fea17..c10a46ef2b6 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -837,6 +837,11 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
 reply:
 reply = new MAuthReply(proto, &response_bl, ret, s->con->peer_global_id);
 mon.send_reply(op, reply);
+ if (ret < 0) {
+ /* auth has failed (key change?), close the session */
+ dout(1) << "stopping due to failed auth (" << cpp_strerror(ret) << "): " << *s << dendl;
+ s->con->shutdown();
+ }
 if (finished) {
 // always send the latest monmap.
 if (m->monmap_epoch < mon.monmap->get_epoch())
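Review bot: `s->con->shutdown()` runs immediately after `mon.send_reply(op, reply)`, so whether the peer ever receives the MAuthReply carrying `ret` depends on the messenger flushing queued messages before the close, which this hunk does not show; if it does not, the client sees a dropped connection with no error code to act on. The new branch also fires for every negative `ret` that reaches the `reply:` label, not only the rotated-key case the comment names, so the comment would be more accurate as `/* any auth failure reaching reply: (e.g. rotated or wiped keys) ends the session; the error reply above is best-effort */`. The `if (finished)` block that follows still executes after the shutdown, and it is worth confirming it cannot try to send the monmap on the connection that was just closed. prep_auth starts and ends outside this hunk, so the set of paths that jump to `reply:` with `ret < 0` should be checked against the full function.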