From: Ilya Dryomov Date: Sat, 17 Oct 2020 09:12:16 +0000 (+0200) Subject: crimson/mon: actually skip CEPHX_V2 authorizer challenges when needed X-Git-Tag: v16.1.0~575^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=16cf4cc062adcb4094ae4c9beca485791e290667;p=ceph.git crimson/mon: actually skip CEPHX_V2 authorizer challenges when needed When commit 321548010578 ("mon/MonClient: skip CEPHX_V2 challenge if client doesn't support it") was being ported to crimson, it got adjusted incorrectly (but rather fortunately). While the original always skips authorizer challenges, the port almost never skips them. This is because it looks at the features of the monitor that crimson-osd is connected to instead of the features of the peer that is trying to authenticate. As a result, msgr1 peer would get the challenge even if it legitimately doesn't support CEPHX_V2 and fault on an unknown protocol tag. To fix, port commit 4a82c72e3bdd ("mon/MonClient: bring back CEPHX_V2 authorizer challenges"). Signed-off-by: Ilya Dryomov
---
diff --git a/src/crimson/mon/MonClient.cc b/src/crimson/mon/MonClient.cc
index 0376a67f8ea5..9be91ce84972 100644
--- a/src/crimson/mon/MonClient.cc
+++ b/src/crimson/mon/MonClient.cc
@@ -627,14 +627,8 @@ int Client::handle_auth_request(crimson::net::ConnectionRef con,
 return -EOPNOTSUPP;
 }
 auto authorizer_challenge = &auth_meta->authorizer_challenge;
- if (!active_con) {
- logger().error("connection to monitors is down, abort connection for now");
- return -EBUSY;
- }
- if (!HAVE_FEATURE(active_con->get_conn()->get_features(), CEPHX_V2)) {
- if (local_conf().get_val("cephx_service_require_version") >= 2) {
- return -EACCES;
- }
+ if (auth_meta->skip_authorizer_challenge) {
+ logger().info("skipping challenge on {}", con);
 authorizer_challenge = nullptr;
 }
 bool was_challenge = (bool)auth_meta->authorizer_challenge;
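Review bot: The new `if (auth_meta->skip_authorizer_challenge)` branch in handle_auth_request drops the only local enforcement of `cephx_service_require_version` (the removed `-EACCES` return) and trusts a flag that, per the ProtocolV1.cc hunk of this same commit, is derived from the peer's own advertised feature bits; the only thing that keeps a peer lacking CEPHX_V2 from bypassing the challenge is therefore whatever rejects such a peer before the flag is set, which nothing in this hunk shows. A comment above the new `if` would make that dependency explicit for the next reader, e.g. `// skip_authorizer_challenge is set by the transport from the peer's features; a peer without CEPHX_V2 while cephx_service_require_version >= 2 is expected to have been rejected before reaching this point`. The added `logger().info("skipping challenge on {}", con)` fires for every legacy peer connection and reads as debug-level noise; `logger().debug` seems more appropriate. handle_auth_request starts before and continues after this hunk.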
diff --git a/src/crimson/net/ProtocolV1.cc b/src/crimson/net/ProtocolV1.cc
index e0aa85694872..8a290c8f7447 100644
--- a/src/crimson/net/ProtocolV1.cc
+++ b/src/crimson/net/ProtocolV1.cc
@@ -590,6 +590,10 @@ seastar::future ProtocolV1::repeat_handle_connect()
 bufferlist authorizer_reply;
 auth_meta->auth_method = h.connect.authorizer_protocol;
+ if (!HAVE_FEATURE((uint64_t)h.connect.features, CEPHX_V2)) {
+ // peer doesn't support it and we won't get here if we require it
+ auth_meta->skip_authorizer_challenge = true;
+ }
 auto more = static_cast(auth_meta->authorizer_challenge);
 ceph_assert(messenger.get_auth_server());
 int r = messenger.get_auth_server()->handle_auth_request(
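Review bot: The added block only ever sets `auth_meta->skip_authorizer_challenge` to true and never clears it, so if the same auth_meta survives across repeated connect attempts on one connection (the function name repeat_handle_connect suggests it may) a stale true would keep suppressing the challenge even after a later connect message advertises CEPHX_V2. An unconditional assignment avoids that and also removes the C-style cast: `auth_meta->skip_authorizer_challenge = !HAVE_FEATURE(static_cast<uint64_t>(h.connect.features), CEPHX_V2);` with the existing comment kept above it. That comment, `// peer doesn't support it and we won't get here if we require it`, should say where the cephx_service_require_version rejection actually happens, since nothing in this hunk performs it and the MonClient.cc hunk of this commit removes its own copy of that check. repeat_handle_connect starts before and continues after this hunk.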