From: Sage Weil Date: Mon, 23 Sep 2019 18:20:29 +0000 (-0500) Subject: mon/MonClient: skip CEPHX_V2 challenge if client doesn't support it X-Git-Tag: v14.2.5~101^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=19fa1a63dd01ecf0d3af3790a31ba441b6a9d448;p=ceph.git mon/MonClient: skip CEPHX_V2 challenge if client doesn't support it If the client doesn't support the CEPHX_V2 challenge, and we don't require it, skip it. This allows the client to authenticate without getting an error like cephx: verify_reply couldn't decrypt with error: error decoding block for decryption Note that we don't have this problem in the monitor exchange in Monitor::handle_auth_request() because that verify_authorizer() caller is only used for msgrv2, and all such clients support CEPHX_V2. Instead, those client authenticate via the MAuth messages, a path that does not use authorizers at all. Fixes: https://tracker.ceph.com/issues/40716 Signed-off-by: Sage Weil (cherry picked from commit 321548010578d6ff7bbf2e5ce8a550008b131423)
---
diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 37e4c347f5b..c7e64d7dc9c 100644
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -1403,6 +1403,18 @@ int MonClient::handle_auth_request(
 << auth_method << dendl;
 return -EOPNOTSUPP;
 }
+
+ auto ac = &auth_meta->authorizer_challenge;
+ if (!HAVE_FEATURE(con->get_features(), CEPHX_V2)) {
+ if (cct->_conf->cephx_service_require_version >= 2) {
+ ldout(cct,10) << __func__ << " client missing CEPHX_V2 ("
+ << "cephx_service_requre_version = "
+ << cct->_conf->cephx_service_require_version << ")" << dendl;
+ return -EACCES;
+ }
+ ac = nullptr;
+ }
+
 bool was_challenge = (bool)auth_meta->authorizer_challenge;
 bool isvalid = ah->verify_authorizer(
 cct,
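Review bot: When the peer does not advertise CEPHX_V2 and `cephx_service_require_version` is below 2, `ac = nullptr` turns the authorizer challenge off without logging anything, so an operator cannot tell afterwards which connections authenticated unchallenged. The feature bits come from the peer via `con->get_features()`, so the challenge is effectively optional for any peer until the requirement is raised to 2. A short comment above the block should say so, and a line such as `ldout(cct,10) << __func__ << " peer lacks CEPHX_V2, skipping authorizer challenge" << dendl;` should go before `ac = nullptr;`. The rejection message also spells the option `cephx_service_requre_version`, so a log search for the real option name will miss it. The body of `handle_auth_request` starts and ends outside this hunk, and the pointer is consumed in the next hunk where `ac` is passed to `verify_authorizer`.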
@@ -1415,7 +1427,7 @@ int MonClient::handle_auth_request(
 &con->peer_caps_info,
 &auth_meta->session_key,
 &auth_meta->connection_secret,
- &auth_meta->authorizer_challenge);
+ ac);
 if (isvalid) {
 handle_authentication_dispatcher->ms_handle_authentication(con);
 return 1;