From: Sage Weil Date: Fri, 11 Jan 2019 21:59:58 +0000 (-0600) Subject: msg/async: consolidate authorizer checks X-Git-Tag: v14.1.0~183^2~66 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=43548f743d606f8e0c2c0cd9a9d8c579090e51b6;p=ceph.git msg/async: consolidate authorizer checks No need to special-case auth methods at this layer. Signed-off-by: Sage Weil --- diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc index 6bdbff59642..6d781312d54 100644 --- a/src/msg/async/ProtocolV2.cc +++ b/src/msg/async/ProtocolV2.cc @@ -1536,7 +1536,7 @@ CtPtr ProtocolV2::handle_auth_more(char *payload, uint32_t length) { } } else if (state == ACCEPTING) { if (auth_method == CEPH_AUTH_CEPHX) { - return handle_cephx_auth(auth_more.auth_payload()); + return _handle_authorizer(auth_more.auth_payload()); } else { ceph_abort("Auth method %d not implemented", auth_method); } @@ -2467,72 +2467,6 @@ CtPtr ProtocolV2::post_server_banner_exchange() { return CONTINUE(read_frame); } -CtPtr ProtocolV2::handle_cephx_auth(bufferlist &auth_payload) { - ldout(cct, 20) << __func__ << dendl; - - ceph_assert(auth_method == CEPH_AUTH_CEPHX); - - ldout(cct, 15) << __func__ - << " authorizer payload len=" << auth_payload.length() - << dendl; - - bool authorizer_valid; - bufferlist authorizer_reply; - bool had_challenge = (bool)authorizer_challenge; - - connection->lock.unlock(); - if (!messenger->ms_deliver_verify_authorizer( - connection, connection->peer_type, auth_method, auth_payload, - authorizer_reply, authorizer_valid, session_key, - &connection_secret, - &authorizer_challenge) || - !authorizer_valid) { - connection->lock.lock(); - - if (!had_challenge && authorizer_challenge) { - ldout(cct, 10) << __func__ << " challenging authorizer" << dendl; - ceph_assert(authorizer_reply.length()); - AuthMoreFrame more(authorizer_reply.length(), authorizer_reply); - return WRITE(more.get_buffer(), "auth more", read_frame); - } else { - ldout(cct, 0) << __func__ << " got bad authorizer, auth_reply_len=" - << authorizer_reply.length() << dendl; - session_security.reset(); - AuthBadAuthFrame bad_auth(EPERM, "Bad Authorizer"); - return WRITE(bad_auth.get_buffer(), "bad auth", read_frame); - } - } - - connection->lock.lock(); - - if (state != ACCEPTING) { - ldout(cct, 1) << __func__ - << " state changed while accept, it must be mark_down" - << dendl; - ceph_assert(state == CLOSED); - return _fault(); - } - - session_security.reset( - get_auth_session_handler(cct, auth_method, session_key, - connection_secret, - CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2)); - - if (cct->_conf.get_val("ms_msgr2_sign_messages")) { - auth_flags |= static_cast(AuthFlag::SIGNED); - } - if (cct->_conf.get_val("ms_msgr2_encrypt_messages")) { - auth_flags |= static_cast(AuthFlag::ENCRYPTED); - } - - ldout(cct, 1) << __func__ << " authentication done," - << " flags=" << std::hex << auth_flags << std::dec << dendl; - - AuthDoneFrame auth_done(auth_flags, authorizer_reply.length(), - authorizer_reply); - return WRITE(auth_done.get_buffer(), "auth done", read_frame); -} - CtPtr ProtocolV2::handle_auth_request(char *payload, uint32_t length) { ldout(cct, 20) << __func__ << " payload_len=" << length << dendl; @@ -2557,27 +2491,29 @@ CtPtr ProtocolV2::handle_auth_request(char *payload, uint32_t length) { } ldout(cct, 10) << __func__ << " auth method=" << auth_request.method() - << " accepted" << dendl; + << " accepted, authorizer payload len=" + << auth_request.auth_payload().length() << dendl; auth_method = auth_request.method(); - if (auth_method == CEPH_AUTH_NONE) { - ldout(cct, 1) << __func__ << " proceeding without authentication" << dendl; + return _handle_authorizer(auth_request.auth_payload()); +} - // even with CEPH_AUTH_NONE we still need to call verify_authorizer to - // make sure that peer caps are set correctly, and code up in the stack - // runs ms_handle_authentication. - connection->lock.unlock(); - bufferlist authorizer_reply; - bool authorizer_valid; - messenger->ms_deliver_verify_authorizer( - connection, connection->peer_type, auth_method, - auth_request.auth_payload(), authorizer_reply, authorizer_valid, - session_key, - nullptr /* connection_secret */, - nullptr); - connection->lock.lock(); +CtPtr ProtocolV2::_handle_authorizer(bufferlist& auth_payload) +{ + bool authorizer_valid; + bufferlist authorizer_reply; + bool had_challenge = (bool)authorizer_challenge; + connection->lock.unlock(); + if (!messenger->ms_deliver_verify_authorizer( + connection, connection->peer_type, auth_method, + auth_payload, + authorizer_reply, authorizer_valid, session_key, + &connection_secret, + &authorizer_challenge) || + !authorizer_valid) { + connection->lock.lock(); if (state != ACCEPTING) { ldout(cct, 1) << __func__ << " state changed while accept, it must be mark_down" @@ -2586,28 +2522,46 @@ CtPtr ProtocolV2::handle_auth_request(char *payload, uint32_t length) { return _fault(); } - if (!authorizer_valid) { + if (!had_challenge && authorizer_challenge) { + ldout(cct, 10) << __func__ << " challenging authorizer" << dendl; + ceph_assert(authorizer_reply.length()); + AuthMoreFrame more(authorizer_reply.length(), authorizer_reply); + return WRITE(more.get_buffer(), "auth more", read_frame); + } else { ldout(cct, 0) << __func__ << " got bad authorizer, auth_reply_len=" << authorizer_reply.length() << dendl; session_security.reset(); AuthBadAuthFrame bad_auth(EPERM, "Bad Authorizer"); return WRITE(bad_auth.get_buffer(), "bad auth", read_frame); } + } - session_security.reset(); - bufferlist empty_bl; - AuthDoneFrame auth_done(0, 0, empty_bl); - return WRITE(auth_done.get_buffer(), "auth done", read_frame); + connection->lock.lock(); + if (state != ACCEPTING) { + ldout(cct, 1) << __func__ + << " state changed while accept, it must be mark_down" + << dendl; + ceph_assert(state == CLOSED); + return _fault(); } + session_security.reset( + get_auth_session_handler(cct, auth_method, session_key, + connection_secret, + CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2)); + if (auth_method == CEPH_AUTH_CEPHX) { - return handle_cephx_auth(auth_request.auth_payload()); +#warning fix msgr2 sign/encrypt options + if (cct->_conf.get_val("ms_msgr2_sign_messages")) { + auth_flags |= static_cast(AuthFlag::SIGNED); + } + if (cct->_conf.get_val("ms_msgr2_encrypt_messages")) { + auth_flags |= static_cast(AuthFlag::ENCRYPTED); + } } - - lderr(cct) << __func__ << " auth method " << auth_method << " not implemented" - << dendl; - ceph_abort(); - return nullptr; + AuthDoneFrame auth_done(auth_flags, authorizer_reply.length(), + authorizer_reply); + return WRITE(auth_done.get_buffer(), "auth done", read_frame); } CtPtr ProtocolV2::handle_client_ident(char *payload, uint32_t length) { diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h index c849bd50654..f2b5d766cb2 100644 --- a/src/msg/async/ProtocolV2.h +++ b/src/msg/async/ProtocolV2.h @@ -253,8 +253,8 @@ private: Ct *start_server_banner_exchange(); Ct *post_server_banner_exchange(); - Ct *handle_cephx_auth(bufferlist &auth_payload); Ct *handle_auth_request(char *payload, uint32_t length); + Ct *_handle_authorizer(bufferlist& auth_payload); Ct *handle_client_ident(char *payload, uint32_t length); Ct *handle_ident_missing_features_write(int r); Ct *handle_reconnect(char *payload, uint32_t length);