From: Sage Weil
Date: Fri, 28 Dec 2012 00:18:19 +0000 (-0800)
Subject: mon: enforce 'cephx require signatures' during negotiation
X-Git-Tag: v0.57~177^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=91a573a4eb80e04bc4f5c24d4b2b56ada97404b6;p=ceph.git
mon: enforce 'cephx require signatures' during negotiation
If we are negotiating which auth protocol to use, and the client does not support the MSG_AUTH feature, and the server has 'cephx require signatures' set to true, then remove cephx from the list of allowed protocols. Also print something in the mon log so that we know wtf is going on.
Signed-off-by: Sage Weil
---
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 84585912be54..1afc215fa785 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -336,14 +336,34 @@ bool AuthMonitor::prep_auth(MAuth *m, bool paxos_writable)
 goto reply;
 }
- int type;
+ // do we require cephx signatures?
+
+ if (!m->get_connection()->has_feature(CEPH_FEATURE_MSG_AUTH)) {
+ if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
+ entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
+ entity_name.get_type() == CEPH_ENTITY_TYPE_MDS) {
+ if (g_conf->cephx_cluster_require_signatures ||
+ g_conf->cephx_require_signatures) {
+ dout(1) << m->get_source_inst() << " supports cephx but not signatures and 'cephx [cluster] require signatures = true'; disallowing cephx" << dendl;
+ supported.erase(CEPH_AUTH_CEPHX);
+ }
+ } else {
+ if (g_conf->cephx_service_require_signatures ||
+ g_conf->cephx_require_signatures) {
+ dout(1) << m->get_source_inst() << " supports cephx but not signatures and 'cephx [service] require signatures = true'; disallowing cephx" << dendl;
+ supported.erase(CEPH_AUTH_CEPHX);
+ }
+ }
+ }
+ int type;
 if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
 entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
 entity_name.get_type() == CEPH_ENTITY_TYPE_MDS)
 type = mon->auth_cluster_required.pick(supported);
 else
 type = mon->auth_service_required.pick(supported);
+
 s->auth_handler = get_auth_service_handler(type, g_ceph_context, &mon->key_server);
 if (!s->auth_handler) {
 dout(1) << "client did not provide supported auth type" << dendl;
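Review bot: The new block logs "supports cephx but not signatures" and calls `supported.erase(CEPH_AUTH_CEPHX)` without first checking that the peer actually offered cephx, so a peer negotiating only a non-cephx method over a connection lacking CEPH_FEATURE_MSG_AUTH still produces a misleading level-1 log line on every attempt; guarding the whole block with `supported.count(CEPH_AUTH_CEPHX)` (if `supported` is the std::set that the `erase` call suggests) keeps the log truthful and makes the erase meaningful. The two branches differ only in which config flag is consulted and in the `[cluster]`/`[service]` word of the message, so deriving a single `require_sigs` bool from the entity type and emitting one log line removes the duplication. Note also that the choice between the cluster and service knobs is driven by `entity_name.get_type()`, which at this point in prep_auth appears to be the peer's own claim rather than anything cephx has yet verified, so the split should be read as policy by claimed role; whether that distinction matters depends on code outside this hunk. prep_auth's body begins and ends outside the hunk, and the fail-closed path when `supported` becomes empty (the existing "client did not provide supported auth type" branch) is unchanged.
```cpp
  // do we require cephx signatures?  Only relevant if the peer offered cephx at all.
  if (!m->get_connection()->has_feature(CEPH_FEATURE_MSG_AUTH) &&
      supported.count(CEPH_AUTH_CEPHX)) {
    bool is_cluster = (entity_name.get_type() == CEPH_ENTITY_TYPE_MON ||
                       entity_name.get_type() == CEPH_ENTITY_TYPE_OSD ||
                       entity_name.get_type() == CEPH_ENTITY_TYPE_MDS);
    bool require_sigs = g_conf->cephx_require_signatures ||
      (is_cluster ? g_conf->cephx_cluster_require_signatures
                  : g_conf->cephx_service_require_signatures);
    if (require_sigs) {
      dout(1) << m->get_source_inst() << " supports cephx but not signatures and 'cephx ["
              << (is_cluster ? "cluster" : "service")
              << "] require signatures = true'; disallowing cephx" << dendl;
      supported.erase(CEPH_AUTH_CEPHX);
    }
  }
  // … unchanged: int type; cluster/service pick(supported); auth_handler setup …
```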