From: Ilya Dryomov Date: Mon, 29 Mar 2021 09:49:20 +0000 (+0200) Subject: doc/releases/pacific.rst: add CEPHX_V2 release note X-Git-Tag: v17.1.0~2418^2~4 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a5c13a54d02c4abe3560c73a61ce7e071ef82ae8;p=ceph.git doc/releases/pacific.rst: add CEPHX_V2 release note Landed in pacific in commit a6651bad8f1f ("auth: require CEPHX_V2 by default"). Signed-off-by: Ilya Dryomov --- diff --git a/doc/releases/pacific.rst b/doc/releases/pacific.rst index ea5e7a00042..729d5237c32 100644 --- a/doc/releases/pacific.rst +++ b/doc/releases/pacific.rst @@ -481,6 +481,15 @@ Notable Changes the balancer was included in the ``always_on_modules`` list, but needed to be turned on explicitly using the ``ceph balancer on`` command. +* Version 2 of the cephx authentication protocol (``CEPHX_V2`` feature bit) is + now required by default. It was introduced in 2018, adding replay attack + protection for authorizers and making msgr v1 message signatures stronger + (CVE-2018-1128 and CVE-2018-1129). Support is present in Jewel 10.2.11, + Luminous 12.2.6, Mimic 13.2.1, Nautilus 14.2.0 and later; upstream kernels + 4.9.150, 4.14.86, 4.19 and later; various distribution kernels, in particular + CentOS 7.6 and later. To enable older clients, set ``cephx_require_version`` + and ``cephx_service_require_version`` config options to 1. + * `blacklist` has been replaced with `blocklist` throughout. The following commands have changed: - ``ceph osd blacklist ...`` are now ``ceph osd blocklist ...``
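Review bot: The last sentence of the added bullet ("To enable older clients, set ``cephx_require_version`` and ``cephx_service_require_version`` config options to 1.") gives the opt-out without stating its cost. The same bullet says version 2 added replay attack protection for authorizers and stronger msgr v1 message signatures (CVE-2018-1128 and CVE-2018-1129), so I suggest adding that setting these options to 1 re-allows the older protocol and gives up those protections, and that the setting should be reverted once clients reach one of the listed versions. It would also help to state the new default value of the two options, so operators can tell from their existing configuration whether they already override it.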