From: Sage Weil Date: Wed, 19 Sep 2018 16:44:32 +0000 (-0500) Subject: msg,osd: enable unauthenticated Dispatcher for pre-nautilus OSD compat X-Git-Tag: v14.0.1~26^2~1 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=b8d1c80370443975ca291caeac037ab179dd3791;p=ceph-ci.git msg,osd: enable unauthenticated Dispatcher for pre-nautilus OSD compat Before nautilus, osd heartbeats are sent over an unauthenticated channel. We need support here to allow these connections when they are necessary for upgrade compatibility. Signed-off-by: Sage Weil --- diff --git a/src/msg/Dispatcher.h b/src/msg/Dispatcher.h index c0b61156984..9ddf95bd56c 100644 --- a/src/msg/Dispatcher.h +++ b/src/msg/Dispatcher.h @@ -242,8 +242,17 @@ public: /** * @} //Authentication */ + + void ms_set_require_authorizer(bool b) { + require_authorizer = b; + } protected: CephContext *cct; +public: + // allow unauthenticated connections. This is needed for + // compatibility with pre-nautilus OSDs, which do not authenticate + // the heartbeat sessions. + bool require_authorizer = true; private: explicit Dispatcher(const Dispatcher &rhs); Dispatcher& operator=(const Dispatcher &rhs); diff --git a/src/msg/Messenger.cc b/src/msg/Messenger.cc index 875e2bc3942..75b9d208209 100644 --- a/src/msg/Messenger.cc +++ b/src/msg/Messenger.cc @@ -128,6 +128,15 @@ bool Messenger::ms_deliver_verify_authorizer( CryptoKey& session_key, std::unique_ptr *challenge) { + if (authorizer.length() == 0) { + for (auto dis : dispatchers) { + if (!dis->require_authorizer) { + //ldout(cct,10) << __func__ << " tolerating missing authorizer" << dendl; + isvalid = true; + return true; + } + } + } AuthAuthorizeHandler *ah = 0; switch (peer_type) { case CEPH_ENTITY_TYPE_MDS: diff --git a/src/msg/async/Protocol.cc b/src/msg/async/Protocol.cc index f3c3d4bae8e..9f8509eeca6 100644 --- a/src/msg/async/Protocol.cc +++ b/src/msg/async/Protocol.cc 
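Review bot: In the Dispatcher.h hunk, `require_authorizer` is added as a public data member next to its own setter `ms_set_require_authorizer()`, so any code can switch off the authentication requirement without going through the setter, and Messenger.cc reads the raw field. I would keep the flag non-public and add a getter such as `bool ms_get_require_authorizer() const { return require_authorizer; }`. The comment says "allow unauthenticated connections" above a field whose default `true` means the opposite; something like `// when false, a peer that presents no authorizer is accepted (pre-nautilus OSD heartbeat compat only)` states the polarity. The flag is a plain `bool`; if the setter and the verify path run on different threads (not visible in this hunk), `std::atomic<bool>` would be the safer type.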
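Review bot: In the Messenger.cc hunk, the empty-authorizer shortcut at the top of `ms_deliver_verify_authorizer` is not scoped to the case the commit message describes. It runs before `switch (peer_type)` and returns `isvalid = true` for any peer type as soon as any one dispatcher on the messenger has `require_authorizer` cleared. If only pre-nautilus OSD heartbeat peers need this, the guard could be narrowed to `if (authorizer.length() == 0 && peer_type == CEPH_ENTITY_TYPE_OSD) {`. The `ldout` on the accept path is commented out, so a connection admitted without authentication leaves no log trace; enabling that line would let operators see when the compat path is taken. `session_key` is not touched on this early return, so it is worth confirming that callers do not use it when no authorizer was presented; the rest of the function is outside the hunk.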
@@ -1686,12 +1686,16 @@ CtPtr ProtocolV1::client_ready() { // If we have an authorizer, get a new AuthSessionHandler to deal with // ongoing security of the connection. PLR if (authorizer != NULL) { + ldout(cct, 10) << __func__ << " setting up session_security with auth " + << authorizer << dendl; session_security.reset(get_auth_session_handler( cct, authorizer->protocol, authorizer->session_key, connection->get_features())); } else { // We have no authorizer, so we shouldn't be applying security to messages // in this AsyncConnection. PLR + ldout(cct, 10) << __func__ << " no authorizer, clearing session_security" + << dendl; session_security.reset(); } @@ -1903,7 +1907,10 @@ CtPtr ProtocolV1::handle_connect_message_2() { } connection->lock.unlock(); - + ldout(cct,10) << __func__ << " authorizor_protocol " + << connect_msg.authorizer_protocol + << " len " << authorizer_buf.length() + << dendl; bool authorizer_valid; bool need_challenge = HAVE_FEATURE(connect_msg.features, CEPHX_V2); bool had_challenge = (bool)authorizer_challenge; @@ -1964,7 +1971,8 @@ CtPtr ProtocolV1::handle_connect_message_2() { } if (exproto->state == CLOSED) { - ldout(cct, 1) << __func__ << " existing already closed." << dendl; + ldout(cct, 1) << __func__ << " existing " << existing + << " already closed." << dendl; existing->lock.unlock(); existing = nullptr; @@ -2312,7 +2320,9 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply, connection->set_features((uint64_t)reply.features & (uint64_t)connect_msg.features); ldout(cct, 10) << __func__ << " accept features " - << connection->get_features() << dendl; + << connection->get_features() + << " authorizer_protocol " + << connect_msg.authorizer_protocol << dendl; session_security.reset( get_auth_session_handler(cct, connect_msg.authorizer_protocol, 
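Review bot: The new log line in the `handle_connect_message_2` hunk (`@@ -1903,7 +1907,10 @@`) spells the key `" authorizor_protocol "`, while the line added to `open()` in the `@@ -2312,7 +2320,9 @@` hunk uses `" authorizer_protocol "`. A grep for one spelling will miss the other when tracing an authentication negotiation across both sides; use `" authorizer_protocol "` in both. The same line is written `ldout(cct,10)` without the space used by the neighbouring `ldout(cct, 10)` calls.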
@@ -2406,7 +2416,9 @@ CtPtr ProtocolV1::handle_seq(char *buffer, int r) { } CtPtr ProtocolV1::server_ready() { - ldout(cct, 20) << __func__ << dendl; + ldout(cct, 20) << __func__ << " session_security is " + << session_security + << dendl; ldout(cct, 20) << __func__ << " accept done" << dendl; memset(&connect_msg, 0, sizeof(connect_msg)); diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc index 568c14663d3..a711a5b23bc 100644 --- a/src/osd/OSD.cc +++ b/src/osd/OSD.cc @@ -8071,6 +8071,10 @@ void OSD::check_osdmap_features() ceph_assert(err == 0); } } + + if (osdmap->require_osd_release < CEPH_RELEASE_NAUTILUS) { + heartbeat_dispatcher.ms_set_require_authorizer(false); + } } struct C_FinishSplits : public Context {
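Review bot: In the OSD.cc hunk, the block added at the end of `check_osdmap_features()` only ever clears the requirement. Once `require_osd_release` reaches nautilus nothing visible here sets it back, so the heartbeat dispatcher would keep accepting peers without an authorizer until the OSD restarts. Setting the flag in both directions closes the compat window as soon as the cluster finishes upgrading: `heartbeat_dispatcher.ms_set_require_authorizer(osdmap->require_osd_release >= CEPH_RELEASE_NAUTILUS);`. The function starts outside the hunk, so if the flag is restored elsewhere this is only a request for a comment saying where.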