From: Ilya Dryomov Date: Fri, 16 Oct 2020 09:35:27 +0000 (+0200) Subject: msg/async/ProtocolV1: resurrect "implement cephx_*require_version options" X-Git-Tag: v15.2.6~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=bafdfec8f974f1a3f7d404bcfd0a4cfad784937d;p=ceph.git msg/async/ProtocolV1: resurrect "implement cephx_*require_version options" This was added in commit 9bcbc2a3621f ("mon,msg: implement cephx_*_require_version options") and inadvertently dropped in commit e6f043f7d2dc ("msgr/async: huge refactoring of protocol V1"). As a result, service daemons don't enforce cephx_require_version and cephx_cluster_require_version options and connections without CEPH_FEATURE_CEPHX_V2 are allowed through. (cephx_service_require_version enforcement was brought back a year later in commit 321548010578 ("mon/MonClient: skip CEPHX_V2 challenge if client doesn't support it"), although the peer gets TAG_BADAUTHORIZER instead of TAG_FEATURES.) Resurrect the original behaviour: all cephx_*require_version options are enforced and the peer gets TAG_FEATURES, signifying that it is missing a required feature. Signed-off-by: Ilya Dryomov (cherry picked from commit 6f5c4152ca2c6423e665cde2196c6301f76043a2) --- diff --git a/src/msg/async/ProtocolV1.cc b/src/msg/async/ProtocolV1.cc index 414167cec96c..9d6d5c59fb58 100644 --- a/src/msg/async/ProtocolV1.cc +++ b/src/msg/async/ProtocolV1.cc @@ -2006,6 +2006,14 @@ CtPtr ProtocolV1::handle_connect_message_2() { << dendl; connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH; } + if (cct->_conf->cephx_require_version >= 2 || + cct->_conf->cephx_cluster_require_version >= 2) { + ldout(cct, 10) + << __func__ + << " using cephx, requiring cephx v2 feature bit for cluster" + << dendl; + connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2; + } } else { if (cct->_conf->cephx_require_signatures || cct->_conf->cephx_service_require_signatures) { 
@@ -2015,6 +2023,14 @@ CtPtr ProtocolV1::handle_connect_message_2() { << dendl; connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH; } + if (cct->_conf->cephx_require_version >= 2 || + cct->_conf->cephx_service_require_version >= 2) { + ldout(cct, 10) + << __func__ + << " using cephx, requiring cephx v2 feature bit for service" + << dendl; + connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2; + } } }
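Review bot: In the first hunk (@@ -2006, the cluster branch), the added line ORs in CEPH_FEATUREMASK_CEPHX_V2, while the context line just above it uses CEPH_FEATURE_MSG_AUTH and the commit message speaks of CEPH_FEATURE_CEPHX_V2. If the FEATUREMASK form is intended, a one-line comment saying why would keep a later reader from changing it to match its neighbour; if it is not, the two should be aligned. The ldout text could also say which option triggered the requirement, since the condition is true for either cephx_require_version or cephx_cluster_require_version and the level-10 message does not distinguish them.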
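Review bot: The check restored in the second hunk (@@ -2015, the else/service branch) comes with no test, and the diff touches only src/msg/async/ProtocolV1.cc, even though the commit message says the original enforcement was dropped inadvertently during a refactoring. A regression test that sets cephx_service_require_version (and, for the first hunk, cephx_cluster_require_version) to 2 and asserts that a peer lacking the CephX v2 feature bit is answered with TAG_FEATURES would catch a repeat. The block is also a copy of the one in the cluster branch, differing only in the option name and the last word of the log message; a small helper taking the per-role option value and a label would leave one place to maintain.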