From: Patrick Donnelly
Date: Tue, 24 Jun 2025 03:27:31 +0000 (-0400)
Subject: mon: provide emergency mechanism to rescue allowed_ciphers
X-Git-Tag: testing/wip-pdonnell-testing-20260210.212535~41
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d04188f8c95a03006742e2147977dd69dc823bf2;p=ceph-ci.git

mon: provide emergency mechanism to rescue allowed_ciphers

If the administrator accidentally revokes auth to client.admin, they cannot fix it because the setting is stored in the monmap. Provide a config to restore access in such an emergency.

Signed-off-by: Patrick Donnelly
---
diff --git a/src/common/options/mon.yaml.in b/src/common/options/mon.yaml.in
index 0ca496848db..41d41224b54 100644
--- a/src/common/options/mon.yaml.in
+++ b/src/common/options/mon.yaml.in
@@ -833,6 +833,15 @@ options:
 - mon
 flags:
 - runtime
+- name: mon_auth_emergency_allowed_ciphers
+ type: str
+ level: advanced
+ desc: set allowed ciphers to override mon map configuration
+ services:
+ - mon
+ flags:
+ - startup
+ - no_mon_update
 - name: mon_auth_validate_all_caps
 type: bool
 level: advanced
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 60ee673bd2d..20c0e0205e9 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -510,6 +510,10 @@ bool AuthMonitor::check_health()
 next.add("AUTH_INSECURE_KEYS_CREATABLE", HEALTH_WARN, "Monitors are configured to allow creation of insecure key types", 1);
 }
+ if (auto c = cct->_conf.get_val("mon_auth_emergency_allowed_ciphers"); !c.empty()) {
+ next.add("AUTH_EMERGENCY_CIPHERS_SET", HEALTH_WARN, "Monitors are configured to use emergency allowed ciphers", 1);
+ }
+
 {
 auto service_key_type = mon.monmap->auth_service_cipher;
 if (!secure_key_types.contains(service_key_type)) {
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index bd3f48cde66..3232f4097b1 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
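Review bot: The `desc` of `mon_auth_emergency_allowed_ciphers` does not say what value the option takes or that it is meant to be temporary, which matters for a setting that replaces the monmap's cipher policy on this monitor. A `long_desc` should state that the value is a list of cipher names separated by commas or spaces (the `", "` delimiter set passed to get_str_vec in Monitor::init), and that it is read at monitor startup and cannot be set through the monitors (`startup`, `no_mon_update`). It should also say that AUTH_EMERGENCY_CIPHERS_SET is raised while the option is set and that the option should be removed once access to client.admin is restored.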
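Review bot: The new check in check_health() reads only this daemon's own `cct->_conf`, while the option is declared `startup` and `no_mon_update`, so it is set per monitor rather than cluster-wide. If health checks are generated on the leader only (not visible in this hunk), a peon started with the override would not raise AUTH_EMERGENCY_CIPHERS_SET and the warning would under-report where the monmap policy is being bypassed. The check also fires on any non-empty string, including one whose entries were all rejected in Monitor::init. A comment stating the scope would help, e.g. `// reflects only this monitor's local setting; other mons may differ`. check_health's body continues outside the hunk.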
@@ -957,6 +957,23 @@ int Monitor::init()
 dout(2) << "init" << dendl;
 std::lock_guard l(lock);
+ auto emergency_ciphers = cct->_conf.get_val("mon_auth_emergency_allowed_ciphers");
+ if (!emergency_ciphers.empty()) {
+ std::vector v;
+ std::vector ciphers;
+ get_str_vec(emergency_ciphers, ", ", v);
+ for (auto& cipher : v) {
+ int c = CryptoManager::get_key_type(cipher);
+ if (c < 0) {
+ lderr(cct) << "init: invalid cipher: " << cipher << dendl;
+ continue;
+ }
+ ciphers.push_back(c);
+ }
+ std::lock_guard lock{cipher_mutex};
+ my_allowed_ciphers = std::move(ciphers);
+ }
+
 finisher.start();
 // start ticker
@@ -6822,8 +6839,16 @@ void Monitor::notify_new_monmap(bool can_change_external_state, bool remove_rank
 std::lock_guard lock{cipher_mutex};
 my_service_cipher = monmap->auth_service_cipher;
 dout(20) << __func__ << ": my_service_cipher now " << my_service_cipher << dendl;
- my_allowed_ciphers = monmap->auth_allowed_ciphers;
- dout(20) << __func__ << ": auth_allowed_ciphers now " << my_allowed_ciphers << dendl;
+ auto emergency_ciphers = cct->_conf.get_val("mon_auth_emergency_allowed_ciphers");
+ if (emergency_ciphers.empty()) {
+ my_allowed_ciphers = monmap->auth_allowed_ciphers;
+ dout(20) << __func__ << ": auth_allowed_ciphers now " << my_allowed_ciphers << dendl;
+ } else {
+ dout(20) << __func__
+ << ": mon_auth_emergency_allowed_ciphers (" << my_allowed_ciphers
+ << ") overrides MonMap::auth_allowed_ciphers (" << monmap->auth_allowed_ciphers << ")"
+ << dendl;
+ }
 }
 }
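Review bot: An unrecognised name in the emergency list is logged and skipped (`continue;` after the `lderr`), so a typo leaves the monitor running with a shorter list than the operator wrote, or an empty one if nothing parses, and notify_new_monmap (the next hunk) still treats the raw non-empty string as an override and never restores `monmap->auth_allowed_ciphers`. What an empty `my_allowed_ciphers` means to the auth path is not visible here, but neither allow-all nor allow-none is a safe outcome of a typo in a recovery setting. Failing startup is easier to reason about: replace `continue;` with `return -EINVAL;`, assuming the caller treats a non-zero return from init() as fatal. It would also help to record the effective list once at a level that is always logged, e.g. `dout(0) << "init: emergency allowed ciphers in effect: " << my_allowed_ciphers << dendl;` after the assignment. Monitor::init's body starts and ends outside the hunk.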
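Review bot: The override branch reports at `dout(20)` that the monmap's cipher list is being ignored, which typically will not reach the log at default debug levels; for a setting that bypasses the cluster's auth policy, a low level such as `dout(1)` would leave responders a record each time a new monmap is overridden. The message also prints `my_allowed_ciphers` on the assumption that Monitor::init has already filled it; if notify_new_monmap can run before init() (not visible here), the value logged and enforced until then is whatever the member was initialised to. A short comment on the else branch, e.g. `// my_allowed_ciphers was set from the emergency option in init(); leave it untouched`, would make that dependency explicit. The function body starts outside the hunk.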