From: Patrick Donnelly
Date: Thu, 29 May 2025 14:07:52 +0000 (-0400)
Subject: mon: use key_server for looking up mon key
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=dabf3d41e1292cd3dc6fb78f8d6baeafbe6b9e85;p=ceph-ci.git

mon: use key_server for looking up mon key

Note: the key_server is already configured to fall back (via KeyServerData::extra_secrets) to the Monitor::keyring, which is sourced from the mon's keyring file.

Using the Monitor::key_server allows us to maintain the mon's secret in the auth database alongside all other secrets. This makes rotating the mons' keys the same as all other entities in Ceph. Before this, to rotate the mons' key you would need to turn off all monitors and then rotate the key files manually. This is obviously disruptive since it's not a rolling upgrade. If the key is sourced from the Monitor::key_server, then the key can be rotated and all mons are aware of the new key. The mons can then proceed to restart as needed in a non-disruptive fashion.

A followup commit will clean up the monitor to try either its local keyring key or the key in the key_server (if present) when authenticating with other mons.

Signed-off-by: Patrick Donnelly
---
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index f126f24c32e..3fe46f4a1d0 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -6467,9 +6467,10 @@ int Monitor::handle_auth_request( return -EOPNOTSUPP; } bool was_challenge = (bool)auth_meta->authorizer_challenge; + dout(20) << __func__ << ": verify authorizer was_challenge=" << was_challenge << dendl; bool isvalid = ah->verify_authorizer( cct, - keyring, + key_server, payload, auth_meta->get_connection_secret_length(), reply, 
@@ -6539,6 +6540,11 @@ int Monitor::handle_auth_request( dout(1) << __func__ << " failed to decode, " << e.what() << dendl; return -EACCES; } + dout(15) << __func__ << ": decoded" + << " mode=" << mode + << " entity_name=" << entity_name + << " con->peer_global_id=" << con->peer_global_id + << dendl; // supported method? if (entity_name.get_type() == CEPH_ENTITY_TYPE_MON || @@ -6579,6 +6585,8 @@ int Monitor::handle_auth_request( s->auth_handler = auth_handler.release(); con->set_priv(RefCountedPtr{s, false}); + dout(20) << __func__ << ": starting session: " << *s << dendl; + r = s->auth_handler->start_session( entity_name, con->peer_global_id,
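Review bot: the `keyring` to `key_server` swap in the first hunk (`ah->verify_authorizer(cct, key_server, ...)`) relies on KeyServerData::extra_secrets being seeded from Monitor::keyring, as the commit message says, but nothing at the call site records that dependency, and until the followup commit lands this is the only path by which a mon whose key exists solely in its keyring file is still accepted by its peers. Add a short comment above the call, for example `// key_server falls back to Monitor::keyring via extra_secrets for the local mon key`, so a later change to how extra_secrets is populated cannot silently break mon-to-mon authentication during a key rotation.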
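Review bot: the new `dout(15)` in the second hunk uses a different debug level from the two `dout(20)` lines added to the same function, so an operator raising `debug mon` to 15 on a failing auth sees the decoded `mode`/`entity_name`/`peer_global_id` but not the verify-authorizer or starting-session lines that bracket it. Either use one level for all three so one setting captures the whole sequence, or add a comment noting that the decode line is deliberately cheaper to enable because it fires before the `// supported method?` entity-type check and therefore also records rejected entity types.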
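Review bot: the third hunk logs `": starting session: " << *s` before `s->auth_handler->start_session(...)` is called, but nothing in the hunk logs the returned `r`, so a failing `start_session()` leaves a dangling "starting session" line with no matching outcome to correlate against the `peer_global_id` printed earlier. Log `r` together with `entity_name` at the same level immediately after the call (or move this line to after the call), which makes an authentication failure during key rotation diagnosable from the mon log alone.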