From: Ilya Dryomov <idryomov@gmail.com>
Date: Wed, 14 Apr 2021 17:58:49 +0000 (+0200)
Subject: Merge branch 'CVE-2021-20288' into master
X-Git-Tag: v17.1.0~2258
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f3a4166379b12d4a7bba667fe761e5b660552db1;p=ceph.git

Merge branch 'CVE-2021-20288' into master

* CVE-2021-20288:
  qa/standalone: default to disable insecure global id reclaim
  qa/suites/upgrade/octopus-x: disable insecure global_id reclaim health warnings
  qa/tasks/ceph[adm].conf[.template]: disable insecure global_id reclaim health alerts
  cephadm: set auth_allow_insecure_global_id_reclaim for mon on bootstrap
  mon/HealthMonitor: raise AUTH_INSECURE_GLOBAL_ID_RENEWAL[_ALLOWED]
  auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys
  auth/cephx: rotate auth tickets less often
  mon: fail fast when unauthorized global_id (re)use is disallowed
  auth/cephx: option to disallow unauthorized global_id (re)use
  auth/cephx: make cephx_decode_ticket() take a const ticket_blob
  auth/AuthServiceHandler: keep track of global_id and whether it is new
  auth/AuthServiceHandler: build_cephx_response_header() is cephx-specific
  auth/AuthServiceHandler: drop unused start_session() args
  mon/MonClient: drop global_id arg from _add_conn() and _add_conns()
  mon/MonClient: reset auth state in shutdown()
  mon/MonClient: preserve auth state on reconnects
  mon/MonClient: claim active_con's auth explicitly
  mon/MonClient: resurrect "waiting for monmap|config" timeouts

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
---

f3a4166379b12d4a7bba667fe761e5b660552db1