From 2c3a1aa32f98acd1d261feb896c41d628dcf6bbd Mon Sep 17 00:00:00 2001
From: Matan Breizman
Date: Thu, 12 Jun 2025 09:23:37 +0000
Subject: [PATCH] crimson/mon/MonClient: call _wipe_secrets_and_tickets when needed
Signed-off-by: Matan Breizman
Signed-off-by: Patrick Donnelly
---
 src/crimson/mon/MonClient.cc | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/crimson/mon/MonClient.cc b/src/crimson/mon/MonClient.cc
index 08d2a7fa1ab..2ab04b0d862 100644
--- a/src/crimson/mon/MonClient.cc
+++ b/src/crimson/mon/MonClient.cc
@@ -812,6 +812,8 @@ int Client::handle_auth_bad_method(crimson::net::Connection &conn,
 seastar::future<> Client::handle_monmap(crimson::net::Connection &conn,
 Ref m)
 {
+ const auto old_auth_epoch = monmap.auth_epoch;
+
 monmap.decode(m->monmapbl);
 const auto peer_addr = conn.get_peer_addr();
 auto cur_mon = monmap.get_name(peer_addr);
@@ -827,6 +829,12 @@ seastar::future<> Client::handle_monmap(crimson::net::Connection &conn,
 }
 }
 
+ if (old_auth_epoch < monmap.auth_epoch) {
+ logger().warn("mon.{} auth epoch has changed: "
+ "invalidating tickets and rotating secrets", cur_mon);
+ co_await _wipe_secrets_and_tickets();
+ }
+
 // TODO: we can probably renew tickets only if the session was reopened
 if (active_con) {
 logger().info("handle_monmap: renewing tickets");
-- 
2.47.3
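Review bot: Nothing in the first hunk records that `old_auth_epoch` has to be read before `monmap.decode(m->monmapbl)` runs. If a later refactor moves the declaration below the decode, the `old_auth_epoch < monmap.auth_epoch` test in the second hunk becomes always false and the invalidation is silently disabled. A comment on the declaration would pin the ordering, e.g. `// snapshot before decode() replaces monmap; compared after decode to detect an auth epoch bump`. The body of `handle_monmap` continues past the end of this hunk.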
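Review bot: The epoch check added ahead of the ticket-renewal block is one-shot, because `monmap` has already been overwritten by `decode()` at the top of `handle_monmap`. If `_wipe_secrets_and_tickets()` fails, or a path between the two hunks (not visible here) leaves the function first, the next monmap compares equal and the pre-rotation tickets and rotating secrets are never invalidated. The definition of `_wipe_secrets_and_tickets()` is outside this patch, so confirm it cannot resolve to a failed future, or handle that case explicitly. The warning would also serve better as an audit record of the rotation if it carried both values, e.g. `logger().warn("mon.{} auth epoch changed {} -> {}: invalidating tickets and rotating secrets", cur_mon, old_auth_epoch, monmap.auth_epoch);`. The function body continues past the end of this hunk.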