From 5110fade2c238d86e9e004ef1f7361f4a99c3e05 Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Tue, 25 Mar 2025 22:02:26 -0400
Subject: [PATCH] auth,mon: add _exit config when auth fails
This is largely for testing: we want a client to exit immediately if auth failures occur. Presently, those clients will try to reconnect forever.
Signed-off-by: Patrick Donnelly
---
 src/common/options/global.yaml.in | 7 +++++++
 src/mon/MonClient.cc | 30 ++++++++++++++++++++++--------
 2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index aa031a6a2ff..e5ea60e7923 100644
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
@@ -2153,6 +2153,13 @@ options: each other. Valid settings are ``cephx`` or ``none``. default: cephx with_legacy: true +- name: auth_exit_on_failure + type: int + level: dev + desc: call _exit with given error code when auth fails when non-negative + default: -1 + flags: + - runtime # required by daemons of clients - name: auth_service_required type: str
diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 3c1b7c333e6..bb33c496188 100644
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -59,6 +59,18 @@ #include "auth/RotatingKeyRing.h" #define dout_subsys ceph_subsys_monc
+
+/* Used by both MonClient and MonConnection. */
+static int handle_auth_failure(CephContext* cct)
+{
+ int ecode = cct->_conf.get_val("auth_exit_on_failure");
+ if (ecode >= 0) {
+ lderr(cct) << __func__ << " exiting with " << ecode << " due to auth failure" << dendl;
+ _exit(ecode);
+ }
+ return -EACCES;
+}
+
#undef dout_prefix #define dout_prefix *_dout << "monclient" << (_hunting() ? "(hunting)":"") << ": "
@@ -738,6 +750,8 @@ void MonClient::_finish_auth(int auth_err) << " auth returned EAGAIN, reopening the session to try again" << dendl; _reopen_session();
+ } else {
+ [[maybe_unused]] int rc = handle_auth_failure(cct);
} auth_cond.notify_all(); }
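Review bot: The `desc:` line of the new `auth_exit_on_failure` option is hard to parse ("when auth fails when non-negative") and does not say this is a test-only switch, which the commit message makes clear; suggest `desc: when non-negative, call _exit() with this value as the process exit code on any auth failure (testing only)`. The trailing comment on the `- runtime` line reads `required by daemons of clients`, presumably meant as `daemons or clients`. Because the option is `level: dev` and runtime-settable, this description is the only place an operator would learn that enabling it makes the process terminate instead of retrying, so it is worth getting precise.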
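Review bot: `_exit(ecode)` on the line after the `lderr` call terminates the process without running atexit handlers or flushing buffered output, so the "exiting with ... due to auth failure" message may never reach the log; flushing the context's log before `_exit` would keep the exit reason recoverable post-mortem. `_exit` is declared in `<unistd.h>`, and whether MonClient.cc already includes it is not visible in the hunk. As rendered, `cct->_conf.get_val("auth_exit_on_failure")` carries no template argument, so the option's integer type was presumably lost in rendering and is narrowed into `int ecode`; `_exit` only preserves the low 8 bits, so documenting the valid range (0–255) or clamping would avoid a confusing exit status. A header comment such as `/* Returns -EACCES, or terminates the process when auth_exit_on_failure >= 0 (test aid). */` would also warn callers that this call may not return.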
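Review bot: The added `[[maybe_unused]] int rc = handle_auth_failure(cct);` binds a result that is never read; the function is not `[[nodiscard]]`, so a plain `handle_auth_failure(cct);` (or `(void)handle_auth_failure(cct);` to show the value is dropped deliberately) reads more clearly. `_finish_auth` starts before the hunk, so the condition whose `else` this is cannot be seen; if `auth_err == 0` can reach this branch, the process would `_exit` after a successful authentication whenever the option is set, so it is worth confirming the branch only covers non-zero, non-EAGAIN results.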
@@ -1652,7 +1666,7 @@ int MonClient::handle_auth_bad_method( << " result " << cpp_strerror(result) << " and auth is " << (auth ? auth->get_protocol() : 0) << dendl;
- return -EACCES;
+ return handle_auth_failure(cct);
} }
@@ -1672,12 +1686,12 @@ int MonClient::handle_auth_request( return 1; } }
- return -EACCES;
+ return handle_auth_failure(cct);
} auth_meta->auth_mode = payload[0]; if (auth_meta->auth_mode < AUTH_MODE_AUTHORIZER || auth_meta->auth_mode > AUTH_MODE_AUTHORIZER_MAX) {
- return -EACCES;
+ return handle_auth_failure(cct);
} AuthAuthorizeHandler *ah = get_auth_authorize_handler(con->get_peer_type(), auth_method);
@@ -1710,7 +1724,7 @@ int MonClient::handle_auth_request( if (handle_authentication_dispatcher->ms_handle_fast_authentication(con)) { return 1; }
- return -EACCES;
+ return handle_auth_failure(cct);
} if (!more && !was_challenge && auth_meta->authorizer_challenge) { ldout(cct,10) << __func__ << " added challenge on " << con << dendl;
@@ -1719,7 +1733,7 @@ int MonClient::handle_auth_request( ldout(cct,10) << __func__ << " bad authorizer on " << con << dendl; // discard old challenge auth_meta->authorizer_challenge.reset();
- return -EACCES;
+ return handle_auth_failure(cct);
} AuthAuthorizer* MonClient::build_authorizer(int service_id) const {
@@ -1804,7 +1818,7 @@ int MonConnection::get_auth_request( std::vector as; auth_registry->get_supported_methods(con->get_peer_type(), &as); if (as.empty()) {
- return -EACCES;
+ return handle_auth_failure(cct);
} auth_method = as.front(); }
@@ -1814,7 +1828,7 @@ int MonConnection::get_auth_request( ldout(cct,10) << __func__ << " method " << *method << " preferred_modes " << *preferred_modes << dendl; if (preferred_modes->empty()) {
- return -EACCES;
+ return handle_auth_failure(cct);
} int r = _init_auth(*method, entity_name, want_keys, keyring, true);
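Review bot: The rejection paths in `MonClient::handle_auth_request` (this hunk and the @@ -1710 and @@ -1719 hunks) now call `handle_auth_failure(cct)`, which `_exit`s whenever `auth_exit_on_failure` is non-negative. Unlike `handle_auth_bad_method` and `_finish_auth`, this function appears to process the incoming side of a connection — it rejects a missing payload, an out-of-range `auth_mode` read from `payload[0]` and a "bad authorizer" from the peer — so with the option set, any peer whose request reaches this entity malformed or unauthenticated terminates the process instead of merely being refused. The commit message frames the option as making a client exit; if that is the intent, keep these inbound returns as `return -EACCES;` or gate them so only the outbound-auth paths exit, and state the scope in the option's description. The bodies of `handle_auth_request` begin and end outside these hunks.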
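Review bot: In `MonConnection::get_auth_request` (this hunk and the @@ -1814 hunk) the `as.empty()` and `preferred_modes->empty()` branches are local negotiation/configuration problems — no supported method, no preferred mode — rather than a rejected credential, yet they now route through `handle_auth_failure`, whose log line reports "due to auth failure". If the test-only exit is wanted here too, a preceding `ldout`/`lderr` naming the actual cause (e.g. `lderr(cct) << __func__ << " no supported auth methods for peer type " << con->get_peer_type() << dendl;`) would keep the exit explainable; otherwise these two could stay as `return -EACCES;`. The function starts and ends outside both hunks.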
@@ -1906,7 +1920,7 @@ int MonConnection::handle_auth_bad_method( if (p == auth_supported.end()) { lderr(cct) << __func__ << " server allowed_methods " << allowed_methods << " but i only support " << auth_supported << dendl;
- return -EACCES;
+ return handle_auth_failure(cct);
} auth_method = *p; ldout(cct,10) << __func__ << " will try " << auth_method << " next" << dendl;
-- 2.39.5