From b9c294e7a4c4ee77e691cfea83048c77e006dbe5 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Mon, 18 Feb 2019 13:02:16 -0600
Subject: [PATCH] common/options: add ms_mon_client_mode

The server now has a list of *allowed* modes (no ordering) and the clients have a list of modes in order of preference. Since we want everything connecting to the mon to be secure by default (think: ceph auth set ...), we need a separate option to ensure we prefer secure mon connections from the CLI etc.

Signed-off-by: Sage Weil
---
 src/auth/AuthRegistry.cc | 15 ++++++++++++---
 src/auth/AuthRegistry.h | 1 +
 src/common/options.cc | 11 +++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/auth/AuthRegistry.cc b/src/auth/AuthRegistry.cc
index f7483d56211..f89868cbfa5 100644
--- a/src/auth/AuthRegistry.cc
+++ b/src/auth/AuthRegistry.cc
@@ -103,6 +103,8 @@ void AuthRegistry::_refresh_config()
 &mon_cluster_modes);
 _parse_mode_list(cct->_conf.get_val("ms_mon_service_mode"),
 &mon_service_modes);
+ _parse_mode_list(cct->_conf.get_val("ms_mon_client_mode"),
+ &mon_client_modes);
 _parse_mode_list(cct->_conf.get_val("ms_cluster_mode"),
 &cluster_modes);
 _parse_mode_list(cct->_conf.get_val("ms_service_mode"),
@@ -115,8 +117,9 @@ void AuthRegistry::_refresh_config()
 << " client_methods " << client_methods
 << dendl;
 ldout(cct,10) << __func__ << " mon_cluster_modes " << mon_cluster_modes
- << " mon_service_mdoes " << mon_service_modes
- << " cluster_modes " << cluster_modes
+ << " mon_service_modes " << mon_service_modes
+ << " mon_client_modes " << mon_client_modes
+ << "; cluster_modes " << cluster_modes
 << " service_modes " << service_modes
 << " client_modes " << client_modes
 << dendl;
@@ -163,7 +166,13 @@ void AuthRegistry::get_supported_methods(
 *methods = client_methods;
 }
 if (modes) {
- *modes = client_modes;
+ switch (peer_type) {
+ case CEPH_ENTITY_TYPE_MON:
+ *modes = mon_client_modes;
+ break;
+ default:
+ *modes = client_modes;
+ }
 }
 return;
 case CEPH_ENTITY_TYPE_MON:
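Review bot: The new `ms_mon_client_mode` value is read in `_refresh_config()` (first hunk), but nothing in this patch registers the key with the config observer: the diffstat accounts for AuthRegistry.cc entirely with the three hunks shown, and none of them touches a tracked-key list. AuthRegistry derives from `md_config_obs_t` (visible in the header hunk), so if the existing `ms_*_mode` options are listed in its `get_tracked_conf_keys()`, which is not visible here, `"ms_mon_client_mode",` should be added there as well. Otherwise a runtime change that tightens the mon connection mode would presumably not take effect until the process restarts. `_refresh_config()` begins and ends outside the hunk.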
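Review bot: The inner `switch (peer_type)` added to the client branch of `get_supported_methods` (third hunk) gives MON peers a different mode list without saying why, and its `default:` arm ends without `break;`. I would put a comment above the switch such as `// mon sessions carry auth commands and keys, so clients use a separate preference list for them` and close the default arm with `break;`. Since `mon_client_modes` is an ordered preference rather than a requirement, whether a mon session can still settle on a weaker mode depends on the option's default list in options.cc, which this view cuts off. The enclosing function starts and ends outside the hunk.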
diff --git a/src/auth/AuthRegistry.h b/src/auth/AuthRegistry.h
index ae2cad4fcc3..72335e1b156 100644
--- a/src/auth/AuthRegistry.h
+++ b/src/auth/AuthRegistry.h
@@ -28,6 +28,7 @@ class AuthRegistry : public md_config_obs_t {
 // CEPH_CON_MODE_*
 std::vector mon_cluster_modes;
 std::vector mon_service_modes;
+ std::vector mon_client_modes;
 std::vector cluster_modes;
 std::vector service_modes;
 std::vector client_modes;
diff --git a/src/common/options.cc b/src/common/options.cc
index 8fa0414be98..07345d8f146 100644
--- a/src/common/options.cc
+++ b/src/common/options.cc
@@ -844,6 +844,7 @@ std::vector