From d0036dbe3ef2aba531a06b56d87024c9554f5ff9 Mon Sep 17 00:00:00 2001
From: Ilya Dryomov
Date: Sat, 17 Oct 2020 11:07:55 +0200
Subject: [PATCH] crimson/net: port proper cephx_* option handling

Port commits 949e2e595eda ("msg/async/ProtocolV1: resurrect "include MGR as service when applying cephx settings"") and 6f5c4152ca2c ("msg/async/ProtocolV1: resurrect "implement cephx_*require_version options"").

Signed-off-by: Ilya Dryomov
---
 src/crimson/net/ProtocolV1.cc | 23 ++++++++++++++++++++++-
 src/crimson/net/ProtocolV1.h | 1 +
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/crimson/net/ProtocolV1.cc b/src/crimson/net/ProtocolV1.cc
index eaed769dcd3..e0aa8569487 100644
--- a/src/crimson/net/ProtocolV1.cc
+++ b/src/crimson/net/ProtocolV1.cc
@@ -522,13 +522,31 @@ bool ProtocolV1::require_auth_feature() const
 return true;
 }
 if (h.connect.host_type == CEPH_ENTITY_TYPE_OSD ||
- h.connect.host_type == CEPH_ENTITY_TYPE_MDS) {
+ h.connect.host_type == CEPH_ENTITY_TYPE_MDS ||
+ h.connect.host_type == CEPH_ENTITY_TYPE_MGR) {
 return local_conf()->cephx_cluster_require_signatures;
 } else {
 return local_conf()->cephx_service_require_signatures;
 }
 }

+bool ProtocolV1::require_cephx_v2_feature() const
+{
+ if (h.connect.authorizer_protocol != CEPH_AUTH_CEPHX) {
+ return false;
+ }
+ if (local_conf()->cephx_require_version >= 2) {
+ return true;
+ }
+ if (h.connect.host_type == CEPH_ENTITY_TYPE_OSD ||
+ h.connect.host_type == CEPH_ENTITY_TYPE_MDS ||
+ h.connect.host_type == CEPH_ENTITY_TYPE_MGR) {
+ return local_conf()->cephx_cluster_require_version >= 2;
+ } else {
+ return local_conf()->cephx_service_require_version >= 2;
+ }
+}
+
 seastar::future ProtocolV1::repeat_handle_connect()
 {
 return socket->read(sizeof(h.connect))
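Review bot: The OSD/MDS/MGR comparison that selects the cluster-wide setting is now written out twice, once in `require_auth_feature()` and once in the new `require_cephx_v2_feature()`, and this commit already has to add MGR to the first copy, which suggests the list had fallen out of step before. If the two copies diverge again, a peer type could be held to the `cephx_service_*` value by one check and the `cephx_cluster_*` value by the other, which silently weakens what the operator configured. I would move the comparison into one file-local helper that takes the host type (name it as you like, for example `is_cluster_peer`) and call it from both functions, so the new function ends with `return is_cluster_peer(h.connect.host_type) ? local_conf()->cephx_cluster_require_version >= 2 : local_conf()->cephx_service_require_version >= 2;`. `require_auth_feature()` starts above the hunk, so its opening checks are not visible here.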
@@ -561,6 +579,9 @@ seastar::future ProtocolV1::repeat_handle_connect()
 if (require_auth_feature()) {
 conn.policy.features_required |= CEPH_FEATURE_MSG_AUTH;
 }
+ if (require_cephx_v2_feature()) {
+ conn.policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+ }
 if (auto feat_missing = conn.policy.features_required & ~(uint64_t)h.connect.features;
 feat_missing != 0) {
 return send_connect_reply(
diff --git a/src/crimson/net/ProtocolV1.h b/src/crimson/net/ProtocolV1.h
index 8ab0da18673..d7d642c5727 100644
--- a/src/crimson/net/ProtocolV1.h
+++ b/src/crimson/net/ProtocolV1.h
@@ -103,6 +103,7 @@ class ProtocolV1 final : public Protocol {
 seastar::future handle_connect_with_existing(
 SocketConnectionRef existing, bufferlist&& authorizer_reply);
 bool require_auth_feature() const;
+ bool require_cephx_v2_feature() const;
 seastar::future repeat_handle_connect();
 // open
--
2.47.3
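Review bot: The added block in `repeat_handle_connect()` has no comment saying that the decision to require `CEPH_FEATUREMASK_CEPHX_V2` rests on peer-declared values. Both `h.connect.authorizer_protocol` and `h.connect.host_type` appear to come from the connect message read off the socket at the top of the function. A peer that declares a non-cephx authorizer protocol is never asked for the feature bit, so the guarantee depends on the authorizer check refusing that protocol when cephx is mandatory; that check is outside this hunk and cannot be confirmed from here. I would add `// host_type and authorizer_protocol are peer-declared here; this only raises the feature floor, the auth method itself is enforced by the authorizer check` above the new `if`. The function continues past the hunk, so the reply sent when `feat_missing` is non-zero is not visible.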