From f159a093ecab4aa53693ec106c00d5ecb383c467 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Thu, 20 Jul 2017 13:07:32 -0400
Subject: [PATCH] osd,mds,mgr: do not dereference null rotating_keys
Immediately after we bind to a port, but before we have set up our auth infrastructure, we may get incoming connections. Deny them. Since we are not yet advertising ourselves these are peers trying to connect to old instances of daemons, not us. This triggers now because of bf4938567943c80345966f9c5a3bdc75a913175b. Previously, the peer would see we were a different addr and drop the connection. Now, it continues.
Fixes: http://tracker.ceph.com/issues/20667
Signed-off-by: Sage Weil
---
 src/mds/MDSDaemon.cc | 13 ++++++++++---
 src/mgr/DaemonServer.cc | 18 ++++++++++++------
 src/osd/OSD.cc | 14 ++++++++++----
 3 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc
index 62b2a02f695..62b4c37cbce 100644
--- a/src/mds/MDSDaemon.cc
+++ b/src/mds/MDSDaemon.cc
@@ -1257,9 +1257,16 @@ bool MDSDaemon::ms_verify_authorizer(Connection *con, int peer_type,
 EntityName name;
 uint64_t global_id;
- is_valid = authorize_handler->verify_authorizer(
- cct, monc->rotating_secrets.get(),
- authorizer_data, authorizer_reply, name, global_id, caps_info, session_key);
+ RotatingKeyRing *keys = monc->rotating_secrets.get();
+ if (keys) {
+ is_valid = authorize_handler->verify_authorizer(
+ cct, keys,
+ authorizer_data, authorizer_reply, name, global_id, caps_info,
+ session_key);
+ } else {
+ dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
+ is_valid = false;
+ }
 if (is_valid) {
 entity_name_t n(con->get_peer_type(), global_id);
diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
index 6454c8da306..947d5651f0d 100644
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
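Review bot: The null guard in src/mds/MDSDaemon.cc sits in the caller, and the same block is copied into DaemonServer::ms_verify_authorizer and OSD::ms_verify_authorizer, so `verify_authorizer` itself still accepts a null key ring and every other caller has to remember the check. Failing closed inside the handler, or in one shared helper that all three daemons call, would keep the deny-until-auth-is-ready rule in a single place; assuming the handler's key-ring parameter is named `keys`, that is `if (!keys) return false;` at the top of its body. The handler implementation is not part of this patch, so whether it has further callers cannot be seen from here. MDSDaemon::ms_verify_authorizer starts and ends outside the hunk.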
@@ -143,12 +143,18 @@ bool DaemonServer::ms_verify_authorizer(Connection *con,
 s->inst.addr = con->get_peer_addr();
 AuthCapsInfo caps_info;
- is_valid = handler->verify_authorizer(
- cct, monc->rotating_secrets.get(),
- authorizer_data,
- authorizer_reply, s->entity_name,
- s->global_id, caps_info,
- session_key);
+ RotatingKeyRing *keys = monc->rotating_secrets.get();
+ if (keys) {
+ is_valid = handler->verify_authorizer(
+ cct, keys,
+ authorizer_data,
+ authorizer_reply, s->entity_name,
+ s->global_id, caps_info,
+ session_key);
+ } else {
+ dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
+ is_valid = false;
+ }
 if (is_valid) {
 if (caps_info.allow_all) {
diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc
index 7a494f8e18d..7a90a0a5faa 100644
--- a/src/osd/OSD.cc
+++ b/src/osd/OSD.cc
@@ -6941,10 +6941,16 @@ bool OSD::ms_verify_authorizer(Connection *con, int peer_type,
 uint64_t global_id;
 uint64_t auid = CEPH_AUTH_UID_DEFAULT;
- isvalid = authorize_handler->verify_authorizer(
- cct, monc->rotating_secrets.get(),
- authorizer_data, authorizer_reply, name, global_id, caps_info, session_key,
- &auid);
+ RotatingKeyRing *keys = monc->rotating_secrets.get();
+ if (keys) {
+ isvalid = authorize_handler->verify_authorizer(
+ cct, keys,
+ authorizer_data, authorizer_reply, name, global_id, caps_info, session_key,
+ &auid);
+ } else {
+ dout(10) << __func__ << " no rotating_keys (yet), denied" << dendl;
+ isvalid = false;
+ }
 if (isvalid) {
 Session *s = static_cast(con->get_priv());
--
2.39.5
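Review bot: The denial message added in src/mgr/DaemonServer.cc does not say which peer was refused, although `con->get_peer_addr()` is already used in the context lines just above the check. This branch rejects an authentication attempt, so naming the peer makes the startup window traceable in the logs: `dout(10) << __func__ << " no rotating_keys (yet), denied " << con->get_peer_addr() << dendl;`. The log lines added in MDSDaemon.cc and OSD.cc have the same gap. The body of DaemonServer::ms_verify_authorizer continues outside the hunk.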
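Review bot: Nothing in src/osd/OSD.cc records why `keys` can be null at this point; the reason (the daemon is bound to a port before its auth infrastructure is set up) exists only in the commit message. A comment above the new `RotatingKeyRing *keys = ...` line would keep it next to the check, for example `// rotating_secrets is not set until auth setup finishes, but we are already bound and may see connections; deny them`. The hunk also does not show whether `monc->rotating_secrets` can be assigned on another thread while this function runs; if it can, the unlocked `.get()` deserves a second look. OSD::ms_verify_authorizer starts and ends outside the hunk.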