ceph.git
2 years ago 15.2.12 v15.2.12
Jenkins Build Slave User [Thu, 13 May 2021 17:26:12 +0000 (17:26 +0000)]
15.2.12

2 years ago mgr/dashboard: fix cookie injection issue
Ernesto Puerta [Thu, 13 May 2021 15:43:56 +0000 (17:43 +0200)]
mgr/dashboard: fix cookie injection issue

Fixes: CVE-2021-3509
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
(cherry picked from commit b39922818bc57cde1b016e9ad41908b18063b93b)

Conflicts:
src/pybind/mgr/dashboard/controllers/docs.py
        - Remove allow_empty_body and _with_token method

2 years ago mgr/dashboard: fix base-href: revert it to previous approach
Avan Thakkar [Fri, 7 May 2021 09:38:11 +0000 (15:08 +0530)]
mgr/dashboard: fix base-href: revert it to previous approach

Fixes: https://tracker.ceph.com/issues/50684
Signed-off-by: Avan Thakkar <athakkar@redhat.com>
(cherry picked from commit b6f92922f5c80223fd288d98ce85405a650c0135)

 Conflicts:
src/pybind/mgr/dashboard/frontend/src/app/app.module.ts
     - Adopt the changes coming from master.

(cherry picked from commit fab19ddf55c1e3f1e61745a676785ff0309f11f2)

2 years ago rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader
Casey Bodley [Tue, 4 May 2021 12:32:58 +0000 (08:32 -0400)]
rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader

follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as
well

Fixes: CVE-2021-3524
Reported-by: Sergey Bobrov <Sergey.Bobrov@kaspersky.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)

2 years ago rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name
Felix Hüttner [Thu, 6 May 2021 16:18:00 +0000 (12:18 -0400)]
rgw: RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name

checking for empty name avoids later assertion in RGWObjectCtx::set_atomic

Fixes: CVE-2021-3531
Reviewed-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 7196a469b4470f3c8628489df9a41ec8b00a5610)

2 years ago 15.2.11 v15.2.11
Jenkins Build Slave User [Mon, 19 Apr 2021 13:47:30 +0000 (13:47 +0000)]
15.2.11

3 years ago auth/cephx: make KeyServer::build_session_auth_info() less confusing
Ilya Dryomov [Thu, 15 Apr 2021 13:18:58 +0000 (15:18 +0200)]
auth/cephx: make KeyServer::build_session_auth_info() less confusing

The second KeyServer::build_session_auth_info() overload is used only
by the monitor, for mon <-> mon authentication.  The monitor passes in
service_secret (mon secret) and secret_id (-1).  The TTL is irrelevant
because there is no rotation.

However the signature doesn't make it obvious.  Clarify that
service_secret and secret_id are input parameters and info is the only
output parameter.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 6f12cd3688b753633c8ff29fb3bd64758f960b2b)

3 years ago auth/cephx: cap ticket validity by expiration of "next" key
Ilya Dryomov [Thu, 15 Apr 2021 07:48:13 +0000 (09:48 +0200)]
auth/cephx: cap ticket validity by expiration of "next" key

If auth_mon_ticket_ttl is increased by several times as done in
commit 522a52e6c258 ("auth/cephx: rotate auth tickets less often"),
active clients eventually get stuck because the monitor sends out an
auth ticket with a bogus validity.  The ticket is secured with the
"current" secret that is scheduled to expire according to the old TTL,
but the validity of the ticket is set to the new TTL.  As a result,
the client simply doesn't attempt to renew, letting the secrets rotate
potentially more than once.  When that happens, the client first hits
auth authorizer errors as it tries to renew service tickets and when
it finally gets to renewing the auth ticket, it hits the insecure
global_id reclaim wall.

Cap TTL by expiration of "next" key -- the "current" key may be
milliseconds away from expiration and still be used, legitimately.
Do it in KeyServerData alongside key rotation code and propagate the
capped TTL to the upper layer.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 370c9b13970d47a55b1b20ef983c6f01236c9565)

3 years ago auth/cephx: drop redundant KeyServerData::get_service_secret() overload
Ilya Dryomov [Thu, 15 Apr 2021 07:47:50 +0000 (09:47 +0200)]
auth/cephx: drop redundant KeyServerData::get_service_secret() overload

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 3078af716505ae754723864786a41a6d6af0534c)

3 years ago qa/standalone: default to disable insecure global id reclaim
Sage Weil [Sun, 28 Mar 2021 22:07:57 +0000 (18:07 -0400)]
qa/standalone: default to disable insecure global id reclaim

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 72c4fc75ad301980baebc7789ed6391444057e5b)

3 years ago qa/suites/upgrade/octopus-x: disable insecure global_id reclaim health warnings
Sage Weil [Thu, 25 Mar 2021 17:36:56 +0000 (13:36 -0400)]
qa/suites/upgrade/octopus-x: disable insecure global_id reclaim health warnings

These will trigger on upgrade; suppress them so that our health gates
will still work.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 3e80f61efeafc186ea8130984d64c05b2707d6ba)

Conflicts:
qa/suites/rados/cephadm/upgrade/3-start-upgrade.yaml [ commit
  04a3d4c927e7 ("qa/suites/rados/cephadm/upgrade: deploy a legacy
  r.z-style rgw") not in octopus ]
qa/suites/upgrade/octopus-x/parallel/1-tasks.yaml [ no octopus-x
  upgrade suite in octopus ]
qa/suites/upgrade/octopus-x/rgw-multisite/overrides.yaml [ ditto ]
qa/suites/upgrade/octopus-x/stress-split/1-start.yaml [ ditto ]

3 years ago qa/tasks/ceph[adm].conf[.template]: disable insecure global_id reclaim health alerts
Sage Weil [Fri, 26 Mar 2021 22:08:46 +0000 (18:08 -0400)]
qa/tasks/ceph[adm].conf[.template]: disable insecure global_id reclaim health alerts

Turn these off everywhere for our tests so they don't interfere with our health checks.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 9f6fd4fe563c9cd4cf65316921d511b677c972e4)

3 years ago cephadm: set auth_allow_insecure_global_id_reclaim for mon on bootstrap
Sage Weil [Fri, 26 Mar 2021 16:02:50 +0000 (12:02 -0400)]
cephadm: set auth_allow_insecure_global_id_reclaim for mon on bootstrap

If this is a fresh pacific cluster, let's assume that there won't be
legacy clients connecting.  (And if there are, let's put the burden on
the user to enable them to do so insecurely.)

This is in contrast to upgrades, where our focus is on not breaking
anything.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 7ca74183226b1125b29f4ea8f324ae9e38b46795)

Conflicts:
src/cephadm/cephadm [ commit 369989ebf90c ("cephadm: split-off
  config work on bootstrap") not in octopus ]

3 years ago mon/HealthMonitor: raise AUTH_INSECURE_GLOBAL_ID_RENEWAL[_ALLOWED]
Sage Weil [Thu, 25 Mar 2021 22:07:53 +0000 (18:07 -0400)]
mon/HealthMonitor: raise AUTH_INSECURE_GLOBAL_ID_RENEWAL[_ALLOWED]

Two new alerts:

- AUTH_INSECURE_GLOBAL_ID_RENEWAL_ALLOWED if we are allowing clients to reclaim
global_ids in an insecure manner (for backwards compatibility until
clients are upgraded)

- AUTH_INSECURE_GLOBAL_ID_RENEWAL if there are currently clients connected that
do not know how to securely renew their global_id, as exposed by
auth_expose_insecure_global_id_reclaim=true.  The client auth names and IPs
are listed in the alert details (up to a limit, at least).

The docs recommend operators mute these alerts instead of silencing, but
we still include options that allow the alerts to be disabled entirely.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 18b343b06e5dd904af425dc99e2c848e12f3b552)

Conflicts:
src/mon/HealthMonitor.cc [ commit e4bf716bfa07 ("mon: store
  a reference as member variable") not in octopus ]

3 years ago auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys
Ilya Dryomov [Tue, 2 Mar 2021 14:09:26 +0000 (15:09 +0100)]
auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys

When handling CEPHX_GET_AUTH_SESSION_KEY requests from nautilus+
clients, ignore CEPH_ENTITY_TYPE_AUTH in CephXAuthenticate::other_keys.
Similarly, when handling CEPHX_GET_PRINCIPAL_SESSION_KEY requests,
ignore CEPH_ENTITY_TYPE_AUTH in CephXServiceTicketRequest::keys.
These fields are intended for requesting service tickets, the auth
ticket (which is really a ticket granting ticket) must not be shared
this way.

Otherwise we end up sharing an auth ticket that a) isn't encrypted
with the old session key even if needed (should_enc_ticket == true)
and b) has the wrong validity, namely auth_service_ticket_ttl instead
of auth_mon_ticket_ttl.  In the CEPHX_GET_AUTH_SESSION_KEY case, this
undue ticket immediately supersedes the actual auth ticket already
encoded in the same reply (the reply frame ends up containing two auth
tickets).

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 05772ab6127bdd9ed2f63fceef840f197ecd9ea8)

3 years ago auth/cephx: rotate auth tickets less often
Ilya Dryomov [Mon, 22 Mar 2021 18:16:32 +0000 (19:16 +0100)]
auth/cephx: rotate auth tickets less often

If unauthorized global_id (re)use is disallowed, a client that has
been disconnected from the network long enough for keys to rotate
and its auth ticket to expire (i.e. become invalid/unverifiable)
would not be able to reconnect.

The default TTL is 12 hours, resulting in a 12-24 hour reconnect
window (the previous key is kept around, so the actual window can be
up to double the TTL).  The setting has stayed the same since 2009,
but it also hasn't been enforced.  Bump it to get a 72 hour reconnect
window to cover for something breaking on Friday and not getting fixed
until Monday.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 522a52e6c258932274f0753feb623ce008519216)

3 years ago mon: fail fast when unauthorized global_id (re)use is disallowed
Ilya Dryomov [Thu, 25 Mar 2021 19:59:13 +0000 (20:59 +0100)]
mon: fail fast when unauthorized global_id (re)use is disallowed

When unauthorized global_id (re)use is disallowed, we don't want to
let unpatched clients in because they wouldn't be able to reestablish
their monitor session later, resulting in subtle hangs and disrupted
user workloads.

Denying the initial connect for all legacy (CephXAuthenticate < v3)
clients is not feasible because a large subset of them never stopped
presenting their ticket on reconnects and are therefore compatible with
enforcing mode: most notably all kernel clients but also pre-luminous
userspace clients.  They don't need to be patched and excluding them
would significantly hamper the adoption of enforcing mode.

Instead, force clients that we are not sure about to reconnect shortly
after they go through authentication and obtain global_id.  This is
done in Monitor::dispatch_op() to capture both msgr1 and msgr2, most
likely instead of dispatching mon_subscribe.

We need to let mon_getmap through for "ceph ping" and "ceph tell" to
work.  This does mean that we share the monmap, which lets the client
return from MonClient::authenticate() considering authentication to be
finished and causing the potential reconnect error to not propagate to
the user -- the client would hang waiting for remaining cluster maps.
For msgr1, this is unavoidable because the monmap is sent immediately
after the final MAuthReply.  But for msgr2 this is rare: most of the
time we get to their mon_subscribe and cut the connection before they
process the monmap!

Regardless, the user doesn't get a chance to start a workload since
there is no proper higher-level session at that point.

To help with identifying clients that need patching, add global_id and
global_id_status to "sessions" output.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 08766a17edebb7450cd9b17cc2dc01efc068bb94)

3 years ago auth/cephx: option to disallow unauthorized global_id (re)use
Ilya Dryomov [Sat, 13 Mar 2021 13:53:52 +0000 (14:53 +0100)]
auth/cephx: option to disallow unauthorized global_id (re)use

global_id is a cluster-wide unique id that must remain stable for the
lifetime of the client instance.  The cephx protocol has a facility to
allow clients to preserve their global_id across reconnects:

(1) the client should provide its global_id in the initial handshake
    message/frame and later include its auth ticket proving previous
    possession of that global_id in CEPHX_GET_AUTH_SESSION_KEY request

(2) the monitor should verify that the included auth ticket is valid
    and has the same global_id and, if so, allow the reclaim

(3) if the reclaim is allowed, the new auth ticket should be
    encrypted with the session key of the included auth ticket to
    ensure authenticity of the client performing reclaim.  (The
    included auth ticket could have been snooped when the monitor
    originally shared it with the client or any time the client
    provided it back to the monitor as part of requesting service
    tickets, but only the genuine client would have its session key
    and be able to decrypt.)

Unfortunately, all (1), (2) and (3) have been broken for a while:

- (1) was broken in 2016 by commit a2eb6ae3fb57 ("mon/monclient:
  hunt for multiple monitor in parallel") and is addressed in patch
  "mon/MonClient: preserve auth state on reconnects"

- it turns out that (2) has never been enforced.  When cephx was
  being designed and implemented in 2009, two changes to the protocol
  raced with each other pulling it in different directions: commits
  0669ca21f4f7 ("auth: reuse global_id when requesting tickets")
  and fec31964a12b ("auth: when renewing session, encrypt ticket")
  added the reclaim mechanism based strictly on auth tickets, while
  commit 5eeb711b6b2b ("auth: change server side negotiation a bit")
  allowed the client to provide global_id in the initial handshake.
  These changes didn't get reconciled and as a result a malicious
  client can assign itself any global_id of its choosing by simply
  passing something other than 0 in MAuth message or AUTH_REQUEST
  frame and not even bother supplying any ticket.  This includes
  getting a global_id that is being used by another client.

- (3) was broken in 2019 with addition of support for msgr2, where
  the new auth ticket ends up being shared unencrypted.  However the
  root cause is deeper and a malicious client can coerce msgr1 into
  the same.  This also goes back to 2009 and is addressed in patch
  "auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys".

Because (2) has never been enforced, no one noticed when (1) got
broken and we began to rely on this flaw for normal operation in
the face of reconnects due to network hiccups or otherwise.  As of
today, only pre-luminous userspace clients and kernel clients are
not exercising it on a daily basis.

Bump CephXAuthenticate version and use a dummy v3 to distinguish
between legacy clients that don't (may not) include their auth ticket
and new clients.  For new clients, unconditionally disallow claiming
global_id without a corresponding auth ticket.  For legacy clients,
introduce a choice between permissive (current behavior, default for
the foreseeable future) and enforcing mode.

If the reclaim is disallowed, return EACCES.  While MonClient does
have some provision for global_id changes and we could conceivably
implement enforcement by handing out a fresh global_id instead of
the provided one, those code paths have never been tested and there
are too many ways a sudden global_id change could go wrong.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit abebd643cc60fa8a7cb82dc29a9d5041fb3c3d36)

Conflicts:
src/auth/cephx/CephxProtocol.h [ bufferlist vs
  ceph::buffer::list ]
src/auth/cephx/CephxServiceHandler.h [ ditto ]
src/auth/none/AuthNoneServiceHandler.h [ ditto ]
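
The reclaim decision described in the commit message above, as an added example that is not Ceph source code. All type and function names are hypothetical, and the model assumes that a missing, invalid or mismatched ticket all count as "no proof of possession".

```cpp
// Simplified model of the monitor-side global_id reclaim decision.
// Added illustration only; names are hypothetical, not Ceph's.
#include <cerrno>
#include <cstdint>
#include <cstdio>

struct OldTicket {
  bool present;        // client included an auth ticket in the request
  bool valid;          // monitor could decrypt it and it has not expired
  uint64_t global_id;  // global_id recorded inside the ticket
};

struct AuthRequest {
  int authenticate_version;    // CephXAuthenticate version; < 3 means legacy
  uint64_t claimed_global_id;  // 0 = no claim, monitor assigns a fresh id
  OldTicket old_ticket;
};

struct Decision {
  int result;               // 0 on success, -EACCES when reclaim is refused
  uint64_t global_id;       // id the session ends up with (0 if refused)
  bool is_new_global_id;    // assigned by the monitor rather than reclaimed
  bool insecure_reclaim;    // legacy reclaim let through without proof
  bool encrypt_new_ticket;  // step (3): encrypt with the old session key
};

// allow_insecure_reclaim models auth_allow_insecure_global_id_reclaim:
// true = permissive mode, false = enforcing mode.
Decision decide_global_id(const AuthRequest& req, bool allow_insecure_reclaim,
                          uint64_t next_free_global_id) {
  // No claim: the monitor hands out a fresh id, nothing to prove.
  if (req.claimed_global_id == 0) {
    return Decision{0, next_free_global_id, true, false, false};
  }

  // Step (2): a valid ticket carrying the same global_id proves previous
  // possession, so the reclaim is allowed for any client version.
  const OldTicket& t = req.old_ticket;
  if (t.present && t.valid && t.global_id == req.claimed_global_id) {
    return Decision{0, req.claimed_global_id, false, false, true};
  }

  // No proof of possession (assumption of this model: a bad or mismatched
  // ticket is treated the same as no ticket). Only legacy clients in
  // permissive mode keep the old behaviour.
  const bool legacy = req.authenticate_version < 3;
  if (legacy && allow_insecure_reclaim) {
    return Decision{0, req.claimed_global_id, false, true, false};
  }
  return Decision{-EACCES, 0, false, false, false};
}

int main() {
  // Constructed sample requests; 4242 is an arbitrary global_id.
  const AuthRequest cases[] = {
      {3, 0, {false, false, 0}},      // new client, first connect
      {3, 4242, {false, false, 0}},   // new client, claim without ticket
      {2, 4242, {false, false, 0}},   // legacy client, claim without ticket
      {2, 4242, {true, true, 4242}},  // legacy client presenting its ticket
      {3, 4242, {true, true, 7}},     // ticket issued for another global_id
  };
  const bool modes[] = {true, false};
  for (bool permissive : modes) {
    std::printf("%s mode\n", permissive ? "permissive" : "enforcing");
    for (const AuthRequest& req : cases) {
      Decision d = decide_global_id(req, permissive, 1001);
      std::printf("  v%d claim=%llu ticket=%d -> result=%d insecure=%d\n",
                  req.authenticate_version,
                  (unsigned long long)req.claimed_global_id,
                  req.old_ticket.present ? 1 : 0, d.result,
                  d.insecure_reclaim ? 1 : 0);
    }
  }
  return 0;
}
```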

3 years ago auth/cephx: make cephx_decode_ticket() take a const ticket_blob
Ilya Dryomov [Tue, 30 Mar 2021 09:10:17 +0000 (11:10 +0200)]
auth/cephx: make cephx_decode_ticket() take a const ticket_blob

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 6b860684c6e59b11c727206819805f89f0518575)

3 years ago auth/AuthServiceHandler: keep track of global_id and whether it is new
Ilya Dryomov [Tue, 9 Mar 2021 15:33:55 +0000 (16:33 +0100)]
auth/AuthServiceHandler: keep track of global_id and whether it is new

AuthServiceHandler already has global_id field, but it is unused.
Revive it and let the handler know whether global_id is newly assigned
by the monitor or provided by the client.

Lift the setting of entity_name into AuthServiceHandler.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit b50b6abd60e730176a7ef602bdd25d789a3c467d)

Conflicts:
src/auth/cephx/CephxServiceHandler.cc [ bufferlist vs
  ceph::buffer::list ]
src/auth/cephx/CephxServiceHandler.h [ ditto ]
src/auth/none/AuthNoneServiceHandler.h [ ditto ]

3 years ago auth/AuthServiceHandler: build_cephx_response_header() is cephx-specific
Ilya Dryomov [Tue, 9 Mar 2021 13:36:39 +0000 (14:36 +0100)]
auth/AuthServiceHandler: build_cephx_response_header() is cephx-specific

Make the one in CephxServiceHandler private and drop the stub in
AuthNoneServiceHandler.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 49cba02a750d4c1ab68399401f0c04f9c9be5b9e)

Conflicts:
src/auth/cephx/CephxServiceHandler.h [ bufferlist vs
  ceph::buffer::list ]
src/auth/none/AuthNoneServiceHandler.h [ ditto ]

3 years ago auth/AuthServiceHandler: drop unused start_session() args
Ilya Dryomov [Tue, 9 Mar 2021 13:25:39 +0000 (14:25 +0100)]
auth/AuthServiceHandler: drop unused start_session() args

session_key, connection_secret and connection_secret_required_length
aren't material for start_session() across all three implementations.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit c151c9659bdb71f30b520bbd62f91cc009ec51cd)

Conflicts:
src/auth/cephx/CephxServiceHandler.h [ bufferlist vs
  ceph::buffer::list ]
src/auth/none/AuthNoneServiceHandler.h [ ditto ]

3 years ago mon/MonClient: drop global_id arg from _add_conn() and _add_conns()
Ilya Dryomov [Tue, 30 Mar 2021 13:19:41 +0000 (15:19 +0200)]
mon/MonClient: drop global_id arg from _add_conn() and _add_conns()

Passing anything but MonClient instance's global_id doesn't make
sense.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit a71f6e90d43cca5a79db92ca6a640598796ae7ee)

Conflicts:
src/mon/MonClient.cc [ commit 1e9b18008c5e ("mon: set
  MonClient::_add_conn return type to void") not in octopus ]
src/mon/MonClient.h [ ditto ]

3 years ago mon/MonClient: reset auth state in shutdown()
Ilya Dryomov [Thu, 1 Apr 2021 08:55:36 +0000 (10:55 +0200)]
mon/MonClient: reset auth state in shutdown()

Destroying AuthClientHandler and not resetting global_id is another
way to get MonClient to send CEPHX_GET_AUTH_SESSION_KEY requests with
CephXAuthenticate::old_ticket not populated.  This is particularly
pertinent to get_monmap_and_config() which shuts down the bootstrap
MonClient between retry attempts.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit c9b022e07392979e7f9ea6c11484a7dd872cc235)

3 years ago mon/MonClient: preserve auth state on reconnects
Ilya Dryomov [Mon, 8 Mar 2021 14:37:02 +0000 (15:37 +0100)]
mon/MonClient: preserve auth state on reconnects

Commit a2eb6ae3fb57 ("mon/monclient: hunt for multiple monitor in
parallel") introduced a regression where auth state (global_id and
AuthClientHandler) was no longer preserved on reconnects.  The ensuing
breakage was quickly noticed and prompted a follow-on fix 8bb6193c8f53
("mon/MonClient: persist global_id across re-connecting").

However, as evident from the subject, the follow-on fix only took
care of the global_id part.  AuthClientHandler is still destroyed
and all cephx tickets are discarded.  A new from-scratch instance
is created for each MonConnection and CEPHX_GET_AUTH_SESSION_KEY
requests end up with CephXAuthenticate::old_ticket not populated.
The bug is in MonClient, so both msgr1 and msgr2 are affected.

This should have resulted in a similar sort of breakage but didn't
because of a much larger bug.  The monitor should have denied the
attempt to reclaim global_id with no valid ticket proving previous
possession of that global_id presented.  Alas, it appears that this
aspect of the cephx protocol has never been enforced.  This is dealt
with in the next patch.

To fix the issue at hand, clone AuthClientHandler into each
MonConnection so that each respective CEPHX_GET_AUTH_SESSION_KEY
request gets a copy of the current auth ticket.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 236b536b28482ec9d8b872de03da7d702ce4787b)

Conflicts:
src/mon/MonClient.cc [ commit 1e9b18008c5e ("mon: set
  MonClient::_add_conn return type to void") not in octopus ]

3 years ago mon/MonClient: claim active_con's auth explicitly
Ilya Dryomov [Sat, 6 Mar 2021 10:15:40 +0000 (11:15 +0100)]
mon/MonClient: claim active_con's auth explicitly

Eliminate confusion by moving auth from active_con into MonClient
instead of swapping them.

The existing MonClient::auth can be destroyed right away -- I don't
see why active_con would need it or a reason to delay its destruction
(which is what stashing in active_con effectively does).

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit eec24e4d119c57c7eb5119dc0083616a61b33b89)

3 years ago mon/MonClient: resurrect "waiting for monmap|config" timeouts
Ilya Dryomov [Thu, 1 Apr 2021 08:07:00 +0000 (10:07 +0200)]
mon/MonClient: resurrect "waiting for monmap|config" timeouts

This fixes a regression introduced in commit 85157d5aae3d ("mon:
s/Mutex/ceph::mutex/").  Waiting for monmap and config indefinitely
is not just bad UX, it actually masks other more serious bugs.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 6faa18e0a8e8efba6bd2978942eb9909b6568d5c)

3 years ago qa/tasks/ceph.conf: shorten cephx TTL for testing 40662/head
Sage Weil [Mon, 5 Apr 2021 18:08:30 +0000 (13:08 -0500)]
qa/tasks/ceph.conf: shorten cephx TTL for testing

Rotate tickets frequently to exercise those code paths during testing.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 94df76244798cdc0bafd74c9e5197adb5aa990c0)

3 years ago 15.2.10 v15.2.10
Jenkins Build Slave User [Wed, 17 Mar 2021 17:02:39 +0000 (17:02 +0000)]
15.2.10

3 years ago Merge pull request #40155 from rhcs-dashboard/wip-49272-octopus
Yuri Weinstein [Tue, 16 Mar 2021 17:26:40 +0000 (10:26 -0700)]
Merge pull request #40155 from rhcs-dashboard/wip-49272-octopus

octopus: mgr/dashboard: delete EOF when reading passwords from file

Reviewed-by: Ernesto Puerta <epuertat@redhat.com>
Reviewed-by: Yuri Weinstein <yweinste@redhat.com>

3 years ago mgr/dashboard: delete EOF when reading passwords from file 40155/head
Alfonso Martínez [Tue, 9 Feb 2021 10:17:52 +0000 (11:17 +0100)]
mgr/dashboard: delete EOF when reading passwords from file

Signed-off-by: Alfonso Martínez <almartin@redhat.com>
(cherry picked from commit caeadf1397db00c6b7ba218b1910508099802e39)

3 years ago Merge pull request #39701 from ifed01/wip-ifed-fix-huge-bluefs-oct
Yuri Weinstein [Mon, 15 Mar 2021 16:36:57 +0000 (09:36 -0700)]
Merge pull request #39701 from ifed01/wip-ifed-fix-huge-bluefs-oct

octopus: os/bluestore: fix huge reads/writes at BlueFS

Reviewed-by: Adam Kupczyk <akupczyk@redhat.com>

3 years ago Merge pull request #40074 from ideepika/wip-fix-ignorelist
Yuri Weinstein [Fri, 12 Mar 2021 23:24:32 +0000 (15:24 -0800)]
Merge pull request #40074 from ideepika/wip-fix-ignorelist

octopus: qa/suites/upgrade: s/whitelist/ignorelist for octopus specific tests

Reviewed-by: Neha Ojha <nojha@redhat.com>
Reviewed-by: Yuri Weinstein <yweinste@redhat.com>

3 years ago Merge pull request #39754 from ifed01/wip-ifed-bluefs-zero-read-retry-octa
Yuri Weinstein [Fri, 12 Mar 2021 23:12:55 +0000 (15:12 -0800)]
Merge pull request #39754 from ifed01/wip-ifed-bluefs-zero-read-retry-octa

octopus: os/bluestore: Add option to check BlueFS reads

Reviewed-by: Adam Kupczyk <akupczyk@redhat.com>

3 years ago Merge pull request #39872 from rhcs-dashboard/wip-48190-octopus
Yuri Weinstein [Fri, 12 Mar 2021 17:09:55 +0000 (09:09 -0800)]
Merge pull request #39872 from rhcs-dashboard/wip-48190-octopus

octopus: mgr/dashboard: add ssl verify option for prometheus and alert manager

Reviewed-by: Alfonso Martínez <almartin@redhat.com>
Reviewed-by: Nizamudeen A <nia@redhat.com>

3 years ago Merge pull request #39868 from rhcs-dashboard/wip-49083-octopus
Yuri Weinstein [Fri, 12 Mar 2021 17:09:14 +0000 (09:09 -0800)]
Merge pull request #39868 from rhcs-dashboard/wip-49083-octopus

octopus: mgr/dashboard: Fix missing root path of each session for CephFS

Reviewed-by: Alfonso Martínez <almartin@redhat.com>
Reviewed-by: Tatjana Dehler <tdehler@suse.com>
Reviewed-by: Tatjana Dehler <tdehler@suse.com>

3 years ago Merge pull request #39854 from rhcs-dashboard/wip-49324-octopus
Yuri Weinstein [Fri, 12 Mar 2021 17:07:27 +0000 (09:07 -0800)]
Merge pull request #39854 from rhcs-dashboard/wip-49324-octopus

octopus: mgr/dashboard: fix MTU Mismatch alert

Reviewed-by: Nizamudeen A <nia@redhat.com>
Reviewed-by: Aashish Sharma <aasharma@redhat.com>

3 years ago Merge pull request #39852 from rhcs-dashboard/wip-49599-octopus
Yuri Weinstein [Fri, 12 Mar 2021 17:05:59 +0000 (09:05 -0800)]
Merge pull request #39852 from rhcs-dashboard/wip-49599-octopus

octopus: mgr/dashboard: report mgr fsid

Reviewed-by: Laura Paduano <lpaduano@suse.com>
Reviewed-by: Nizamudeen A <nia@redhat.com>

3 years ago Merge pull request #39436 from rhcs-dashboard/wip-48654-octopus
Yuri Weinstein [Fri, 12 Mar 2021 17:05:07 +0000 (09:05 -0800)]
Merge pull request #39436 from rhcs-dashboard/wip-48654-octopus

octopus: mgr/dashboard: CLI commands: read passwords from file

Reviewed-by: Avan Thakkar <athakkar@redhat.com>
Reviewed-by: Laura Paduano <lpaduano@suse.com>

3 years ago qa/suites/upgrade: s/whitelist/ignorelist for octopus only 40074/head
Deepika Upadhyay [Fri, 12 Mar 2021 16:21:32 +0000 (21:51 +0530)]
qa/suites/upgrade: s/whitelist/ignorelist for octopus only

some upgrade tests are only present for octopus and not for master and
hence we missed updating the ignorelist terminology for those cases.

Signed-off-by: Deepika Upadhyay <dupadhya@redhat.com>

3 years ago Merge pull request #39885 from smithfarm/wip-49031-octopus
Yuri Weinstein [Thu, 11 Mar 2021 16:48:54 +0000 (08:48 -0800)]
Merge pull request #39885 from smithfarm/wip-49031-octopus

octopus: cmake: boost>=1.74 adds BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT to radosgw

Reviewed-by: Kefu Chai <kchai@redhat.com>

3 years ago Merge pull request #39867 from trociny/wip-49452-octopus
Yuri Weinstein [Thu, 11 Mar 2021 16:48:24 +0000 (08:48 -0800)]
Merge pull request #39867 from trociny/wip-49452-octopus

octopus: rbd-mirror: reset update_status_task pointer in timer thread

Reviewed-by: Jason Dillaman <dillaman@redhat.com>

3 years ago Merge pull request #39866 from trociny/wip-49454-octopus
Yuri Weinstein [Thu, 11 Mar 2021 16:47:18 +0000 (08:47 -0800)]
Merge pull request #39866 from trociny/wip-49454-octopus

octopus: librbd: use on-disk image name when storing mirror snapshot state

Reviewed-by: Jason Dillaman <dillaman@redhat.com>

3 years ago Merge pull request #39864 from trociny/wip-49399-octopus
Yuri Weinstein [Thu, 11 Mar 2021 16:46:52 +0000 (08:46 -0800)]
Merge pull request #39864 from trociny/wip-49399-octopus

octopus: librbd: allow disabling journaling for snapshot based mirroring image

Reviewed-by: Jason Dillaman <dillaman@redhat.com>

3 years ago Merge pull request #39863 from trociny/wip-49335-octopus
Yuri Weinstein [Thu, 11 Mar 2021 16:46:24 +0000 (08:46 -0800)]
Merge pull request #39863 from trociny/wip-49335-octopus

octopus: mgr/rbd_support: mirror snapshot schedule should skip non-primary images

Reviewed-by: Jason Dillaman <dillaman@redhat.com>

3 years ago Merge pull request #39862 from trociny/wip-49263-octopus
Yuri Weinstein [Thu, 11 Mar 2021 16:45:55 +0000 (08:45 -0800)]
Merge pull request #39862 from trociny/wip-49263-octopus

octopus: librbd: don't log error if get mirror status fails due to mirroring disabled

Reviewed-by: Jason Dillaman <dillaman@redhat.com>

3 years ago Merge pull request #39704 from smithfarm/wip-49397-octopus
Yuri Weinstein [Thu, 11 Mar 2021 15:59:45 +0000 (07:59 -0800)]
Merge pull request #39704 from smithfarm/wip-49397-octopus

octopus: qa/suites/rados/dashboard: whitelist TELEMETRY_CHANGED

Reviewed-by: Laura Paduano <lpaduano@suse.com>
Reviewed-by: Yaarit Hatuka <yaarithatuka@gmail.com>
Reviewed-by: Nizamudeen A <nia@redhat.com>

3 years ago Merge pull request #39890 from tchaikov/octopus-github-milestone
Kefu Chai [Tue, 9 Mar 2021 09:20:10 +0000 (17:20 +0800)]
Merge pull request #39890 from tchaikov/octopus-github-milestone

octopus: .github: add workflow for adding label and milestone

Reviewed-by: Ernesto Puerta <epuertat@redhat.com>

3 years ago .github/workflows: use a released sha1 39890/head
Kefu Chai [Tue, 9 Mar 2021 04:16:26 +0000 (12:16 +0800)]
.github/workflows: use a released sha1

otherwise the action cannot be found

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit ae8ea10f415ec170be4a7be48567dbac83221dc0)

3 years ago .github/workflows: rename labeler.yml to pr-triage.yml
Kefu Chai [Mon, 8 Mar 2021 18:46:46 +0000 (02:46 +0800)]
.github/workflows: rename labeler.yml to pr-triage.yml

to reflect the change in the actions in it.

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit 453cd5fd602c54809dc091f0c3a498f903366c8f)

3 years ago .github/workflows: use @{sha1} for actions
Kefu Chai [Mon, 8 Mar 2021 18:26:34 +0000 (02:26 +0800)]
.github/workflows: use @{sha1} for actions

more secure this way. see also https://julienrenaux.fr/2019/12/20/github-actions-security-risk/

point the sha1 to

* labeler@v3
* milestone@main HEAD

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit 79e8038046092053b0c0b120e0d7ca07a33a1c00)

3 years ago .github/workflows: move milestone.yml into labeler.yml
Kefu Chai [Sun, 7 Mar 2021 11:21:25 +0000 (19:21 +0800)]
.github/workflows: move milestone.yml into labeler.yml

no need to have two actions triggered by the same event.

we could backport this labeler.yml to LTS branches.

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit 98b90189791d3f4d2524fd829edb616d0ffd94f7)

3 years ago .github: correct the regex in milestone workflow
Kefu Chai [Sat, 6 Mar 2021 16:32:42 +0000 (00:32 +0800)]
.github: correct the regex in milestone workflow

also use pull_request_target event so the action is run in the
context of the base of the pull request. this helps us to overcome
the "Resource not accessible by integration" issue where the action
is run in the context of the pull request.

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit c5f6d15e36fdd019196a1520525382f73f276f14)

3 years ago .github: add workflow for adding milestone
Kefu Chai [Sat, 6 Mar 2021 13:18:13 +0000 (21:18 +0800)]
.github: add workflow for adding milestone

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit 1657a44750442ff2582d601fb028aa89e3a95999)

3 years ago github/labeler: disable sync-labels
Ernesto Puerta [Wed, 18 Nov 2020 12:00:00 +0000 (13:00 +0100)]
github/labeler: disable sync-labels

Yaml syntax cleaned too.

Fixes: https://github.com/ceph/ceph/pull/38107#issuecomment-729300615
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
(cherry picked from commit 59702b6198c59b84f1695e37256ae351b331b604)

3 years ago github: autolabel PRs
Ernesto Puerta [Thu, 12 Nov 2020 17:07:44 +0000 (18:07 +0100)]
github: autolabel PRs

... starting with dashboard ones.

Requires https://github.com/marketplace/actions/labeler

Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
(cherry picked from commit 298bc67f7b8d1c64520b543f4749b29f7be67379)

3 years ago Merge PR #39906 into octopus
Patrick Donnelly [Mon, 8 Mar 2021 19:40:04 +0000 (11:40 -0800)]
Merge PR #39906 into octopus

* refs/pull/39906/head:
mgr/volumes: Bump up AuthMetadataManager's version
pybind/ceph_volume_client: Bump up the version and compat_version to 6
pybind/ceph_volume_client: Fix auth-metadata file recovery
pybind/ceph_volume_client: Update the 'volumes' key to 'subvolumes' in auth metadata file

Reviewed-by: Ramana Raja <rraja@redhat.com>
Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
3 years agoMerge pull request #39627 from rhcs-dashboard/wip-49421-octopus
Ernesto Puerta [Mon, 8 Mar 2021 16:19:37 +0000 (17:19 +0100)]
Merge pull request #39627 from rhcs-dashboard/wip-49421-octopus

octopus: mgr/dashboard: set security headers

Reviewed-by: Alfonso Martínez <almartin@redhat.com>
Reviewed-by: Nizamudeen A <nia@redhat.com>
3 years agomgr/volumes: Bump up AuthMetadataManager's version 39906/head
Kotresh HR [Fri, 19 Feb 2021 11:27:23 +0000 (16:57 +0530)]
mgr/volumes: Bump up AuthMetadataManager's version

With ceph_volume_client and mgr-volumes co-existing
for some time, the version of both needs to be the same.
The ceph_volume_client version <=5 can't decode
'subvolumes' key in auth-metadata file. Hence to
handle version incompatibility, the version of
ceph_volume_client is bumped up to 6 and the same
needs to be done in mgr-volume's AuthMetadataManager

Fixes: https://tracker.ceph.com/issues/49374
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 818c7781ff0467c6521bf2b3002b094fb8a71257)

3 years agopybind/ceph_volume_client: Bump up the version and compat_version to 6
Kotresh HR [Fri, 19 Feb 2021 11:12:33 +0000 (16:42 +0530)]
pybind/ceph_volume_client: Bump up the version and compat_version to 6

With 'volumes' key updated to 'subvolumes', the version of
ceph_volume_client <= 5 can't decode auth-metadata file. Hence
bumping up ceph_volume_client version and compat_version to 6.

Fixes: https://tracker.ceph.com/issues/49294
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit ce55a0bcdc5db139fc8f39665c372f1b7cc274a7)

3 years agopybind/ceph_volume_client: Fix auth-metadata file recovery
Kotresh HR [Fri, 19 Feb 2021 11:08:31 +0000 (16:38 +0530)]
pybind/ceph_volume_client: Fix auth-metadata file recovery

Fixes: https://tracker.ceph.com/issues/49294
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 99cdfdad59175a19bc06859e69301ca0478a2db4)

3 years agopybind/ceph_volume_client: Update the 'volumes' key to 'subvolumes' in auth metadata...
Kotresh HR [Mon, 15 Feb 2021 16:26:51 +0000 (21:56 +0530)]
pybind/ceph_volume_client: Update the 'volumes' key to 'subvolumes' in auth metadata file

The older auth metadata files before nautilus release store
the authorized subvolumes using the 'volumes' key. As the
notion of 'subvolumes' was brought in by mgr/volumes, it makes
sense to use 'subvolumes' key. This patch would transparently
update 'volumes' key to 'subvolumes' and newer auth metadata
files would store them with 'subvolumes' key.

Also fails the deauthorize if the auth-id doesn't exist.

Fixes: https://tracker.ceph.com/issues/49294
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit dee03c8d5c0b86cf51865090bec203419a3008a9)

3 years agoMerge pull request #39390 from kotreshhr/wip-mgr-backports-octopus
Ramana Raja [Sat, 6 Mar 2021 16:51:31 +0000 (11:51 -0500)]
Merge pull request #39390 from kotreshhr/wip-mgr-backports-octopus

octopus: mgr/volume: subvolume auth_id management and few bug fixes

Reviewed-by: Ramana Raja <rraja@redhat.com>
3 years agocmake: boost>=1.74 adds BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT to radosgw 39885/head
Casey Bodley [Mon, 25 Jan 2021 18:08:35 +0000 (13:08 -0500)]
cmake: boost>=1.74 adds BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT to radosgw

Fixes: https://tracker.ceph.com/issues/48988
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 722b4303b1986ce93744af5baeecde7681d8e347)

3 years agomgr/dashboard: add ssl verify option for prometheus and alert manager 39872/head
Jean "henyxia" Wasilewski [Mon, 12 Oct 2020 15:57:00 +0000 (17:57 +0200)]
mgr/dashboard: add ssl verify option for prometheus and alert manager

Fixes: https://tracker.ceph.com/issues/47863
Signed-off-by: Jean "henyxia" Wasilewski <henyxia@revs0.com>
(cherry picked from commit 0f230ea49b93c85a1db47cc665951c79bc8b2225)

3 years agomgr/dashboard: Fix missing root path of each session for CephFS 39868/head
Yongseok Oh [Fri, 7 Aug 2020 11:20:17 +0000 (20:20 +0900)]
mgr/dashboard: Fix missing root path of each session for CephFS

Signed-off-by: Yongseok Oh <yongseok.oh@linecorp.com>
(cherry picked from commit 7c3cadd09645575898a85d2b50b95808b334de69)

3 years agorbd-mirror: reset update_status_task pointer in timer thread 39867/head
Mykola Golub [Mon, 22 Feb 2021 16:22:54 +0000 (16:22 +0000)]
rbd-mirror: reset update_status_task pointer in timer thread

To avoid a time window when m_update_status_task is invalid. If
during this time the cancel_update_mirror_image_replay_status is
called, it may cancel some other's ImageReplayer task, if it
happened to add the task with the same address.

Fixes: https://tracker.ceph.com/issues/49418
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 3a289d43f6ab010bcadb80888fb73763f4f55ed0)

3 years agotest/librbd: TestLibRBD.RenameViaLockOwner doesn't require journaling now 39866/head
Mykola Golub [Tue, 23 Feb 2021 04:46:00 +0000 (04:46 +0000)]
test/librbd: TestLibRBD.RenameViaLockOwner doesn't require journaling now

Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 3042eec0d8aa7e28a8b0452c11a6dc6528fe4992)

3 years agolibrbd: use on-disk image name when storing mirror snapshot state
Mykola Golub [Mon, 22 Feb 2021 12:54:43 +0000 (12:54 +0000)]
librbd: use on-disk image name when storing mirror snapshot state

Fixes: https://tracker.ceph.com/issues/49115
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 813728ae2036231a269be86bcb3dc48951a20f21)

3 years agotest/librbd: extend TestLibRBD.RenameViaLockOwner
Mykola Golub [Mon, 22 Feb 2021 12:53:38 +0000 (12:53 +0000)]
test/librbd: extend TestLibRBD.RenameViaLockOwner

To cover the following case:

- Client A has image opened but does not own the lock.
- Client B renames the image (client A is not aware of it).
- Client A becomes the lock owner.
- Client B requests rename, which is proxied to the client A.

Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 2d2e04e86bcc666e3abaceeeef7e1598dcc9fb94)

3 years agoMerge pull request #39836 from rhcs-dashboard/wip-49594-octopus
Ernesto Puerta [Fri, 5 Mar 2021 16:59:05 +0000 (17:59 +0100)]
Merge pull request #39836 from rhcs-dashboard/wip-49594-octopus

octopus: mgr/dashboard: fix issues related with PyJWT versions >=2.0.0

Reviewed-by: Avan Thakkar <athakkar@redhat.com>
Reviewed-by: Ernesto Puerta <epuertat@redhat.com>
3 years agolibrbd: make rename be always executed by lock owner
Mykola Golub [Sun, 14 Feb 2021 11:50:32 +0000 (11:50 +0000)]
librbd: make rename be always executed by lock owner

Fixes: https://tracker.ceph.com/issues/49115
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 2a9fac2cc4b10af04c52e12f34932e6d2d91441f)

Conflicts:
src/librbd/Operations.cc
        (request_id (async notification) is not used for "rename" op in octopus
         -- added in pacific for "serialize maintenance operations by type")

3 years agolibrbd: always check on-disk image name when renaming
Mykola Golub [Sun, 14 Feb 2021 11:48:35 +0000 (11:48 +0000)]
librbd: always check on-disk image name when renaming

Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 950a7b5cfc66bdfea35304e6cb06e74c92dcaf5c)

3 years agolibrbd: allow disabling journaling for snapshot based mirroring image 39864/head
Mykola Golub [Fri, 12 Feb 2021 17:18:07 +0000 (17:18 +0000)]
librbd: allow disabling journaling for snapshot based mirroring image

Fixes: https://tracker.ceph.com/issues/49282
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 2a5885fedaaf2ddd3c7005162064c9981a499240)

3 years agomgr/rbd_support: mirror snapshot schedule should skip non-primary images 39863/head
Mykola Golub [Wed, 17 Feb 2021 14:15:57 +0000 (14:15 +0000)]
mgr/rbd_support: mirror snapshot schedule should skip non-primary images

And while here, suppress error messages for ENOENT errors.

Fixes: https://tracker.ceph.com/issues/49284
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit d39eb283c5cee12c98afb2667d63112ef9409630)

3 years agolibrbd: don't log error if get mirror status fails due to mirroring disabled 39862/head
Mykola Golub [Thu, 11 Feb 2021 09:24:49 +0000 (09:24 +0000)]
librbd: don't log error if get mirror status fails due to mirroring disabled

Fixes: https://tracker.ceph.com/issues/49245
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 1d303e6faa51ab71e5b5b909053fd6120c981081)

3 years agomgr/dashboard:fix MTU Mismatch alert 39854/head
Aashish Sharma [Mon, 15 Feb 2021 04:43:39 +0000 (10:13 +0530)]
mgr/dashboard:fix MTU Mismatch alert

This PR intends to fix the expression used for MTU Mismatch alert in prometheus

Signed-off-by: Aashish Sharma <aasharma@redhat.com>
(cherry picked from commit 8527489b9148a8845d6fccca6461b23ed7989172)

3 years agomgr/dashboard: report mgr fsid 39852/head
Ernesto Puerta [Fri, 12 Feb 2021 18:46:20 +0000 (19:46 +0100)]
mgr/dashboard: report mgr fsid

Add mgr fsid from the ceph mgr API.

Fixes: https://tracker.ceph.com/issues/49283
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
(cherry picked from commit 206f9f2ea180b6b06158d5d74e1ab55c21044502)

 Conflicts:
src/pybind/mgr/dashboard/frontend/cypress/integration/cluster/configuration.e2e-spec.ts
     - Adopting the master branch changes.

3 years agoqa: leave one standby available to avoid warning 39390/head
Patrick Donnelly [Mon, 2 Nov 2020 18:01:59 +0000 (10:01 -0800)]
qa: leave one standby available to avoid warning

Four file systems will use all MDS and generate this warning:

2020-11-02T03:48:33.407 INFO:teuthology.orchestra.run.smithi003.stdout:2020-11-02T03:24:21.817337+0000 mon.a (mon.0) 481 : cluster [WRN] Health check failed: insufficient standby MDS daemons available (MDS_INSUFFICIENT_STANDBY).

Fixes: https://tracker.ceph.com/issues/23718
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
(cherry picked from commit 59451923d31f5e4f707aa6d22ececc8edd395ca9)

3 years agoqa: Fix a few mgr/volume test cases
Kotresh HR [Fri, 5 Feb 2021 18:05:22 +0000 (23:35 +0530)]
qa: Fix a few mgr/volume test cases

Recovering dirty auth metadata file might not retain the order,
fixed the comparison in 'test_recover_auth_metadata_during_authorize'
and 'test_recover_auth_metadata_during_deauthorize'.

Fixes: https://tracker.ceph.com/issues/49192
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 4952d2132ffd92594e749a652970d5d9415c721d)

3 years agoqa/cephfs: add methods to read/write on CephFS mounts
Rishabh Dave [Wed, 1 Apr 2020 11:21:06 +0000 (16:51 +0530)]
qa/cephfs: add methods to read/write on CephFS mounts

Signed-off-by: Rishabh Dave <ridave@redhat.com>
(cherry picked from commit 3f0284f272231c3b62b0f3f201cbaaecfa405bcd)

Conflicts:
    qa/tasks/cephfs/mount.py: get_file and IP module is not present in
      octopus

3 years agoceph_volume_client: Fix failure of test_idempotency
Kotresh HR [Sat, 23 Jan 2021 17:03:32 +0000 (22:33 +0530)]
ceph_volume_client: Fix failure of test_idempotency

With the test environment, 'args must be encodeable
 as a bytearray' error is seen for 'ceph_mds_command'.
Hence removed tuple and passed the JSON formatted string.

Fixes: https://tracker.ceph.com/issues/48830
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 1c6c172a9b665d6b769d67e301061dbd7b044472)

3 years agomgr/volumes: Evict clients based on auth-IDs and subvolume mounted
Kotresh HR [Fri, 15 Jan 2021 20:07:14 +0000 (01:37 +0530)]
mgr/volumes: Evict clients based on auth-IDs and subvolume mounted

Add subvolume evict command which evicts the subvolume mounts
which are mounted using a particular auth-ID.

Fixes: https://tracker.ceph.com/issues/44928
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 269adcc8b8ab0742ba741ed7c2b59ccfb17a63f9)

Conflicts:
    qa/tasks/cephfs/test_volumes.py: Few of the tests are re-organized,
           hence the conflicts. Resolved the same.

3 years agodoc/mgr/volumes: Document 'fs subvolume authorized_list' cli
Kotresh HR [Tue, 5 Jan 2021 13:25:32 +0000 (18:55 +0530)]
doc/mgr/volumes: Document 'fs subvolume authorized_list' cli

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 9f9f8adc47486432c746565ea5a1f204736632c1)

3 years agoqa: Add tests for list auth-ids of a subvolume
Kotresh HR [Wed, 16 Dec 2020 12:49:42 +0000 (18:19 +0530)]
qa: Add tests for list auth-ids of a subvolume

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 1b98e63e75236ff1cd1c9cb1ead8eb965698d5b6)

Conflicts:
   qa/tasks/cephfs/test_volumes.py: Few of the tests are re-organized,
       hence the conflicts. Resolved the same.

3 years agomgr/volumes: Update the 'volumes' key to 'subvolumes' in auth metadata file
Kotresh HR [Tue, 5 Jan 2021 12:55:54 +0000 (18:25 +0530)]
mgr/volumes: Update the 'volumes' key to 'subvolumes' in auth metadata file

The older auth metadata files created by CephVolumeClient store the
authorized subvolumes using the 'volumes' key as the notion of
'subvolumes' brought in by mgr/volumes. Hence, this would be transparently
updated to 'subvolumes' and newer auth metadata files would store them
with 'subvolumes' key.

Also fails the deauthorize if the auth-id doesn't exist.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 5f32eb15918657bcf1f73025fbb3adf0cc06317e)

3 years agomgr/volumes: Optionally authorize existing auth-ids
Kotresh HR [Tue, 15 Dec 2020 12:12:25 +0000 (17:42 +0530)]
mgr/volumes: Optionally authorize existing auth-ids

Optionally allow authorizing auth-ids not created by mgr plugin
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 713270d1869e2370b674b1a4bc6f6a37023a5917)

3 years agomgr/volumes: Preserve existing caps while authorize/deauthorize auth-id
Kotresh HR [Tue, 15 Dec 2020 12:01:54 +0000 (17:31 +0530)]
mgr/volumes: Preserve existing caps while authorize/deauthorize auth-id

Authorize/Deauthorize used to overwrite the caps of auth-id which would
end up deleting existing caps. This patch fixes the same by retaining
the existing caps by appending or deleting the new caps as needed.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 2dece3be081fe572455d6b634e38a663d1643dc8)

3 years agomgr/volumes: Disallow authorize existing auth_id
Kotresh HR [Mon, 4 Jan 2021 13:04:54 +0000 (18:34 +0530)]
mgr/volumes: Disallow authorize existing auth_id

This patch disallows the mgr plugin to authorize the auth_id
which is not created via mgr plugin. Those auth_ids could be
created by other means for other use cases which should not be modified
via mgr plugin.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit c02890404e47a5a95c5cc16b699306045d586c7f)

3 years agomgr/volumes: Add subvolume authorized_list command
Kotresh HR [Mon, 23 Nov 2020 12:19:04 +0000 (17:49 +0530)]
mgr/volumes: Add subvolume authorized_list command

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 1abec3d0ca8c4fa405cdbf56c55f44f37aca9ca8)

3 years agomgr/volumes: Add tenant_id option to subvolume authorize
Kotresh HR [Mon, 23 Nov 2020 06:08:27 +0000 (11:38 +0530)]
mgr/volumes: Add tenant_id option to subvolume authorize

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 39acfcc91c1b6a85f6fa96a5e894d81a7225f9dc)

3 years agomgr/volumes: Persist auth and subvolume metadata
Kotresh HR [Wed, 18 Nov 2020 10:13:25 +0000 (15:43 +0530)]
mgr/volumes: Persist auth and subvolume metadata

1. Subvolume create and delete operations create and delete subvolume
   metadata file respectively.
2. Subvolume authorize creates the auth meta file and persists the
   required metadata on subvolume metadata file and auth metadata file
   on disk. Subvolume deauthorize clears the required metadata on
   both metadata files.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 04d876ced756ca86580bdff4ac116333dbb102e5)

3 years agomgr/volumes: Filter inherited snapshots while listing snapshots
Kotresh HR [Fri, 18 Dec 2020 11:33:14 +0000 (17:03 +0530)]
mgr/volumes: Filter inherited snapshots while listing snapshots

Filter inherited snapshots resulted as part of a snapshot
at ancestor level while listing snapshots of a subvolume
and subvolumegroup

Also, fail the snapshot info on inherited snapshot.

Fixes: https://tracker.ceph.com/issues/48501
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit bd49b6409be79dba4a119c809983a05687242732)

Conflicts:
    qa/tasks/cephfs/test_volumes.py: Few of the tests are re-organized,
       hence the conflicts. Resolved the same.

3 years agodoc/mgr/volumes: Document authorize/deauthorize cli commands
Kotresh HR [Fri, 11 Sep 2020 04:26:22 +0000 (09:56 +0530)]
doc/mgr/volumes: Document authorize/deauthorize cli commands

Fixes: https://tracker.ceph.com/issues/40401
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 1426c23ab50a4d64e1c4f1f61185117a270c8ec7)

3 years agoqa/tasks/cephfs: test `fs subvolume authorize/deauthorize`
Ramana Raja [Thu, 11 Jul 2019 11:14:35 +0000 (16:44 +0530)]
qa/tasks/cephfs: test `fs subvolume authorize/deauthorize`

Fixes: https://tracker.ceph.com/issues/40401
Signed-off-by: Ramana Raja <rraja@redhat.com>
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 7c98dc1ad35a2244cbf949be9782a3412886b305)

Conflicts:
    qa/tasks/cephfs/test_volumes.py: Few of the test cases are
re-organized, hence the conflicts. Resolved the same.

Signed-off-by: Kotresh HR <khiremat@redhat.com>
3 years agomgr/volumes: Allow/deny auth IDs access to FS subvolumes
Ramana Raja [Fri, 5 Jul 2019 06:41:52 +0000 (12:11 +0530)]
mgr/volumes: Allow/deny auth IDs access to FS subvolumes

... via the `ceph fs subvolume authorize/deauthorize` command.

Fixes: https://tracker.ceph.com/issues/40401
Signed-off-by: Ramana Raja <rraja@redhat.com>
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 6c3b7547fbf3d987e715e9502359acd873374831)

3 years agomon/MonCap: allow 'profile mgr' to create/update/del auth IDs
Ramana Raja [Wed, 10 Jul 2019 19:03:20 +0000 (00:33 +0530)]
mon/MonCap: allow 'profile mgr' to create/update/del auth IDs

Signed-off-by: Ramana Raja <rraja@redhat.com>
(cherry picked from commit d3aea5579778a73dc2418e7b137dc21717944c3e)

3 years agoMerge pull request #39512 from rhcs-dashboard/wip-48862-octopus
Ernesto Puerta [Thu, 4 Mar 2021 19:55:46 +0000 (20:55 +0100)]
Merge pull request #39512 from rhcs-dashboard/wip-48862-octopus

octopus: mgr/dashboard: Monitoring alert badge includes suppressed alerts

Reviewed-by: Aashish Sharma <aasharma@redhat.com>
Reviewed-by: Nizamudeen A <nia@redhat.com>
3 years agomgr/dashboard: fix issues related with PyJWT versions >=2.0.0 39836/head
Alfonso Martínez [Wed, 3 Mar 2021 14:36:06 +0000 (15:36 +0100)]
mgr/dashboard: fix issues related with PyJWT versions >=2.0.0

Fixes: https://tracker.ceph.com/issues/49574
Signed-off-by: Alfonso Martínez <almartin@redhat.com>
(cherry picked from commit 4b96bb51e8f133badd7bc651bcb4dcd755b43d75)

 Conflicts:
src/pybind/mgr/dashboard/services/auth.py
        - Addressed conflicts.

3 years agoMerge pull request #39715 from sebastian-philipp/octopus-backport-39069
Yuri Weinstein [Thu, 4 Mar 2021 16:09:15 +0000 (08:09 -0800)]
Merge pull request #39715 from sebastian-philipp/octopus-backport-39069

octopus: cephadm: fix 'inspect' and 'pull'

Reviewed-by: Nathan Cutler <ncutler@suse.com>