Merge PR #33777 into octopus

* refs/pull/33777/head:
	rgw: svc.config_key_rados: get() warns if potentially insecure connection
	rgw: svc.rados: add clog_warn()
	mon: log monitor: add command level param
	auth registry: helpers for checking secure method/mode

Reviewed-by: Casey Bodley <cbodley@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>

src/auth/AuthRegistry.h

@@ -60,6 +60,14 @@ public:
 		     uint32_t auth_method,
 		     const std::vector<uint32_t>& preferred_modes);
 
+  static bool is_secure_method(uint32_t method) {
+    return (method == CEPH_AUTH_CEPHX);
+  }
+
+  static bool is_secure_mode(uint32_t mode) {
+    return (mode == CEPH_CON_MODE_SECURE);
+  }
+
   AuthAuthorizeHandler *get_handler(int peer_type, int method);
 
   const char** get_tracked_conf_keys() const override;

src/mon/LogMonitor.cc

@@ -673,6 +673,7 @@ bool LogMonitor::prepare_command(MonOpRequestRef op)
 
   if (prefix == "log") {
     vector<string> logtext;
+    string level_str;
     cmd_getval(cmdmap, "logtext", logtext);
     LogEntry le;
     le.rank = m->get_orig_source();
@@ -680,7 +681,8 @@ bool LogMonitor::prepare_command(MonOpRequestRef op)
     le.name = session->entity_name;
     le.stamp = m->get_recv_stamp();
     le.seq = 0;
-    le.prio = CLOG_INFO;
+    cmd_getval(cmdmap, "level", level_str, string("info"));
+    le.prio = LogEntry::str_to_level(level_str);
     le.channel = CLOG_CHANNEL_DEFAULT;
     le.msg = str_join(logtext, " ");
     pending_summary.add(le);

src/rgw/rgw_asio_frontend.cc

@@ -603,7 +603,7 @@ int AsioFrontend::get_config_key_val(string name,
   }
 
   auto svc = env.store->svc()->config_key;
-  int r = svc->get(name, pbl);
+  int r = svc->get(name, true, pbl);
   if (r < 0) {
     lderr(ctx()) << type << " was not found: " << name << dendl;
     return r;

src/rgw/rgw_service.cc

@@ -160,6 +160,12 @@ int RGWServices_Def::init(CephContext *cct,
     return r;
   }
 
+  r = config_key_rados->start();
+  if (r < 0) {
+    ldout(cct, 0) << "ERROR: failed to start config_key service (" << cpp_strerror(-r) << dendl;
+    return r;
+  }
+
   r = zone_utils->start();
   if (r < 0) {
     ldout(cct, 0) << "ERROR: failed to start zone_utils service (" << cpp_strerror(-r) << dendl;

src/rgw/services/svc_config_key.h

@@ -26,6 +26,6 @@ public:
   RGWSI_ConfigKey(CephContext *cct) : RGWServiceInstance(cct) {}
   virtual ~RGWSI_ConfigKey() {}
 
-  virtual int get(const string& key, bufferlist *result) = 0;
+  virtual int get(const string& key, bool secure, bufferlist *result) = 0;
 };
 

src/rgw/services/svc_config_key_rados.cc

@@ -2,7 +2,28 @@
 #include "svc_rados.h"
 #include "svc_config_key_rados.h"
 
-int RGWSI_ConfigKey_RADOS::get(const string& key, bufferlist *result)
+int RGWSI_ConfigKey_RADOS::do_start()
+{
+  maybe_insecure_mon_conn = !svc.rados->check_secure_mon_conn();
+
+  return 0;
+}
+
+void RGWSI_ConfigKey_RADOS::warn_if_insecure()
+{
+  if (!maybe_insecure_mon_conn ||
+      warned_insecure.test_and_set()) {
+    return;
+  }
+
+  string s = "rgw is configured to optionally allow insecure connections to the monitors (auth_supported, ms_mon_client_mode), ssl certificates stored at the monitor configuration could leak";
+
+  svc.rados->clog_warn(s);
+
+  lderr(ctx()) << __func__ << "(): WARNING: " << s << dendl;
+}
+
+int RGWSI_ConfigKey_RADOS::get(const string& key, bool secure, bufferlist *result)
 {
   string cmd =
     "{"
@@ -12,5 +33,14 @@ int RGWSI_ConfigKey_RADOS::get(const string& key, bufferlist *result)
 
   bufferlist inbl;
   auto handle = svc.rados->handle();
-  return handle.mon_command(cmd, inbl, result, nullptr);
+  int ret = handle.mon_command(cmd, inbl, result, nullptr);
+  if (ret < 0) {
+    return ret;
+  }
+
+  if (secure) {
+    warn_if_insecure();
+  }
+
+  return 0;
 }

src/rgw/services/svc_config_key_rados.h

@@ -18,6 +18,8 @@
 
 #pragma once
 
+#include <atomic>
+
 #include "rgw/rgw_service.h"
 
 #include "svc_config_key.h"
@@ -26,6 +28,13 @@ class RGWSI_RADOS;
 
 class RGWSI_ConfigKey_RADOS : public RGWSI_ConfigKey
 {
+  bool maybe_insecure_mon_conn{false};
+  std::atomic_flag warned_insecure{ATOMIC_FLAG_INIT};
+
+  int do_start() override;
+
+  void warn_if_insecure();
+
 public:
   struct Svc {
     RGWSI_RADOS *rados{nullptr};
@@ -37,7 +46,7 @@ public:
 
   RGWSI_ConfigKey_RADOS(CephContext *cct) : RGWSI_ConfigKey(cct) {}
 
-  int get(const string& key, bufferlist *result) override;
+  int get(const string& key, bool secure, bufferlist *result) override;
 };
 
 

src/rgw/services/svc_rados.cc

@@ -9,6 +9,8 @@
 #include "rgw/rgw_tools.h"
 #include "rgw/rgw_cr_rados.h"
 
+#include "auth/AuthRegistry.h"
+
 #define dout_subsys ceph_subsys_rgw
 
 RGWSI_RADOS::RGWSI_RADOS(CephContext *cct) : RGWServiceInstance(cct)
@@ -369,3 +371,46 @@ int RGWSI_RADOS::Pool::List::get_marker(string *marker)
   return 0;
 }
 
+int RGWSI_RADOS::clog_warn(const string& msg)
+{
+  string cmd =
+    "{"
+      "\"prefix\": \"log\", "
+      "\"level\": \"warn\", "
+      "\"logtext\": [\"" + msg + "\"]"
+    "}";
+
+  bufferlist inbl;
+  auto h = handle();
+  return h.mon_command(cmd, inbl, nullptr, nullptr);
+}
+
+bool RGWSI_RADOS::check_secure_mon_conn() const
+{
+  AuthRegistry reg(cct);
+
+  reg.refresh_config();
+
+  std::vector<uint32_t> methods;
+  std::vector<uint32_t> modes;
+
+  reg.get_supported_methods(CEPH_ENTITY_TYPE_MON, &methods, &modes);
+  ldout(cct, 20) << __func__ << "(): auth registy supported: methods=" << methods << " modes=" << modes << dendl;
+
+  for (auto method : methods) {
+    if (!reg.is_secure_method(method)) {
+      ldout(cct, 20) << __func__ << "(): method " << method << " is insecure" << dendl;
+      return false;
+    }
+  }
+
+  for (auto mode : modes) {
+    if (!reg.is_secure_mode(mode)) {
+      ldout(cct, 20) << __func__ << "(): mode " << mode << " is insecure" << dendl;
+      return false;
+    }
+  }
+
+  return true;
+}
+

src/rgw/services/svc_rados.h

@@ -68,11 +68,14 @@ public:
   void shutdown() override;
 
   uint64_t instance_id();
+  bool check_secure_mon_conn() const;
 
   RGWAsyncRadosProcessor *get_async_processor() {
     return async_processor.get();
   }
 
+  int clog_warn(const string& msg);
+
   class Handle;
 
   class Pool {