diff --git a/src/client/Client.cc b/src/client/Client.cc
index 082ea717327..b39a5184056 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -13990,14 +13990,6 @@ bool Client::ms_handle_refused(Connection *con)
 return false;
 }
-bool Client::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
- *authorizer = monclient->build_authorizer(dest_type);
- return true;
-}
-
 Inode *Client::get_quota_root(Inode *in, const UserPerm& perms)
 {
 Inode *quota_in = root_ancestor;
diff --git a/src/client/Client.h b/src/client/Client.h
index 3c00d2294f4..bf4da673779 100644
--- a/src/client/Client.h
+++ b/src/client/Client.h
@@ -923,7 +923,6 @@ protected:
 bool ms_handle_reset(Connection *con) override;
 void ms_handle_remote_reset(Connection *con) override;
 bool ms_handle_refused(Connection *con) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
 int authenticate();
diff --git a/src/librados/RadosClient.cc b/src/librados/RadosClient.cc
index e2321759987..5c0e2f919e0 100644
--- a/src/librados/RadosClient.cc
+++ b/src/librados/RadosClient.cc
@@ -56,16 +56,6 @@
 #undef dout_prefix
 #define dout_prefix *_dout << "librados: "
-bool librados::RadosClient::ms_get_authorizer(int dest_type,
- AuthAuthorizer **authorizer) {
- //ldout(cct, 0) << "RadosClient::ms_get_authorizer type=" << dest_type << dendl;
- /* monitor authorization is being handled on different layer */
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
- *authorizer = monclient.build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
 librados::RadosClient::RadosClient(CephContext *cct_)
 : Dispatcher(cct_->get()),
 cct_deleter{cct_, [](CephContext *p) {p->put();}},
diff --git a/src/librados/RadosClient.h b/src/librados/RadosClient.h
index 8c12aa066a1..ecba2e6af20 100644
--- a/src/librados/RadosClient.h
+++ b/src/librados/RadosClient.h
@@ -61,7 +61,6 @@ private:
 bool _dispatch(Message *m);
 bool ms_dispatch(Message *m) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
 void ms_handle_connect(Connection *con) override;
 bool ms_handle_reset(Connection *con) override;
 void ms_handle_remote_reset(Connection *con) override;
diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc
index 9d91043541a..cbcb3ca301f 100644
--- a/src/mds/MDSDaemon.cc
+++ b/src/mds/MDSDaemon.cc
@@ -1163,20 +1163,6 @@ bool MDSDaemon::ms_dispatch2(const ref_t &m)
 }
 }
-bool MDSDaemon::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- dout(10) << "MDSDaemon::ms_get_authorizer type="
- << ceph_entity_type_name(dest_type) << dendl;
-
- /* monitor authorization is being handled on different layer */
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
-
 /*
 * high priority messages we always process
 */
@@ -1277,11 +1263,6 @@ bool MDSDaemon::ms_handle_refused(Connection *con)
 return false;
 }
-KeyStore *MDSDaemon::ms_get_auth1_authorizer_keystore()
-{
- return monc->rotating_secrets.get();
-}
-
 bool MDSDaemon::parse_caps(const AuthCapsInfo& info, MDSAuthCaps& caps)
 {
 caps.clear();
diff --git a/src/mds/MDSDaemon.h b/src/mds/MDSDaemon.h
index 5f12dd14333..4603f0512ee 100644
--- a/src/mds/MDSDaemon.h
+++ b/src/mds/MDSDaemon.h
@@ -106,9 +106,7 @@ class MDSDaemon : public Dispatcher, public md_config_obs_t {
 private:
 bool ms_dispatch2(const ref_t &m) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
 int ms_handle_authentication(Connection *con) override;
- KeyStore *ms_get_auth1_authorizer_keystore() override;
 void ms_handle_accept(Connection *con) override;
 void ms_handle_connect(Connection *con) override;
 bool ms_handle_reset(Connection *con) override;
diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
index e6976cb3891..b7c5e35f59b 100644
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
@@ -158,11 +158,6 @@ entity_addrvec_t DaemonServer::get_myaddrs() const
 return msgr->get_myaddrs();
 }
-KeyStore *DaemonServer::ms_get_auth1_authorizer_keystore()
-{
- return monc->rotating_secrets.get();
-}
-
 int DaemonServer::ms_handle_authentication(Connection *con)
 {
 MgrSession *s = new MgrSession(cct);
@@ -210,21 +205,6 @@ int DaemonServer::ms_handle_authentication(Connection *con)
 return 1;
 }
-bool DaemonServer::ms_get_authorizer(
- int dest_type,
- AuthAuthorizer **authorizer)
-{
- dout(10) << "type=" << ceph_entity_type_name(dest_type) << dendl;
-
- if (dest_type == CEPH_ENTITY_TYPE_MON) {
- return true;
- }
-
- *authorizer = monc->build_authorizer(dest_type);
- dout(20) << "got authorizer " << *authorizer << dendl;
- return *authorizer != NULL;
-}
-
 bool DaemonServer::ms_handle_reset(Connection *con)
 {
 if (con->get_peer_type() == CEPH_ENTITY_TYPE_OSD) {
diff --git a/src/mgr/DaemonServer.h b/src/mgr/DaemonServer.h
index b728fabad8d..5c87dec15e7 100644
--- a/src/mgr/DaemonServer.h
+++ b/src/mgr/DaemonServer.h
@@ -142,8 +142,6 @@ public:
 bool ms_handle_reset(Connection *con) override;
 void ms_handle_remote_reset(Connection *con) override {}
 bool ms_handle_refused(Connection *con) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
- KeyStore *ms_get_auth1_authorizer_keystore() override;
 bool handle_open(const ceph::ref_t& m);
 bool handle_close(const ceph::ref_t& m);
diff --git a/src/mgr/MgrStandby.cc b/src/mgr/MgrStandby.cc
index 418a2114cd2..13d03a69efd 100644
--- a/src/mgr/MgrStandby.cc
+++ b/src/mgr/MgrStandby.cc
@@ -452,15 +452,6 @@ bool MgrStandby::ms_dispatch2(const ref_t& m)
 }
-bool MgrStandby::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc.build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
 bool MgrStandby::ms_handle_refused(Connection *con)
 {
 // do nothing for now
diff --git a/src/mgr/MgrStandby.h b/src/mgr/MgrStandby.h
index 8a7e633b1d7..ae1d02e3328 100644
--- a/src/mgr/MgrStandby.h
+++ b/src/mgr/MgrStandby.h
@@ -74,7 +74,6 @@ public:
 bool ms_dispatch2(const ceph::ref_t& m) override;
 bool ms_handle_reset(Connection *con) override { return false; }
 void ms_handle_remote_reset(Connection *con) override {}
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
 bool ms_handle_refused(Connection *con) override;
 int init();
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index f56907c7cf0..c03328e56cc 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -6021,7 +6021,7 @@ int Monitor::get_auth_request(
 return -EACCES;
 }
 AuthAuthorizer *auth;
- if (!ms_get_authorizer(con->get_peer_type(), &auth)) {
+ if (!get_authorizer(con->get_peer_type(), &auth)) {
 return -EACCES;
 }
 auth_meta->authorizer.reset(auth);
@@ -6082,9 +6082,9 @@ int Monitor::handle_auth_bad_method(
 return -EACCES;
 }
-bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer)
+bool Monitor::get_authorizer(int service_id, AuthAuthorizer **authorizer)
 {
- dout(10) << "ms_get_authorizer for " << ceph_entity_type_name(service_id)
+ dout(10) << "get_authorizer for " << ceph_entity_type_name(service_id)
 << dendl;
 if (is_shutdown())
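Review bot: In the `Monitor::get_auth_request` hunk of src/mon/Monitor.cc, `AuthAuthorizer *auth;` is declared without an initializer and is passed to `auth_meta->authorizer.reset(auth)` whenever `get_authorizer()` returns true. The Dispatcher doc comment that this commit deletes asked callers to set `*a` to NULL before the call, and several of the implementations removed here returned true for the monitor peer type without writing the out-parameter, so the contract is not self-enforcing; whether every true-returning path of `Monitor::get_authorizer` assigns `*authorizer` cannot be confirmed from the visible hunks. Declaring it as `AuthAuthorizer *auth = nullptr;` keeps an indeterminate pointer from ever reaching the `reset()` on the authentication path. The function body starts and ends outside the hunk.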
@@ -6153,7 +6153,7 @@ bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer)
 CephXTicketBlob blob;
 if (!cephx_build_service_ticket_blob(cct, info, blob)) {
- dout(0) << "ms_get_authorizer failed to build service ticket" << dendl;
+ dout(0) << "get_authorizer failed to build service ticket" << dendl;
 return false;
 }
 bufferlist ticket_data;
@@ -6170,11 +6170,6 @@ bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer)
 return true;
 }
-KeyStore *Monitor::ms_get_auth1_authorizer_keystore()
-{
- return &keyring;
-}
-
 int Monitor::handle_auth_request(
 Connection *con,
 AuthConnectionMeta *auth_meta,
diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h
index cf57b560a9f..2df754d042e 100644
--- a/src/mon/Monitor.h
+++ b/src/mon/Monitor.h
@@ -892,8 +892,7 @@ public:
 void dispatch_op(MonOpRequestRef op);
 //mon_caps is used for un-connected messages from monitors
 MonCap mon_caps;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
- KeyStore *ms_get_auth1_authorizer_keystore();
+ bool get_authorizer(int dest_type, AuthAuthorizer **authorizer);
 public: // for AuthMonitor msgr1:
 int ms_handle_authentication(Connection *con) override;
 private:
diff --git a/src/msg/Dispatcher.h b/src/msg/Dispatcher.h
index fef5e3203ff..f7a6fded347 100644
--- a/src/msg/Dispatcher.h
+++ b/src/msg/Dispatcher.h
@@ -23,10 +23,8 @@
 class Messenger;
 class Connection;
-class AuthAuthorizer;
 class CryptoKey;
 class CephContext;
-class AuthAuthorizerChallenge;
 class KeyStore;
 class Dispatcher {
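Review bot: In the src/mon/Monitor.h hunk, `get_authorizer` is no longer a Dispatcher override, yet it appears to stay in a `public:` section and loses the only description of its out-parameter contract, which lived on `Dispatcher::ms_get_authorizer` and is deleted by this same commit. The declaration also names the first parameter `dest_type` while the definition in Monitor.cc uses `service_id`. I would declare it as `bool get_authorizer(int service_id, AuthAuthorizer **authorizer);` under a comment such as `// Builds an authorizer for service_id; on true the caller owns *authorizer (pass it in as nullptr).`, which matches the `auth_meta->authorizer.reset(auth)` call in `get_auth_request`. If no caller outside Monitor remains, which the diff does not show, moving the declaration to a private section would narrow who can mint authorizers from the monitor.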
@@ -216,32 +214,6 @@ public:
 return 0;
 }
- /**
- * get authentication keyring
- *
- * Return the keyring to use for authentication with msgr1. Remove me
- * someday.
- */
- virtual KeyStore* ms_get_auth1_authorizer_keystore() {
- return nullptr;
- }
-
- /**
- * Retrieve the AuthAuthorizer for the given peer type. It might not
- * provide one if it knows there is no AuthAuthorizer for that type.
- *
- * @param dest_type The peer type we want the authorizer for.
- * @param a Double pointer to an AuthAuthorizer. The Dispatcher will fill
- * in *a with the correct AuthAuthorizer, if it can. Make sure that you have
- * set *a to NULL before calling in.
- * @param force_new Force the Dispatcher to wait for a new set of keys before
- * returning the authorizer.
- *
- * @return True if this function call properly filled in *a, false otherwise.
- */
- virtual bool ms_get_authorizer(int dest_type, AuthAuthorizer **a) {
- return false;
- }
 /**
 * @} //Authentication
 */
diff --git a/src/msg/Messenger.cc b/src/msg/Messenger.cc
index c61b3834cf0..b975006a1dd 100644
--- a/src/msg/Messenger.cc
+++ b/src/msg/Messenger.cc
@@ -97,60 +97,3 @@ int Messenger::bindv(const entity_addrvec_t& addrs)
 return bind(addrs.legacy_addr());
 }
-bool Messenger::ms_deliver_verify_authorizer(
- Connection *con,
- int peer_type,
- int protocol,
- bufferlist& authorizer,
- bufferlist& authorizer_reply,
- bool& isvalid,
- CryptoKey& session_key,
- std::string *connection_secret,
- std::unique_ptr *challenge)
-{
- if (authorizer.length() == 0) {
- for (auto dis : dispatchers) {
- if (!dis->require_authorizer) {
- //ldout(cct,10) << __func__ << " tolerating missing authorizer" << dendl;
- isvalid = true;
- return true;
- }
- }
- }
- AuthAuthorizeHandler *ah = auth_registry.get_handler(peer_type, protocol);
- if (get_mytype() == CEPH_ENTITY_TYPE_MON &&
- peer_type != CEPH_ENTITY_TYPE_MON) {
- // the monitor doesn't do authenticators for msgr1.
- isvalid = true;
- return true;
- }
- if (!ah) {
- lderr(cct) << __func__ << " no AuthAuthorizeHandler found for protocol "
- << protocol << dendl;
- isvalid = false;
- return false;
- }
-
- for (auto dis : dispatchers) {
- KeyStore *ks = dis->ms_get_auth1_authorizer_keystore();
- if (ks) {
- isvalid = ah->verify_authorizer(
- cct,
- ks,
- authorizer,
- 0,
- &authorizer_reply,
- &con->peer_name,
- &con->peer_global_id,
- &con->peer_caps_info,
- &session_key,
- connection_secret,
- challenge);
- if (isvalid) {
- return dis->ms_handle_authentication(con)>=0;
- }
- return true;
- }
- }
- return false;
-}
diff --git a/src/msg/Messenger.h b/src/msg/Messenger.h
index 77aa76136bf..1af703adde1 100644
--- a/src/msg/Messenger.h
+++ b/src/msg/Messenger.h
@@ -788,43 +788,6 @@ public:
 }
 }
- /**
- * Get the AuthAuthorizer for a new outgoing Connection.
- *
- * @param peer_type The peer type for the new Connection
- * @param force_new True if we want to wait for new keys, false otherwise.
- * @return A pointer to the AuthAuthorizer, if we have one; NULL otherwise
- */
- AuthAuthorizer *ms_deliver_get_authorizer(int peer_type) {
- AuthAuthorizer *a = 0;
- for (const auto& dispatcher : dispatchers) {
- if (dispatcher->ms_get_authorizer(peer_type, &a))
- return a;
- }
- return NULL;
- }
- /**
- * Verify that the authorizer on a new incoming Connection is correct.
- *
- * @param con The new incoming Connection
- * @param peer_type The type of the endpoint on the new Connection
- * @param protocol The ID of the protocol in use (at time of writing, cephx or none)
- * @param authorizer The authorization string supplied by the remote
- * @param authorizer_reply Output param: The string we should send back to
- * the remote to authorize ourselves. Only filled in if isvalid
- * @param isvalid Output param: True if authorizer is valid, false otherwise
- *
- * @return True if we were able to prove or disprove correctness of
- * authorizer, false otherwise.
- */
- bool ms_deliver_verify_authorizer(
- Connection *con, int peer_type,
- int protocol, ceph::buffer::list& authorizer, ceph::buffer::list& authorizer_reply,
- bool& isvalid,
- CryptoKey& session_key,
- std::string *connection_secret,
- std::unique_ptr *challenge);
-
 /**
 * @} // Dispatcher Interfacing
 */
diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc
index 750b94abbb2..999896dc461 100644
--- a/src/osd/OSD.cc
+++ b/src/osd/OSD.cc
@@ -7244,27 +7244,6 @@ void OSD::ms_fast_dispatch(Message *m)
 OID_EVENT_TRACE_WITH_MSG(m, "MS_FAST_DISPATCH_END", false);
 }
-bool OSD::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- dout(10) << "OSD::ms_get_authorizer type=" << ceph_entity_type_name(dest_type) << dendl;
-
- if (is_stopping()) {
- dout(10) << __func__ << " bailing, we are shutting down" << dendl;
- return false;
- }
-
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
-KeyStore *OSD::ms_get_auth1_authorizer_keystore()
-{
- return monc->rotating_secrets.get();
-}
-
 int OSD::ms_handle_authentication(Connection *con)
 {
 int ret = 0;
diff --git a/src/osd/OSD.h b/src/osd/OSD.h
index ba01a8eb463..b29c5862cd7 100644
--- a/src/osd/OSD.h
+++ b/src/osd/OSD.h
@@ -1668,18 +1668,6 @@ public:
 int ms_handle_authentication(Connection *con) override {
 return true;
 }
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override {
- // some pre-nautilus OSDs get confused if you include an
- // authorizer but they are not expecting it. do not try to authorize
- // heartbeat connections until all OSDs are nautilus.
- if (osd->get_osdmap()->require_osd_release >= CEPH_RELEASE_NAUTILUS) {
- return osd->ms_get_authorizer(dest_type, authorizer);
- }
- return false;
- }
- KeyStore *ms_get_auth1_authorizer_keystore() override {
- return osd->ms_get_auth1_authorizer_keystore();
- }
 } heartbeat_dispatcher;
 private:
@@ -2201,12 +2189,10 @@ private:
 }
 void ms_fast_dispatch(Message *m) override;
 bool ms_dispatch(Message *m) override;
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
 void ms_handle_connect(Connection *con) override;
 void ms_handle_fast_connect(Connection *con) override;
 void ms_handle_fast_accept(Connection *con) override;
 int ms_handle_authentication(Connection *con) override;
- KeyStore *ms_get_auth1_authorizer_keystore() override;
 bool ms_handle_reset(Connection *con) override;
 void ms_handle_remote_reset(Connection *con) override {}
 bool ms_handle_refused(Connection *con) override;
diff --git a/src/osdc/Objecter.cc b/src/osdc/Objecter.cc
index 0f102bf91cf..f86d55a2573 100644
--- a/src/osdc/Objecter.cc
+++ b/src/osdc/Objecter.cc
@@ -4458,17 +4458,6 @@ bool Objecter::ms_handle_refused(Connection *con)
 return false;
 }
-bool Objecter::ms_get_authorizer(int dest_type,
- AuthAuthorizer **authorizer)
-{
- if (!initialized)
- return false;
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
-
 void Objecter::op_target_t::dump(Formatter *f) const
 {
 f->dump_stream("pg") << pgid;
diff --git a/src/osdc/Objecter.h b/src/osdc/Objecter.h
index 81437faae68..31c9b3a7762 100644
--- a/src/osdc/Objecter.h
+++ b/src/osdc/Objecter.h
@@ -3066,8 +3066,6 @@ public:
 bool ms_handle_reset(Connection *con) override;
 void ms_handle_remote_reset(Connection *con) override;
 bool ms_handle_refused(Connection *con) override;
- bool ms_get_authorizer(int dest_type,
- AuthAuthorizer **authorizer) override;
 void blacklist_self(bool set);
diff --git a/src/tools/cephfs/MDSUtility.cc b/src/tools/cephfs/MDSUtility.cc
index 7e7da209bb6..6e71d21a29c 100644
--- a/src/tools/cephfs/MDSUtility.cc
+++ b/src/tools/cephfs/MDSUtility.cc
@@ -156,11 +156,3 @@ void MDSUtility::handle_fs_map(MFSMap* m)
 }
-bool MDSUtility::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer)
-{
- if (dest_type == CEPH_ENTITY_TYPE_MON)
- return true;
-
- *authorizer = monc->build_authorizer(dest_type);
- return *authorizer != NULL;
-}
diff --git a/src/tools/cephfs/MDSUtility.h b/src/tools/cephfs/MDSUtility.h
index e75a7192eb5..8ffc32f7a5c 100644
--- a/src/tools/cephfs/MDSUtility.h
+++ b/src/tools/cephfs/MDSUtility.h
@@ -51,7 +51,6 @@ public:
 bool ms_handle_reset(Connection *con) override { return false; }
 void ms_handle_remote_reset(Connection *con) override {}
 bool ms_handle_refused(Connection *con) override { return false; }
- bool ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer) override;
 int init();
 void shutdown();
 };