Merge PR #27823 into master

* refs/pull/27823/head:
	msg/async/ProtocolV1: generate authorizer for mon to mon connections
	mon/Monitor: require authorizer from peer monitors

Reviewed-by: Kefu Chai <kchai@redhat.com>
Reviewed-by: Neha Ojha <nojha@redhat.com>

src/mon/Monitor.cc

@@ -6188,9 +6188,11 @@ int Monitor::handle_auth_request(
 	   << " payload " << payload.length()
 	   << dendl;
   if (!payload.length()) {
-    if (!con->is_msgr2()) {
+    if (!con->is_msgr2() &&
-      // for v1 connections, we tolerate no authorizer, because authentication
+	con->get_peer_type() != CEPH_ENTITY_TYPE_MON) {
-      // happens via MAuth messages.
+      // for v1 connections, we tolerate no authorizer (from
+      // non-monitors), because authentication happens via MAuth
+      // messages.
       return 1;
     }
     return -EACCES;

src/msg/async/ProtocolV1.cc

@@ -1444,7 +1444,8 @@ CtPtr ProtocolV1::send_connect_message()
   bufferlist auth_bl;
   vector<uint32_t> preferred_modes;
 
-  if (connection->peer_type != CEPH_ENTITY_TYPE_MON) {
+  if (connection->peer_type != CEPH_ENTITY_TYPE_MON ||
+      messenger->get_myname().type() == CEPH_ENTITY_TYPE_MON) {
     if (authorizer_more.length()) {
       ldout(cct,10) << __func__ << " using augmented (challenge) auth payload"
 		    << dendl;
@@ -1575,7 +1576,8 @@ CtPtr ProtocolV1::handle_connect_reply_auth(char *buffer, int r) {
   bufferlist authorizer_reply;
   authorizer_reply.append(buffer, connect_reply.authorizer_len);
 
-  if (connection->peer_type != CEPH_ENTITY_TYPE_MON) {
+  if (connection->peer_type != CEPH_ENTITY_TYPE_MON ||
+      messenger->get_myname().type() == CEPH_ENTITY_TYPE_MON) {
     auto am = auth_meta;
     bool more = (connect_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER);
     bufferlist auth_retry_bl;