Commit Graph

94651 Commits

Author SHA1 Message Date
Sage Weil
5e4df2a509 doc/dev/cephx: re-wordwrap
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:34 -06:00
Sage Weil
c1102f043e doc/dev/cephx: document nautilus change to cephx
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
d3f0d0968a vstart.sh: fix --msgr2 option
Should be v2 only and turn of v1.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
87a991cc28 msg/async/ProtocolV2: use shared_ptr to manage auth_meta
When we reconnect a session, we need to move the new connection's auth_meta
over to the existing connection.  However, the existing connection may
have a thread that is unlocked and calling into an AuthClient or AuthServer
method making good use of the old auth_meta.

Resolved this by making auth_meta a shared_ptr and taking a local ref
before dropping the connection lock.  This way we are free to move the
auth_meta over to the new connection as long as we are holding the lock,
and at the same time the existing connection can fiddle with the old
auth_meta without being disturbed.  (That old auth_meta is about to get
discarded, but we still need to prevent the two threads from stomping on
each other.)

This also cleans up the reset_recv_state() a bit since we can simply
replace the old auth_meta with a totally fresh one without worrying about
what kind of state might be lurking in there.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
160b54da80 auth/Auth{Client,Server}: pass auth_meta in explicitly
This removes the wonky accessor on Connection, and most importantly
allows the caller to control the lifecycle of the AuthConnectionMeta.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
a948c0d0de mon/MonClient: behave if authorizer can't be built (yet)
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
26a8bb65a7 osd: set_auth_server on client_messenger
monc sets up the AuthClient, not the AuthServer.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
c1b5794a5a common/ceph_context: get_moduel_type() for seastar cct
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
951da2fbfa auth: make connection_secret a std::string
Move connection mode decision to initial auth_request point so that it
can inform auth implementation how big the connection secret should be.
Pass that value through where appropriate.

The connection_secret is now a std::string filled with random bytes.

For now the v2 protocol just uses the session_key CryptoKey to encrypt,
but this is about to change.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
c7ee66c3e5 auth,msg/async/ProtocolV2: negotiate connection modes
The modes are:

- crc: crc32c checksums to protect against bit errors.  No secrecy or
  authenticity guarantees, so a MITM could alter traffic in flight.
- secure: cryptographic secrecy and authenticity proection (i.e, encrypted
  and signed).

We do not include a 'signed' mode that provides authenticity without
secrecy because the cryptographic protocols appear to be faster than
SHA-2.

New settings:

- ms_cluster_mode  : mode(s list) for intra-cluster connections
- ms_service_mode  : mode(s list) for daemons to allow
- ms_client_mode   : mode(s list) for clients to allow

Also,

- ms_mon_cluster_mode  : mon <-> mon connections
- ms_mon_service_mode  : mon <-> daemon or client connections

The msgr2 protocol is expanded slightly to negotiate a mode.  Client
shares it's allowed/preferred modes, and server picks one as auth finishes.
Negotiation is independent of the authentication, except that the
authentiction mode may precluse certain choices. Specifically, AUTH_NONE
does not support 'secure', only 'crc'.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
9c3dd336b7 auth/AuthRegistry: refactor handling of auth_*_requred options
- simplify/consolidate my type and peer type effects on auth method
- watch for runtime config changes

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
fa7c83f6dc osd,mgr,mds: remove unused authorize registries
These are handled by AuthClient and AuthServer now.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
1d29722f80 switch monc, daemons to use new msgr2 auth frame exchange
- MonClient implements AuthClient to authenticate as a client
- MonClient implements AuthServer to allow daemons to verify authorizers
- Monitor implements AuthServer to allow clients to authenticate with
  an exchange of msgr2 frames
- Monitor implements AuthClient to authenticate with other monitors

After this change ProtocolV1 and SimpleMessenger still use all of the
old Dispatcher-based callbacks, but ProtocolV2 doesn't need them at
all (except for ms_handle_authentication when we finish).

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 12:10:33 -06:00
Sage Weil
c1a2d1be52 doc/dev/msgr2: update docs to match implementation for auth frames
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
ee2e31b244 auth/AuthClientHandler: add build_initial_request hook
With msgr2 the initial kickoff of an authentication handshake is client ->
server, while with msgr1 it was server -> client.  So existing
implementations have an empty initial message (outside of the messenger's
envelope).  Future auth implementations that are msgr2 only (e.g., krb)
may want to make use of this initial payload.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
d0dc20ed9a msg/Messenger: attach auth_client and/or auth_server to each Messenger
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
cfe7f4992b auth: introduce AuthClient and AuthServer handlers
These will be the primary interfaces consumed by the messenger and
implemented by either MonClient (regular client, or service daemon) or
Monitor for doing authentication.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
f152b4aae1 auth: codify AUTH_MODE_AUTHORIZER
The AuthAuthorizer encoding always begins with byte 0x01.  Codify that
as AUTH_MODE_AUTHORIZER so that we can distinguish an authorizer from
something else (e.g., an attempt to authenticate and get an initial auth
ticket with the mon).

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
5bd92c29d9 msg/Connection: track peer_id (id portion of entity_name_t) for msgr2
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
a7d6a54f73 auth/AuthAuthorizeHandler: add get_supported_methods()
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
0267fb04ff auth/AuthAuthorizeHandler: fix args for verify_authorizer()
const bufferlists in, pointers for output args.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
4f78af7d69 auth: constify bufferlist arg to AuthAuthorizer::add_challenge()
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
1adf313ef9 auth/cephx: share all tickets and connection_secret in initial reply
Previously, we would give the client the auth ticket, like a rbd TGT
(ticket granting ticket), and the client would then ask for all of the
other tickets it wants in a separate message.

Instead, have the client specify which tickets it wants up front and pass
them all at the same time.

Also, generate and share the connection_secret, which will be used for
encryption.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
7dd93be90a msg/async,auth: add AuthConnectionMeta to Protocol
This will hold all of the authentication-related state in an easy-to-find
section that can be accessed via a Connection* or by the protocol stack
(as needed).

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
fc90a084c4 auth/AuthClientHandler: pass in session_key, connection_secret pointers
No functional change.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
a34fe37418 auth/AuthServiceHandler: take session_key and connection_secret as args
Allow these methods to populate session and connection secrets.

No functional change (yet).

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
c0d270a434 auth/cephx: pass more specific type into build_session_auth_info
We were passing CephXServiceTicketInfo in, but the only part of it we
needed was the embedded AuthTicket.  Pass that instead.

No functional change.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
c1aacdd85e mon/Session: separate session creation, peer ident, and registration
- We can now construct a session before we know who it is
- We can later call _ident to identify it
- and also later register it in the session map

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
6663d17ad7 mon/AuthMonitor: bump max_global_id from on_active() and tick()
We should get some runway even if there isn't an auth request coming in.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
91dd0c9787 mon/AuthMonitor: be more careful with max_global_id
We're potentially handing out ids that haven't committed by increasing
max_global_id before it commits.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
596fcff1ed mon: only all ms_handle_authentication() if auth method says we're done
Previously we would call ms_handle_authentication() possibly multiple
times, and without knowning whether it might succeed. Instead, only call
it when start_session() or handle_request() returns >0 to indicate that
we should.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
da326e7ab8 mon/AuthMonitor: fix "finished with auth" condition check
We are sending the monmap prematurely (before we finish the authentication
handshake).

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
133481ffd7 auth: clean up AuthServiceHandler::handle_request() args
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
57c72346c7 auth: clean up AuthServiceHandler::start_session()
- return error code, not type (which never changes)
- take const ref for input args
- pointers for output args

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
090033abd0 mon/AuthMonitor: drop unused op arg to assign_global_id()
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
1c40968bd5 msg/async: separate TAG_AUTH_REQUEST_MORE and TAG_AUTH_REPLY_MORE
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:03 -06:00
Sage Weil
43548f743d msg/async: consolidate authorizer checks
No need to special-case auth methods at this layer.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:02 -06:00
Sage Weil
27f8ff6282 msg/async: move get_auth_allowed into ProtocolV2.cc
We're the only user, and no Dispatchers override.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:02 -06:00
Sage Weil
942396bdf9 mon/MonClient: trivial cleanup
Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:53:02 -06:00
Sage Weil
a8935b3580 ceph_test_msgr: fix server->client addr discovery
The client's myaddr will be an ANY address, but the internel connection table
will use a v1: or v2: address.  Use the get_peer_addrs() to figure out how to
connect instead.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
80cc838b7b msg/{async,simple}: make learned_addr a bit smarter
Only set type ANY if we are a pure client; otherwise, preserve the
type.  Also, only populate the addr if we have a blank ip (sometimes
we already know it from learn_addr_unknowns).

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
cb0e7e0281 msg/async: very protocol type when looking up existing connections
Since we register client connections as any:, we may have either a ProtocolV1 or V2
connection.  This happens when clients have an imprecise mon search list and connect
to the same mon via both v1 and v2, for example when you do something like

 ceph -m 'v2:127.0.0.1:40648/0,v1:127.0.0.1:40649/0' -s

If we do encounter the other protocol type than what we expect, just mark it down and
proceed.  This is only a temporarily case that happens during mon discovery, the client
is always prepared to retry, and it doesn't actually matter which one succeeds since
it will return a monmap and the client will adapt accordingly.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
3518f794a2 common/LogEntry: use as_legacy_addr()
...just in case addrs has an any addr.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
f1f3b12df7 msg/msg_types: add entity_addrvec_t::as_legacy_addr()
Return either the actual legacy addr, or an any addr as a legacy addr.  If
neither is available, lie and return a v2 (or other) addr as a legacy adr.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
1c26e4d0f6 msg/async/AsyncMessenger: drop weird assert
I'm not sure what this was intended for originally...

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
d2d632192a msg/Messenger: be less verbose
This message has been annoying me

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
48dd8d04b4 msg/simple: learn client addr as type any
Just like AsyncMessenger.  Best to be consistent!

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
c6c5636b2d msg/simple: set_addr_unknowns(): use front(), not legacy_addr()
We may be passed an any: address.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
37e4f613d5 msg/msg_types: drop any: prefix
If it can be any type of address, then simply don't specify the type.  This
is less confusing for humans.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00
Sage Weil
ec8cc63910 remove all Messenger::get_myaddr() users
Use get_myaddrs() instead and join the glorious future.

Signed-off-by: Sage Weil <sage@redhat.com>
2019-02-07 06:13:09 -06:00