changes to address FTBFS on fc30
Reviewed-by: Brad Hubbard <bhubbard@redhat.com>
Reviewed-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Adam C. Emerson <aemerson@redhat.com>
* refs/pull/26059/head:
mon/MonClient: fix keepalive with v2 auth
msg/async/ProtocolV2: reject peer_addrs of -
msg/async/ProtocolV2: clean up feature management
mon/MonClient: set up rotating_secrets, etc before msgr ready
msg/async: let client specify preferred order of modes
msg/async/ProtocolV2: include entity_name, features in reconnect
msg/async/ProtocolV2: fix write_lock usage around AckFrame
qa/suites/rados/verify/validator/valgrind: debug refs = 5
qa/standalone/ceph-helpers: fix health_ok test
auth/AuthRegistry: only complain about disabling cephx if cephx was enabled
auth/AuthRegistry: fix locking for get_supported_methods()
auth: remove AUTH_UNKNOWN weirdness, hardcoded defaults.
msg/async/ProtocolV2: remove unused get_auth_allowed_methods
osd: set up messenger auth_* before setting dispatcher (and going 'ready')
mon/AuthMonitor: request max_global_id increase from peon in tick
mon: prime MgrClient only after messengers are initialized
qa/suites/rados/workloads/rados_api_tests.yaml: debug mgrc = 20 on mon
auth: document Auth{Client,Server} interfaces
auth: future-proof AUTH_MODE_* a bit in case we need to change the encoding byte
mon/MonClient: request monmap on open instead of ping
mgr/PyModuleRegistry: add details for MGR_MODULE_{DEPENDENCY,ERROR}
crimson: fix build
mon/MonClient: finish authenticate() only after we get monmap; fix 'tell mgr'
mon: add auth_lock to protect auth_meta manipulation
ceph-mon: set up auth before binding
mon: defer initial connection auth attempts until initial quorum is formed
mon/MonClient: make MonClientPinger an AuthClient
ceph_test_msgr: use DummyAuth
auth/DummyAuth: dummy auth server and client for test code
mon/Monitor: fix leak of auth_handler if we error out
doc/dev/cephx: re-wordwrap
doc/dev/cephx: document nautilus change to cephx
vstart.sh: fix --msgr2 option
msg/async/ProtocolV2: use shared_ptr to manage auth_meta
auth/Auth{Client,Server}: pass auth_meta in explicitly
mon/MonClient: behave if authorizer can't be built (yet)
osd: set_auth_server on client_messenger
common/ceph_context: get_module_type() for seastar cct
auth: make connection_secret a std::string
auth,msg/async/ProtocolV2: negotiate connection modes
auth/AuthRegistry: refactor handling of auth_*_required options
osd,mgr,mds: remove unused authorize registries
switch monc, daemons to use new msgr2 auth frame exchange
doc/dev/msgr2: update docs to match implementation for auth frames
auth/AuthClientHandler: add build_initial_request hook
msg/Messenger: attach auth_client and/or auth_server to each Messenger
auth: introduce AuthClient and AuthServer handlers
auth: codify AUTH_MODE_AUTHORIZER
msg/Connection: track peer_id (id portion of entity_name_t) for msgr2
auth/AuthAuthorizeHandler: add get_supported_methods()
auth/AuthAuthorizeHandler: fix args for verify_authorizer()
auth: constify bufferlist arg to AuthAuthorizer::add_challenge()
auth/cephx: share all tickets and connection_secret in initial reply
msg/async,auth: add AuthConnectionMeta to Protocol
auth/AuthClientHandler: pass in session_key, connection_secret pointers
auth/AuthServiceHandler: take session_key and connection_secret as args
auth/cephx: pass more specific type into build_session_auth_info
mon/Session: separate session creation, peer ident, and registration
mon/AuthMonitor: bump max_global_id from on_active() and tick()
mon/AuthMonitor: be more careful with max_global_id
mon: only call ms_handle_authentication() if auth method says we're done
mon/AuthMonitor: fix "finished with auth" condition check
auth: clean up AuthServiceHandler::handle_request() args
auth: clean up AuthServiceHandler::start_session()
mon/AuthMonitor: drop unused op arg to assign_global_id()
msg/async: separate TAG_AUTH_REQUEST_MORE and TAG_AUTH_REPLY_MORE
msg/async: consolidate authorizer checks
msg/async: move get_auth_allowed into ProtocolV2.cc
mon/MonClient: trivial cleanup
Reviewed-by: Greg Farnum <gfarnum@redhat.com>
The old trick of queuing a keepalive sequenced before auth does not work
when auth happens earlier in the process. Work around it.
Signed-off-by: Sage Weil <sage@redhat.com>
- check features on reconnect
- preserve features when connections are replaced
- require MSG_ADDR2 across the board
Signed-off-by: Sage Weil <sage@redhat.com>
We need to have rotating_secrets non-null before we can accept
connections or else we will segfault in handle_auth_request.
Signed-off-by: Sage Weil <sage@redhat.com>
The server side has an allowed list, while the client has an ordered list
in order of preference.
Note that some of the options are used as both (e.g., cluster_modes) as they
are used at both connecting and accepting ends of the connection.
Signed-off-by: Sage Weil <sage@redhat.com>
- A connects to B
- A sends client_ident
- fault before A gets server_ident, so A doesn't know B's features or name
- B reconnects to A
- connection established
A thinks B is unknown.0 and has no idea what the features are.
Fix this by including id and features in reconnect. We don't know the type, but that is
included in TAG_HELLO in another branch, which will be merged separately; add a
Signed-off-by: Sage Weil <sage@redhat.com>
Stopping the osd daemon won't reliably get you HEALTH_WARN or ERR; you have
to make sure it is also marked down.
Signed-off-by: Sage Weil <sage@redhat.com>
This is what the old code does so I kept it but I don't think it makes any sense.
Same with the defaults; let's just set the config option to something valid.
Signed-off-by: Sage Weil <sage@redhat.com>
The messenger doesn't activate until you set the dispatcher. Set up the auth_client
and auth_server values before that.
Signed-off-by: Sage Weil <sage@redhat.com>
For authv2, we only increase max_global_id from tick, not via prep_auth(), so we
need to ask the leader for more IDs here as we do there.
Signed-off-by: Sage Weil <sage@redhat.com>
Seeing some hangs when the mon is forwarding mgr commands (pg deep-scrub)
to the mgr. This is a buggy test (it should send it to the mgr directly)
but it is helpful to verify the mon forwarding behavior works.
Signed-off-by: Sage Weil <sage@redhat.com>
The ping is useless. The MMonGetMap ensures we get a monmap (and finish
authenticate()) before we get any other maps/messages, like mgr_map.
Getting other maps sooner rather than later can be confusing to MonClient
users because they will get dispatched MMgrMap before the authenticate()
call has returned.
Signed-off-by: Sage Weil <sage@redhat.com>
We used to get a valid monmap before we finished the MAuth exchange and
returned from authenticate(). Now, we finish authenticating before we even
send or receive a message, so authenticate() returns quickly. This
confuses many callers, and is probably a bad idea. So, rejigger the
_finish_auth and _finish_hunting callers so that we finish hunting as soon
as we have picked a mon but don't finish_auth if we have not gotten our
first monmap.
Signed-off-by: Sage Weil <sage@redhat.com>
In particular, we could be handling a get_auth_request() on a reconnect
while also running handle_auth_request() on a racing connection between
monitors.
Signed-off-by: Sage Weil <sage@redhat.com>
Reuse MonConnection to do the authentication.
Note this is a change in behavior: ceph ping mon* now requires
authentication.
Signed-off-by: Sage Weil <sage@redhat.com>
When we reconnect a session, we need to move the new connection's auth_meta
over to the existing connection. However, the existing connection may
have a thread that is unlocked and calling into an AuthClient or AuthServer
method making good use of the old auth_meta.
Resolved this by making auth_meta a shared_ptr and taking a local ref
before dropping the connection lock. This way we are free to move the
auth_meta over to the new connection as long as we are holding the lock,
and at the same time the existing connection can fiddle with the old
auth_meta without being disturbed. (That old auth_meta is about to get
discarded, but we still need to prevent the two threads from stomping on
each other.)
This also cleans up the reset_recv_state() a bit since we can simply
replace the old auth_meta with a totally fresh one without worrying about
what kind of state might be lurking in there.
Signed-off-by: Sage Weil <sage@redhat.com>
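The locking pattern described in the commit message above, as an added example that is not Ceph's code: a handler pins auth_meta with a local shared_ptr before dropping the connection lock, so a reconnect can swap in new state without freeing the object still in use. AuthMeta, Connection, run_auth_handler, replace_auth_meta and demo are hypothetical names, and the interleaving is constructed single-threaded so the result is deterministic.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <string>
#include <utility>

// Hypothetical stand-ins for per-connection auth state; not Ceph's types.
struct AuthMeta {
  std::string connection_secret;
};

struct Connection {
  std::mutex lock;
  std::shared_ptr<AuthMeta> auth_meta = std::make_shared<AuthMeta>();
};

// Auth callout: pin the current auth_meta under the lock, then run the
// handler unlocked against the pinned object only.
std::string run_auth_handler(Connection& c,
                             const std::function<void()>& while_unlocked) {
  std::shared_ptr<AuthMeta> am;
  {
    std::lock_guard<std::mutex> l(c.lock);
    am = c.auth_meta;  // local ref keeps the old object alive
  }
  while_unlocked();    // window in which a reconnect may swap the state
  am->connection_secret += "+handled";
  return am->connection_secret;
}

// Reconnect path: move the new connection's auth_meta onto the existing one.
void replace_auth_meta(Connection& existing, Connection& incoming) {
  std::lock(existing.lock, incoming.lock);
  std::lock_guard<std::mutex> a(existing.lock, std::adopt_lock);
  std::lock_guard<std::mutex> b(incoming.lock, std::adopt_lock);
  existing.auth_meta = std::move(incoming.auth_meta);
  incoming.auth_meta = std::make_shared<AuthMeta>();  // fresh state
}

// Constructed interleaving: the swap lands inside the unlocked window.
std::pair<std::string, std::string> demo() {
  Connection existing, incoming;
  existing.auth_meta->connection_secret = "old";  // constructed sample values
  incoming.auth_meta->connection_secret = "new";
  std::string seen = run_auth_handler(
      existing, [&] { replace_auth_meta(existing, incoming); });
  return {seen, existing.auth_meta->connection_secret};
}

int main() { return demo().second == "new" ? 0 : 1; }
```

With a raw pointer in place of the shared_ptr, the write after the unlocked window would land on whatever the reconnect path had already released.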
This removes the wonky accessor on Connection, and most importantly
allows the caller to control the lifecycle of the AuthConnectionMeta.
Signed-off-by: Sage Weil <sage@redhat.com>
Move connection mode decision to initial auth_request point so that it
can inform auth implementation how big the connection secret should be.
Pass that value through where appropriate.
The connection_secret is now a std::string filled with random bytes.
For now the v2 protocol just uses the session_key CryptoKey to encrypt,
but this is about to change.
Signed-off-by: Sage Weil <sage@redhat.com>
The modes are:
- crc: crc32c checksums to protect against bit errors. No secrecy or
authenticity guarantees, so a MITM could alter traffic in flight.
- secure: cryptographic secrecy and authenticity protection (i.e., encrypted
and signed).
We do not include a 'signed' mode that provides authenticity without
secrecy because the cryptographic protocols appear to be faster than
SHA-2.
New settings:
- ms_cluster_mode : mode(s list) for intra-cluster connections
- ms_service_mode : mode(s list) for daemons to allow
- ms_client_mode : mode(s list) for clients to allow
Also,
- ms_mon_cluster_mode : mon <-> mon connections
- ms_mon_service_mode : mon <-> daemon or client connections
The msgr2 protocol is expanded slightly to negotiate a mode. Client
shares its allowed/preferred modes, and server picks one as auth finishes.
Negotiation is independent of the authentication, except that the
authentication mode may preclude certain choices. Specifically, AUTH_NONE
does not support 'secure', only 'crc'.
Signed-off-by: Sage Weil <sage@redhat.com>
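The mode negotiation described in the commit message above, as an added example that is not Ceph's code. It assumes the server takes the first entry in the client's preference order that is also in its own allowed list and that the auth method supports; ConMode, AuthMethod, method_supports and pick_mode are hypothetical names.

```cpp
#include <algorithm>
#include <vector>

// Hypothetical names for this illustration; not Ceph's identifiers.
enum class ConMode { None, Crc, Secure };  // None = no acceptable mode
enum class AuthMethod { AuthNone, Cephx };

// Per the commit message, AUTH_NONE supports only 'crc', never 'secure'.
static bool method_supports(AuthMethod m, ConMode mode) {
  if (mode == ConMode::Crc) return true;
  return mode == ConMode::Secure && m == AuthMethod::Cephx;
}

// Server-side pick (assumed policy): walk the client's list in preference
// order and take the first mode the server allows and the method supports.
ConMode pick_mode(AuthMethod method,
                  const std::vector<ConMode>& client_preferred,
                  const std::vector<ConMode>& server_allowed) {
  for (ConMode want : client_preferred) {
    bool allowed = std::find(server_allowed.begin(), server_allowed.end(),
                             want) != server_allowed.end();
    if (allowed && method_supports(method, want))
      return want;
  }
  return ConMode::None;  // caller must fail the connection, not fall back
}

int main() {
  using M = ConMode;
  // Constructed case: a client listing only 'secure' gets no mode from a
  // crc-only server, so the connection fails instead of downgrading.
  return pick_mode(AuthMethod::Cephx, {M::Secure}, {M::Crc}) == M::None ? 0 : 1;
}
```

A client that lists 'crc' after 'secure' will accept an unencrypted session whenever the peer allows only 'crc' or the auth method is AUTH_NONE; listing 'secure' alone makes that case fail closed.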