X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=ceph%2Fsrc%2Fmsg%2Fasync%2FAsyncConnection.cc;h=80231cccf4b9b3a1f8e832eb8af3538f02b753a5;hb=28e407b858acd3bddc89f68583571f771bb42e46;hp=f14be27412b3e612350652b70154b8f194b78ef6;hpb=b32b81446b3b05102be0267e79203f59329c1d97;p=ceph.git diff --git a/ceph/src/msg/async/AsyncConnection.cc b/ceph/src/msg/async/AsyncConnection.cc index f14be2741..80231cccf 100644 --- a/ceph/src/msg/async/AsyncConnection.cc +++ b/ceph/src/msg/async/AsyncConnection.cc @@ -986,7 +986,8 @@ ssize_t AsyncConnection::_process_connection() ldout(async_msgr->cct, 20) << __func__ << " connect peer addr for me is " << peer_addr_for_me << dendl; lock.unlock(); async_msgr->learned_addr(peer_addr_for_me); - if (async_msgr->cct->_conf->ms_inject_internal_delays) { + if (async_msgr->cct->_conf->ms_inject_internal_delays + && async_msgr->cct->_conf->ms_inject_socket_failures) { if (rand() % async_msgr->cct->_conf->ms_inject_socket_failures == 0) { ldout(msgr->cct, 10) << __func__ << " sleep for " << async_msgr->cct->_conf->ms_inject_internal_delays << dendl; @@ -1025,8 +1026,7 @@ ssize_t AsyncConnection::_process_connection() case STATE_CONNECTING_SEND_CONNECT_MSG: { - if (!got_bad_auth) { - delete authorizer; + if (!authorizer) { authorizer = async_msgr->get_authorizer(peer_type, false); } bufferlist bl; @@ -1106,7 +1106,15 @@ ssize_t AsyncConnection::_process_connection() } authorizer_reply.append(state_buffer, connect_reply.authorizer_len); - bufferlist::iterator iter = authorizer_reply.begin(); + + if (connect_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) { + ldout(async_msgr->cct,10) << __func__ << " connect got auth challenge" << dendl; + authorizer->add_challenge(async_msgr->cct, authorizer_reply); + state = STATE_CONNECTING_SEND_CONNECT_MSG; + break; + } + + auto iter = authorizer_reply.begin(); if (authorizer && !authorizer->verify_reply(iter)) { ldout(async_msgr->cct, 0) << __func__ << " failed verifying authorize reply" << dendl; goto fail; @@ -1484,20 +1492,32 @@ ssize_t AsyncConnection::handle_connect_msg(ceph_msg_connect &connect, bufferlis // require signatures for cephx? if (connect.authorizer_protocol == CEPH_AUTH_CEPHX) { if (peer_type == CEPH_ENTITY_TYPE_OSD || - peer_type == CEPH_ENTITY_TYPE_MDS) { + peer_type == CEPH_ENTITY_TYPE_MDS || + peer_type == CEPH_ENTITY_TYPE_MGR) { if (async_msgr->cct->_conf->cephx_require_signatures || async_msgr->cct->_conf->cephx_cluster_require_signatures) { ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for cluster" << dendl; policy.features_required |= CEPH_FEATURE_MSG_AUTH; } + if (async_msgr->cct->_conf->cephx_require_version >= 2 || + async_msgr->cct->_conf->cephx_cluster_require_version >= 2) { + ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for cluster" << dendl; + policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2; + } } else { if (async_msgr->cct->_conf->cephx_require_signatures || async_msgr->cct->_conf->cephx_service_require_signatures) { ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring MSG_AUTH feature bit for service" << dendl; policy.features_required |= CEPH_FEATURE_MSG_AUTH; } + if (async_msgr->cct->_conf->cephx_require_version >= 2 || + async_msgr->cct->_conf->cephx_service_require_version >= 2) { + ldout(async_msgr->cct, 10) << __func__ << " using cephx, requiring cephx v2 feature bit for service" << dendl; + policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2; + } } } + uint64_t feat_missing = policy.features_required & ~(uint64_t)connect.features; if (feat_missing) { ldout(async_msgr->cct, 1) << __func__ << " peer missing required features " @@ -1508,12 +1528,26 @@ ssize_t AsyncConnection::handle_connect_msg(ceph_msg_connect &connect, bufferlis lock.unlock(); bool authorizer_valid; - if (!async_msgr->verify_authorizer(this, peer_type, connect.authorizer_protocol, authorizer_bl, - authorizer_reply, authorizer_valid, session_key) || !authorizer_valid) { + bool need_challenge = HAVE_FEATURE(connect.features, CEPHX_V2); + bool had_challenge = (bool)authorizer_challenge; + if (!async_msgr->verify_authorizer( + this, peer_type, connect.authorizer_protocol, authorizer_bl, + authorizer_reply, authorizer_valid, session_key, + need_challenge ? &authorizer_challenge : nullptr) || + !authorizer_valid) { lock.lock(); - ldout(async_msgr->cct,0) << __func__ << ": got bad authorizer" << dendl; + char tag; + if (need_challenge && !had_challenge && authorizer_challenge) { + ldout(async_msgr->cct,0) << __func__ << ": challenging authorizer" + << dendl; + assert(authorizer_reply.length()); + tag = CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER; + } else { + ldout(async_msgr->cct,0) << __func__ << ": got bad authorizer" << dendl; + tag = CEPH_MSGR_TAG_BADAUTHORIZER; + } session_security.reset(); - return _reply_accept(CEPH_MSGR_TAG_BADAUTHORIZER, connect, reply, authorizer_reply); + return _reply_accept(tag, connect, reply, authorizer_reply); } // We've verified the authorizer for this AsyncConnection, so set up the session security structure. PLR @@ -1707,6 +1741,8 @@ ssize_t AsyncConnection::handle_connect_msg(ceph_msg_connect &connect, bufferlis // there shouldn't exist any buffer assert(recv_start == recv_end); + existing->authorizer_challenge.reset(); + auto deactivate_existing = std::bind( [existing, new_worker, new_center, connect, reply, authorizer_reply](ConnectedSocket &cs) mutable { // we need to delete time event in original thread