authorIlya Dryomov <idryomov@gmail.com>2021-04-14 19:58:49 +0200
committerIlya Dryomov <idryomov@gmail.com>2021-04-14 19:58:49 +0200
commitf3a4166379b12d4a7bba667fe761e5b660552db1 (patch)
tree44bee23b3853b971baa31048faa4fcdee4b87863 /qa/suites
parentMerge pull request #40614 from smithfarm/wip-39556 (diff)
parentMerge branch 'master' into wip-unauthorized-gids (diff)
downloadceph-f3a4166379b12d4a7bba667fe761e5b660552db1.tar.xz
ceph-f3a4166379b12d4a7bba667fe761e5b660552db1.zip
Merge branch 'CVE-2021-20288' into master
* CVE-2021-20288: qa/standalone: default to disable insecure global id reclaim qa/suites/upgrade/octopus-x: disable insecure global_id reclaim health warnings qa/tasks/ceph[adm].conf[.template]: disable insecure global_id reclaim health alerts cephadm: set auth_allow_insecure_global_id_reclaim for mon on bootstrap mon/HealthMonitor: raise AUTH_INSECURE_GLOBAL_ID_RENEWAL[_ALLOWED] auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys auth/cephx: rotate auth tickets less often mon: fail fast when unauthorized global_id (re)use is disallowed auth/cephx: option to disallow unauthorized global_id (re)use auth/cephx: make cephx_decode_ticket() take a const ticket_blob auth/AuthServiceHandler: keep track of global_id and whether it is new auth/AuthServiceHandler: build_cephx_response_header() is cephx-specific auth/AuthServiceHandler: drop unused start_session() args mon/MonClient: drop global_id arg from _add_conn() and _add_conns() mon/MonClient: reset auth state in shutdown() mon/MonClient: preserve auth state on reconnects mon/MonClient: claim active_con's auth explicitly mon/MonClient: resurrect "waiting for monmap|config" timeouts Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Sage Weil <sage@redhat.com>
Diffstat (limited to 'qa/suites')
-rw-r--r--qa/suites/rados/cephadm/upgrade/3-start-upgrade.yaml2
-rw-r--r--qa/suites/rados/thrash-old-clients/ceph.yaml3
-rw-r--r--qa/suites/upgrade/octopus-x/parallel/1-tasks.yaml3
-rw-r--r--qa/suites/upgrade/octopus-x/rgw-multisite/overrides.yaml3
-rw-r--r--qa/suites/upgrade/octopus-x/stress-split-no-cephadm/1-ceph-install/octopus.yaml3
-rw-r--r--qa/suites/upgrade/octopus-x/stress-split/1-start.yaml3
6 files changed, 17 insertions, 0 deletions
diff --git a/qa/suites/rados/cephadm/upgrade/3-start-upgrade.yaml b/qa/suites/rados/cephadm/upgrade/3-start-upgrade.yaml
index 33b1a83ac8a..80463a6c075 100644
--- a/qa/suites/rados/cephadm/upgrade/3-start-upgrade.yaml
+++ b/qa/suites/rados/cephadm/upgrade/3-start-upgrade.yaml
@@ -8,4 +8,6 @@ tasks:
- radosgw-admin period update --rgw-realm=r --commit
- ceph orch apply rgw r z --placement=2 --port=8000
- sleep 120
+ - ceph config set mon mon_warn_on_insecure_global_id_reclaim false --force
+ - ceph config set mon mon_warn_on_insecure_global_id_reclaim_allowed false --force
- ceph orch upgrade start --image quay.ceph.io/ceph-ci/ceph:$sha1
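Review bot: The two added `ceph config set mon mon_warn_on_insecure_global_id_reclaim[_allowed] false --force` steps silence a security health warning without saying why, and the same pair is added uncommented in upgrade/octopus-x/parallel/1-tasks.yaml and upgrade/octopus-x/stress-split/1-start.yaml. A comment above them such as `# pre-upgrade daemons/clients lack the CVE-2021-20288 fix; mute the insecure global_id reclaim warnings so health checks pass during the upgrade` would make the intent clear. `--force` is presumably needed because the starting mon may not recognise these options yet; if so, the comment should say it, so the flag can be dropped once every supported starting release knows them.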
diff --git a/qa/suites/rados/thrash-old-clients/ceph.yaml b/qa/suites/rados/thrash-old-clients/ceph.yaml
index 468b4af27d0..016ce36da7f 100644
--- a/qa/suites/rados/thrash-old-clients/ceph.yaml
+++ b/qa/suites/rados/thrash-old-clients/ceph.yaml
@@ -2,3 +2,6 @@
verify_ceph_hash: false
tasks:
- cephadm:
+ conf:
+ mon:
+ auth allow insecure global id reclaim: true
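Review bot: The added `auth allow insecure global id reclaim: true` under `conf: mon:` keeps enabled the behaviour that the CVE-2021-20288 branch exists to restrict, and nothing in the file marks it as deliberate. A comment above the key such as `# old clients without the global_id fix must still be able to reconnect; test-only, do not copy into a production config` would record the reason. The key is spelled with spaces here while the other files in this commit use underscores (`mon_warn_on_insecure_global_id_reclaim`); Ceph accepts both, but a single spelling keeps the option greppable. This hunk does not mute the matching health warnings; presumably the qa/tasks conf templates named in the commit message cover that, which is worth confirming since they fall outside this diffstat.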
diff --git a/qa/suites/upgrade/octopus-x/parallel/1-tasks.yaml b/qa/suites/upgrade/octopus-x/parallel/1-tasks.yaml
index a392953d286..b6bf1304fd2 100644
--- a/qa/suites/upgrade/octopus-x/parallel/1-tasks.yaml
+++ b/qa/suites/upgrade/octopus-x/parallel/1-tasks.yaml
@@ -26,6 +26,9 @@ tasks:
- cephadm.shell:
mon.a:
- ceph config set mgr mgr/cephadm/use_repo_digest true --force
+ - ceph config set mon mon_warn_on_insecure_global_id_reclaim false --force
+ - ceph config set mon mon_warn_on_insecure_global_id_reclaim_allowed false --force
+
- print: "**** done cephadm.shell ceph config set mgr..."
- print: "**** done start parallel"
diff --git a/qa/suites/upgrade/octopus-x/rgw-multisite/overrides.yaml b/qa/suites/upgrade/octopus-x/rgw-multisite/overrides.yaml
index bf3a752d6a1..6f757bbde51 100644
--- a/qa/suites/upgrade/octopus-x/rgw-multisite/overrides.yaml
+++ b/qa/suites/upgrade/octopus-x/rgw-multisite/overrides.yaml
@@ -4,6 +4,9 @@ overrides:
- \(PG_AVAILABILITY\)
wait-for-scrub: false
conf:
+ mon:
+ mon_warn_on_insecure_global_id_reclaim: false
+ mon_warn_on_insecure_global_id_reclaim_allowed: false
client:
setuser: ceph
setgroup: ceph
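Review bot: The two `mon_warn_on_insecure_global_id_reclaim*: false` overrides under `conf: mon:` stay in force for the whole run, so the suite will not notice if insecure global_id reclaim is still happening after every daemon and client has been upgraded. If the rest of the suite (outside this hunk) has a post-upgrade stage, consider turning the warning back on there, e.g. `ceph config set mon mon_warn_on_insecure_global_id_reclaim true`, and checking health before the run finishes. The same applies to the `mon:` block added in stress-split-no-cephadm/1-ceph-install/octopus.yaml.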
diff --git a/qa/suites/upgrade/octopus-x/stress-split-no-cephadm/1-ceph-install/octopus.yaml b/qa/suites/upgrade/octopus-x/stress-split-no-cephadm/1-ceph-install/octopus.yaml
index 90a95841200..3d7a52a499f 100644
--- a/qa/suites/upgrade/octopus-x/stress-split-no-cephadm/1-ceph-install/octopus.yaml
+++ b/qa/suites/upgrade/octopus-x/stress-split-no-cephadm/1-ceph-install/octopus.yaml
@@ -14,6 +14,9 @@ tasks:
bluestore_warn_on_legacy_statfs: false
bluestore warn on no per pool omap: false
mon pg warn min per osd: 0
+ mon:
+ mon_warn_on_insecure_global_id_reclaim: false
+ mon_warn_on_insecure_global_id_reclaim_allowed: false
log-ignorelist:
- Not found or unloadable
- evicting unresponsive client
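Review bot: The new `mon:` mapping lands in the middle of a `conf:` block whose start is outside the hunk, so it is not visible whether a `mon:` key already exists above it. If one does, most YAML loaders keep only the last duplicate and silently drop the earlier settings; confirm there is a single `mon:` section and, if needed, merge the two added keys into it. The neighbouring options mix spaced and underscored spellings (`bluestore warn on no per pool omap`, `bluestore_warn_on_legacy_statfs`); the added keys use the underscored form, which is the easier one to grep for.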
diff --git a/qa/suites/upgrade/octopus-x/stress-split/1-start.yaml b/qa/suites/upgrade/octopus-x/stress-split/1-start.yaml
index 2cfeb54ec18..432780592bf 100644
--- a/qa/suites/upgrade/octopus-x/stress-split/1-start.yaml
+++ b/qa/suites/upgrade/octopus-x/stress-split/1-start.yaml
@@ -17,6 +17,9 @@ tasks:
- cephadm.shell:
mon.a:
- ceph fs volume create foo
+ - ceph config set mon mon_warn_on_insecure_global_id_reclaim false --force
+ - ceph config set mon mon_warn_on_insecure_global_id_reclaim_allowed false --force
+
- ceph.healthy:
- print: "**** upgrading first half of cluster, with stress ****"