Bug #46330: Accessing as an invalid user will result in an infinite loop in getting a SessionKey. - Ceph - Ceph

Actions

Copy link

Bug #46330

closed

Accessing as an invalid user will result in an infinite loop in getting a SessionKey.

Added by MASAYUKI MIYAKE almost 4 years ago. Updated almost 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

librados

Target version:

v15.2.4

% Done:

Source:

Community (user)

Tags:

Backport:

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

v15.2.1

ceph-qa-suite:

Pull request ID:

Crash signature (v1):

Crash signature (v2):

Description

Accessing a Ceph cluster as an invalid user results in an infinite loop instead of an error in authentication.

$ sudo rbd pool stats --user user_x user_a_rbd
2020-07-02T16:14:14.095+0900 7f03f4ab0f40  0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:19:14.095+0900 7f03f4ab0f40  0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:24:14.096+0900 7f03f4ab0f40  0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:29:14.097+0900 7f03f4ab0f40  0 monclient(hunting): authenticate timed out after 300

To investigate the cause, I checked the authentication packets.
As a result, we found out that the authentication error -13 (Permission denied) was returned in response to a request to get a session key, but the retry process was repeated without completing the process due to this authentication error.

Ceph Auth, Proto: CephX
    Filter Data
    Tag: message (0x07)
    Message Header, Type: C_CEPH_MSG_AUTH, From: client, Front Len: 66
    Paxos Message
        Paxos Version: 0
        Mon: -1
        Mon Transaction ID: 0
    Auth Message, Proto: CephX
        Protocol: CephX (0x00000002)
        CephX, Request Type: Get Auth Session Key
            Type: Get Auth Session Key (0x0100)
            [Expert Info (Warning/Undecoded): This data's meaning depends on other information in the message but the dissector doesn't know what type it is.]
        34 unused bytes
            [Expert Info (Warning/Undecoded): 34 unused bytes]
        Monmap epoch: 0
    Message Footer

Ceph Auth Reply, Proto: CephX
    Filter Data
    Tag: message (0x07)
    Message Header, Type: C_CEPH_MSG_AUTH_REPLY, From: mon0, Front Len: 24
    Auth Reply Message, Proto: CephX
        Protocol: CephX (0x00000002)
        Result: -13
        Global ID: 0x000000000019d9f6
        [Expert Info (Warning/Undecoded): This data's meaning depends on other information in the message but the dissector doesn't know what type it is.]
        Message: 
    Message Footer

How to reproduce the problem

Create a keyring file for a user not registered in the Ceph cluster and execute the ceph client command on that user.

In the processing of CephxClientHandler::handle_response function, the It is creating an authentication error status from the data received.
This process, I believe, makes it EAGAIN instead of EACCES.