Bug #46330
closed
Accessing as an invalid user will result in an infinite loop in getting a SessionKey.
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Description
Accessing a Ceph cluster as an invalid user results in an infinite loop instead of an error in authentication.
$ sudo rbd pool stats --user user_x user_a_rbd
2020-07-02T16:14:14.095+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:19:14.095+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:24:14.096+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:29:14.097+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
To investigate the cause, I checked the authentication packets.
As a result, we found out that the authentication error -13 (Permission denied) was returned in response to a request to get a session key, but the retry process was repeated without completing the process due to this authentication error.
Ceph Auth, Proto: CephX
    Filter Data
    Tag: message (0x07)
    Message Header, Type: C_CEPH_MSG_AUTH, From: client, Front Len: 66
    Paxos Message
        Paxos Version: 0
        Mon: -1
        Mon Transaction ID: 0
    Auth Message, Proto: CephX
        Protocol: CephX (0x00000002)
        CephX, Request Type: Get Auth Session Key
            Type: Get Auth Session Key (0x0100)
            [Expert Info (Warning/Undecoded): This data's meaning depends on other information in the message but the dissector doesn't know what type it is.]
        34 unused bytes
            [Expert Info (Warning/Undecoded): 34 unused bytes]
        Monmap epoch: 0
    Message Footer
Ceph Auth Reply, Proto: CephX
    Filter Data
    Tag: message (0x07)
    Message Header, Type: C_CEPH_MSG_AUTH_REPLY, From: mon0, Front Len: 24
    Auth Reply Message, Proto: CephX
        Protocol: CephX (0x00000002)
        Result: -13
        Global ID: 0x000000000019d9f6
        [Expert Info (Warning/Undecoded): This data's meaning depends on other information in the message but the dissector doesn't know what type it is.]
        Message:
    Message Footer
How to reproduce the problem
Create a keyring file for a user not registered in the Ceph cluster and execute the ceph client command as that user.
In the processing of the CephxClientHandler::handle_response function, it is creating an authentication error status from the data received.
This process, I believe, makes it EAGAIN instead of EACCES.
Updated by MASAYUKI MIYAKE almost 4 years ago
This bug was a mistake on my part.
This happened when I set only one MON in ceph.conf on the client side.
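For operators who want to spot a client caught in the repeating timeout pattern shown in the description, the following is an added example, not part of the report and not Ceph project code. It parses the `monclient(hunting)` lines and flags a thread whose timeouts recur one timeout period apart; the `min_repeats` and `slack` thresholds and all function names are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the client output quoted in the report, one entry per line.
SAMPLE_LOG = """\
2020-07-02T16:14:14.095+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:19:14.095+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:24:14.096+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
2020-07-02T16:29:14.097+0900 7f03f4ab0f40 0 monclient(hunting): authenticate timed out after 300
"""

# timestamp, thread id, log level, then the timeout message with its period in seconds
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4})\s+"
    r"(?P<thread>[0-9a-f]+)\s+(?P<level>-?\d+)\s+"
    r"monclient\(hunting\): authenticate timed out after (?P<timeout>\d+)\s*$"
)

def parse_timeouts(text):
    """Return (timestamp, thread_id, timeout_seconds) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
            events.append((ts, m["thread"], int(m["timeout"])))
    return events

def stuck_auth_threads(events, min_repeats=3, slack=5.0):
    """Map thread id -> longest run of timeouts spaced one timeout period apart.

    min_repeats and slack (seconds) are illustrative thresholds, not Ceph defaults.
    """
    by_thread = {}
    for ts, thread, timeout in sorted(events):
        by_thread.setdefault(thread, []).append((ts, timeout))
    stuck = {}
    for thread, items in by_thread.items():
        run = best = 1
        for (prev_ts, _), (ts, timeout) in zip(items, items[1:]):
            gap = (ts - prev_ts).total_seconds()
            # A gap equal to the timeout means the client retried immediately.
            run = run + 1 if abs(gap - timeout) <= slack else 1
            best = max(best, run)
        if best >= min_repeats:
            stuck[thread] = best
    return stuck
```
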