libceph: add update_authorizer auth method
Currently the messenger calls out to a get_authorizer con op, which will create a new authorizer if it doesn't yet have one. In the meantime, when we rotate our service keys, the authorizer doesn't get updated. Eventually it will be rejected by the server on a new connection attempt and get invalidated, and we will then rebuild a new authorizer, but this is not ideal. Instead, if we do have an authorizer, call a new update_authorizer op that will verify that the current authorizer is using the latest secret. If it is not, we will build a new one that does. This avoids the transient failure. This fixes one of the sorry sequence of events for bug http://tracker.ceph.com/issues/4282 Signed-off-by: Sage Weil <sage@inktank.com> Reviewed-by: Alex Elder <elder@inktank.com>
This commit is contained in:
Sage Weil
parent
4b8e8b5d78
commit
0bed9b5c52
5 changed files with 38 additions and 1 deletions
|
|
@ -2220,6 +2220,11 @@ static struct ceph_auth_handshake *get_authorizer(struct ceph_connection *con,
|
|||
auth);
|
||||
if (ret)
|
||||
return ERR_PTR(ret);
|
||||
} else if (ac->ops && ac->ops->update_authorizer) {
|
||||
int ret = ac->ops->update_authorizer(ac, CEPH_ENTITY_TYPE_OSD,
|
||||
auth);
|
||||
if (ret)
|
||||
return ERR_PTR(ret);
|
||||
}
|
||||
*proto = ac->protocol;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue