Patch for v14.2.2

src/auth/cephx/CephxServiceHandler.cc

@@ -187,11 +187,14 @@ int CephxServiceHandler::handle_request(
 	    }
 	  }
 	  encode(cbl, *result_bl);
-	  // provite all of the other tickets at the same time
+	  // provide requested service tickets at the same time
 	  vector<CephXSessionAuthInfo> info_vec;
 	  for (uint32_t service_id = 1; service_id <= req.other_keys;
 	       service_id <<= 1) {
-	    if (req.other_keys & service_id) {
+	    // skip CEPH_ENTITY_TYPE_AUTH: auth ticket is already encoded
+	    // (possibly encrypted with the old session key)
+	    if ((req.other_keys & service_id) &&
+		service_id != CEPH_ENTITY_TYPE_AUTH) {
 	      ldout(cct, 10) << " adding key for service "
 			     << ceph_entity_type_name(service_id) << dendl;
 	      CephXSessionAuthInfo svc_info;
@@ -243,7 +246,10 @@ int CephxServiceHandler::handle_request(
       int service_err = 0;
       for (uint32_t service_id = 1; service_id <= ticket_req.keys;
 	   service_id <<= 1) {
-        if (ticket_req.keys & service_id) {
+        // skip CEPH_ENTITY_TYPE_AUTH: auth ticket must be obtained with
+        // CEPHX_GET_AUTH_SESSION_KEY
+        if ((ticket_req.keys & service_id) &&
+            service_id != CEPH_ENTITY_TYPE_AUTH) {
 	  ldout(cct, 10) << " adding key for service "
 			 << ceph_entity_type_name(service_id) << dendl;
           CephXSessionAuthInfo info;

src/msg/async/ProtocolV1.cc

@@ -1905,7 +1905,8 @@ CtPtr ProtocolV1::handle_connect_message_2() {
   // require signatures for cephx?
   if (connect_msg.authorizer_protocol == CEPH_AUTH_CEPHX) {
     if (connection->peer_type == CEPH_ENTITY_TYPE_OSD ||
-        connection->peer_type == CEPH_ENTITY_TYPE_MDS) {
+        connection->peer_type == CEPH_ENTITY_TYPE_MDS ||
+        connection->peer_type == CEPH_ENTITY_TYPE_MGR) {
       if (cct->_conf->cephx_require_signatures ||
           cct->_conf->cephx_cluster_require_signatures) {
         ldout(cct, 10)
@@ -1914,6 +1915,14 @@ CtPtr ProtocolV1::handle_connect_message_2() {
             << dendl;
         connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (cct->_conf->cephx_require_version >= 2 ||
+          cct->_conf->cephx_cluster_require_version >= 2) {
+        ldout(cct, 10)
+            << __func__
+            << " using cephx, requiring cephx v2 feature bit for cluster"
+            << dendl;
+        connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+      }
     } else {
       if (cct->_conf->cephx_require_signatures ||
           cct->_conf->cephx_service_require_signatures) {
@@ -1923,6 +1932,14 @@ CtPtr ProtocolV1::handle_connect_message_2() {
             << dendl;
         connection->policy.features_required |= CEPH_FEATURE_MSG_AUTH;
       }
+      if (cct->_conf->cephx_require_version >= 2 ||
+          cct->_conf->cephx_service_require_version >= 2) {
+        ldout(cct, 10)
+            << __func__
+            << " using cephx, requiring cephx v2 feature bit for service"
+            << dendl;
+        connection->policy.features_required |= CEPH_FEATUREMASK_CEPHX_V2;
+      }
     }
   }
 

src/rgw/rgw_rest_swift.cc

@@ -2545,6 +2545,9 @@ bool RGWSwiftWebsiteHandler::is_web_dir() const
     return false;
   } else if (subdir_name.back() == '/') {
     subdir_name.pop_back();
+    if (subdir_name.empty()) {
+      return false;
+    }
   }
 
   rgw_obj obj(s->bucket, std::move(subdir_name));