[pve-devel] applied: [RFC storage] rbd: support auth=none if pveceph-managed

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Sep 12 11:38:58 CEST 2017


applied

On Mon, Sep 11, 2017 at 12:31:06PM +0200, Fabian Grünbichler wrote:
> preserve the old behaviour of selecting auth_supported based on the
> existence of the keyring, but limit it to external clusters.
> 
> this allows switching 'auth XXX required' in the pveceph-managed
> ceph.conf while still automatically copying the keyring when adding a
> storage.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> this is a bit of a workaround:
> 
> 1.) auth_supported actually means auth_required (it sets all the
> 'auth XXX required' options)
> 
> this meant that having a keyring file for a storage caused errors if the
> cluster was actually using no authentication. since we now automatically
> create the keyring file when adding a storage without monhost set, this would
> likely affect users running with auth = none.
> 
> 2.) mixing pveceph and external clusters causes weird fallbacks
> 
> since a pveceph-managed ceph.conf contains a keyring line for the client.admin
> key, even with cephx configured, access is possible without having a
> storage-specific keyring. this is not problematic per se, as cephx does not
> share the key material during authentication even though the keys are symmetric.
> 
> I don't want to get rid of the storage-specific keyring altogether, because in
> the future moving to a less-privileged key for storage-access might be
> desirable.
> 
> suggestions for better ways to handle this and more testing of various
> combinations welcome ;)
> 
>  PVE/Storage/RBDPlugin.pm | 14 ++++----------
>  1 file changed, 4 insertions(+), 10 deletions(-)
> 
> diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
> index 791b1bd..decfbf5 100644
> --- a/PVE/Storage/RBDPlugin.pm
> +++ b/PVE/Storage/RBDPlugin.pm
> @@ -53,14 +53,12 @@ my $build_cmd = sub {
>  	push @$cmd, '-c', $pveceph_config;
>      } else {
>  	push @$cmd, '-m', $hostlist->($scfg->{monhost}, ',');
> +	push @$cmd, '--auth_supported', -e $keyring ? 'cephx' : 'none';
>      }
>  
>      if (-e $keyring) {
>  	push @$cmd, '-n', "client.$username";
>  	push @$cmd, '--keyring', $keyring;
> -	push @$cmd, '--auth_supported', 'cephx';
> -    } else {
> -	push @$cmd, '--auth_supported', 'none';
>      }
>  
>      my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf";
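Review bot: the `-e $keyring` test now runs twice in `$build_cmd` (once in the `else` branch to choose `--auth_supported`, once in the `if (-e $keyring)` block that adds `-n` and `--keyring`), so a keyring appearing or disappearing under /etc/pve between the two stats can produce `--auth_supported none` together with `--keyring`. Capture the result once, e.g. `my $has_keyring = -e $keyring;` before the branch, and use it in both places so the two decisions cannot disagree. A one-line comment that the pveceph-managed branch deliberately passes no `--auth_supported` so the `auth ... required` settings in the managed ceph.conf decide would also help, since the asymmetry between the two branches is not obvious from the code alone.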
> @@ -308,6 +306,7 @@ sub path {
>  
>      my $path = "rbd:$pool/$name";
>      my $pveceph_managed = !defined($scfg->{monhost});
> +    my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";
>  
>      if ($pveceph_managed) {
>  	$path .= ":conf=$pveceph_config";
> @@ -315,15 +314,10 @@ sub path {
>  	my $monhost = $hostlist->($scfg->{monhost}, ';');
>  	$monhost =~ s/:/\\:/g;
>  	$path .= ":mon_host=$monhost";
> +	$path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none";
>      }
>  
> -    my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";
> -
> -    if (-e $keyring) {
> -        $path .= ":id=$username:auth_supported=cephx:keyring=$keyring";
> -    } else {
> -	$path .= ":auth_supported=none";
> -    }
> +    $path .= ":id=$username:keyring=$keyring" if -e $keyring;
>  
>      my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf";
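Review bot: `path` has the same double `-e $keyring` stat as `$build_cmd` (once in `$path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none";`, once in the trailing `$path .= ":id=$username:keyring=$keyring" if -e $keyring;`); store the result in one scalar so `auth_supported=none` is never emitted alongside `keyring=`. Note also that `$monhost` is escaped with `s/:/\\:/g` before being appended, while `$keyring` (built from `$storeid`) is appended unescaped into the same colon-separated rbd spec; that is only correct as long as storage IDs cannot contain `:` or `\`, which deserves a comment next to the escaping (or the same substitution applied to `$keyring`) so the assumption is recorded. For pveceph-managed storages the path now carries no `auth_supported` at all and the auth mode comes entirely from the `conf=` file; that matches the commit message, but a short comment in the managed branch would make it explicit.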
>  
> -- 
> 2.11.0