preserve the old behaviour of selecting auth_supported based on the
existence of the keyring, but limit it to external clusters.
this allows switching 'auth XXX required' in the pveceph-managed
ceph.conf while still automatically copying the keyring when adding a
storage.
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
this is a bit of a workaround:
1.) auth_supported actually means auth_required (it sets all the
'auth XXX required' options)
this meant having a keyring file for a storage causes errors if the cluster is
actually using no authentication. since we now automatically create the keyring
file when adding a storage without monhost set, this would likely affect users
running with auth = none.
2.) mixing pveceph and external clusters causes weird fallbacks
since a pveceph managed ceph.conf contains a keyring line for the client.admin
key, even with authx configured access is possible without having a storage
specific keyring. this is not problematic per se, as cephx does not share the
key material during authentication even though the keys are symmetric.
I don't want to get rid of the storage-specific keyring altogether, because in
the future moving to a less-privileged key for storage-access might be
desirable.
suggestions for better ways to handle this and more testing of various
combinations welcome ;)
PVE/Storage/RBDPlugin.pm | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
index 791b1bd..decfbf5 100644
--- a/PVE/Storage/RBDPlugin.pm
+++ b/PVE/Storage/RBDPlugin.pm
@@ -53,14 +53,12 @@ my $build_cmd = sub {
push @$cmd, '-c', $pveceph_config;
} else {
push @$cmd, '-m', $hostlist->($scfg->{monhost}, ',');
+ push @$cmd, '--auth_supported', -e $keyring ? 'cephx' : 'none';
}
if (-e $keyring) {
push @$cmd, '-n', "client.$username";
push @$cmd, '--keyring', $keyring;
- push @$cmd, '--auth_supported', 'cephx';
- } else {
- push @$cmd, '--auth_supported', 'none';
}
my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf";
@@ -308,6 +306,7 @@ sub path {
my $path = "rbd:$pool/$name";
my $pveceph_managed = !defined($scfg->{monhost});
+ my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";
if ($pveceph_managed) {
$path .= ":conf=$pveceph_config";
@@ -315,15 +314,10 @@ sub path {
my $monhost = $hostlist->($scfg->{monhost}, ';');
$monhost =~ s/:/\\:/g;
$path .= ":mon_host=$monhost";
+ $path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none";
}
- my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";
-
- if (-e $keyring) {
- $path .= ":id=$username:auth_supported=cephx:keyring=$keyring";
- } else {
- $path .= ":auth_supported=none";
- }
+ $path .= ":id=$username:keyring=$keyring" if -e $keyring;
my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf";
--
2.11.0
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
