preserve the old behaviour of selecting auth_supported based on the existence of the keyring, but limit it to external clusters.
this allows switching 'auth XXX required' in the pveceph-managed ceph.conf while still automatically copying the keyring when adding a storage. Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com> --- this is a bit of a workaround: 1.) auth_supported actually means auth_required (it sets all the 'auth XXX required' options) this meant having a keyring file for a storage causes errors if the cluster is actually using no authentication. since we now automatically create the keyring file when adding a storage without monhost set, this would likely affect users running with auth = none. 2.) mixing pveceph and external clusters causes weird fallbacks since a pveceph managed ceph.conf contains a keyring line for the client.admin key, even with authx configured access is possible without having a storage specific keyring. this is not problematic per se, as cephx does not share the key material during authentication even though the keys are symmetric. I don't want to get rid of the storage-specific keyring altogether, because in the future moving to a less-privileged key for storage-access might be desirable. suggestions for better ways to handle this and more testing of various combinations welcome ;) PVE/Storage/RBDPlugin.pm | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm index 791b1bd..decfbf5 100644 --- a/PVE/Storage/RBDPlugin.pm +++ b/PVE/Storage/RBDPlugin.pm @@ -53,14 +53,12 @@ my $build_cmd = sub { push @$cmd, '-c', $pveceph_config; } else { push @$cmd, '-m', $hostlist->($scfg->{monhost}, ','); + push @$cmd, '--auth_supported', -e $keyring ? 'cephx' : 'none'; } if (-e $keyring) { push @$cmd, '-n', "client.$username"; push @$cmd, '--keyring', $keyring; - push @$cmd, '--auth_supported', 'cephx'; - } else { - push @$cmd, '--auth_supported', 'none'; } my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf"; 
@@ -308,6 +306,7 @@ sub path { my $path = "rbd:$pool/$name"; my $pveceph_managed = !defined($scfg->{monhost}); + my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring"; if ($pveceph_managed) { $path .= ":conf=$pveceph_config"; @@ -315,15 +314,10 @@ sub path { my $monhost = $hostlist->($scfg->{monhost}, ';'); $monhost =~ s/:/\\:/g; $path .= ":mon_host=$monhost"; + $path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none"; } - my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring"; - - if (-e $keyring) { - $path .= ":id=$username:auth_supported=cephx:keyring=$keyring"; - } else { - $path .= ":auth_supported=none"; - } + $path .= ":id=$username:keyring=$keyring" if -e $keyring; my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf"; -- 2.11.0 _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
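Review bot: in the $build_cmd hunk the new line push @$cmd, '--auth_supported', -e $keyring ? 'cephx' : 'none'; infers the auth mode from whether the keyring file happens to exist, which the cover text itself calls a workaround; a keyring that was never copied or was removed silently becomes "--auth_supported none" instead of a visible error. Consider a short code comment next to that line stating the intent (only external clusters get --auth_supported, pveceph-managed ones take it from ceph.conf) so a later reader does not restore the old always-emit behaviour, and evaluate -e $keyring once into a variable so the --auth_supported choice and the following if (-e $keyring) branch cannot disagree if the file appears or disappears between the two checks.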
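Review bot: in the second "sub path" hunk the file-existence test is repeated, once in $path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none"; inside the external branch and again in $path .= ":id=$username:keyring=$keyring" if -e $keyring; after it. Storing the result once (my $has_keyring = -e $keyring;) keeps the auth_supported decision and the id/keyring decision consistent with each other and with the same pair of checks in $build_cmd. A comment explaining why auth_supported is no longer emitted for the pveceph-managed case would also help here, since the removed code always emitted it.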