OPTION(rgw_keystone_accepted_roles, OPT_STR, "Member, admin") // roles required to serve requests
OPTION(rgw_keystone_token_cache_size, OPT_INT, 10000) // max number of entries in keystone token cache
OPTION(rgw_keystone_revocation_interval, OPT_INT, 15 * 60) // seconds between tokens revocation check
+OPTION(rgw_keystone_verify_ssl, OPT_BOOL, true) // should we try to verify keystone's ssl
OPTION(rgw_s3_auth_use_rados, OPT_BOOL, true) // should we try to use the internal credentials for s3?
OPTION(rgw_s3_auth_use_keystone, OPT_BOOL, false) // should we try to use keystone for s3?
OPTION(rgw_admin_entry, OPT_STR, "admin") // entry point for which a url is considered an admin request
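Review bot: The description on the new `rgw_keystone_verify_ssl` line should state what setting it to false actually does, since the effect (per the curl changes in this commit) is to disable both peer-certificate and hostname checks for every Keystone request, not merely to "try" verification. Suggested comment: `// verify keystone's TLS certificate and hostname; false disables both checks (use only for testing)`. The other option lines in this hunk are context and unchanged.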
if (has_send_len) {
curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE, (void *)send_len);
}
+ if (!verify_ssl) {
+ curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0L);
+ curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0L);
+ dout(20) << "ssl verification is set to off" << dendl;
+ }
+
CURLcode status = curl_easy_perform(curl_handle);
if (status) {
dout(0) << "curl_easy_perform returned error: " << error_buf << dendl;
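Review bot: The message emitted when `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` are turned off is logged at `dout(20)`, which is invisible at any normal log level, so an operator has no record that the Keystone endpoint is no longer being authenticated. Because this runs on every request through this function, a per-request level-0 line would be noisy; a lower verbosity that is still visible, or a warning emitted once when the flag is applied, would be more useful, e.g. `dout(5) << "WARNING: ssl verification is disabled for this request" << dendl;`. The enclosing function starts before this hunk, so where `verify_ssl` is read relative to any earlier curl options cannot be confirmed from here.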
string last_method;
string last_url;
+ bool verify_ssl; // Do not validate self signed certificates, default to false
protected:
CephContext *cct;
list<pair<string, string> > headers;
int init_request(const char *method, const char *url, rgw_http_req_data *req_data);
public:
+
static const long HTTP_STATUS_NOSTATUS = 0;
static const long HTTP_STATUS_UNAUTHORIZED = 401;
http_status(HTTP_STATUS_NOSTATUS),
req_data(nullptr),
user_info(nullptr),
+ verify_ssl(true),
cct(_cct) {
}
has_send_len = true;
}
+
long get_http_status() const {
return http_status;
}
+ void set_verify_ssl(bool flag) {
+ verify_ssl = flag;
+ }
+
int process(const char *method, const char *url);
int process(const char *url) { return process("GET", url); }
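Review bot: The comment on the new `verify_ssl` member (`// Do not validate self signed certificates, default to false`) contradicts the initializer list in this same section, which sets `verify_ssl(true)`, and it also describes the inverse of what the flag means (true means verification is on). Suggested: `bool verify_ssl; // verify the peer TLS certificate and hostname; defaults to true`. The class definition starts before and continues past this section, so other uses of the member are not visible here.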
append_header("X-Auth-Token", admin_token_id);
append_header("Content-Type", "application/json");
+ /* check if we want to verify keystone's ssl certs */
+ set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl);
+
/* encode token */
bufferlist token_buff;
bufferlist token_encoded;
std::string subject_token;
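Review bot: This hunk applies the option by calling `set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl)` from inside what appears to be a member of a request class (`append_header` is called unqualified), while the other Keystone request objects in this commit receive the same option through the new constructor overload. If this object is also built with that overload the call is redundant; either way, using one mechanism consistently makes it easier to audit where verification can be disabled. The comment `/* check if we want to verify keystone's ssl certs */` describes a configuration step rather than a check; `/* apply the configured keystone TLS verification setting */` would be more accurate. The enclosing function starts and ends outside the hunk.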
public:
RGWPostHTTPData(CephContext *_cct, bufferlist *_bl) : RGWHTTPClient(_cct), bl(_bl), post_data_index(0) {}
+ RGWPostHTTPData(CephContext *_cct, bufferlist *_bl, bool verify_ssl) : RGWHTTPClient(_cct), bl(_bl), post_data_index(0){
+ set_verify_ssl(verify_ssl);
+ }
void set_post_data(const std::string& _post_data) {
this->post_data = _post_data;
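Review bot: The new constructor's parameter `bool verify_ssl` shadows the base-class member of the same name added in this commit, which compiles but is easy to misread and departs from the file's `_cct`/`_bl` naming for constructor arguments; the missing space before `{` is also inconsistent with the line above. Suggested: `RGWPostHTTPData(CephContext *_cct, bufferlist *_bl, bool _verify_ssl) : RGWHTTPClient(_cct), bl(_bl), post_data_index(0) {` followed by `set_verify_ssl(_verify_ssl);`. The class body continues outside the hunk.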
std::string& url)
{
bufferlist bl;
- RGWGetRevokedTokens req(cct, &bl);
+ RGWGetRevokedTokens req(cct, &bl, cct->_conf->rgw_keystone_verify_ssl);
url = cct->_conf->rgw_keystone_url;
if (url.empty()) {
return 0;
}
bufferlist token_bl;
- RGWGetKeystoneAdminToken token_req(cct, &token_bl);
+ RGWGetKeystoneAdminToken token_req(cct, &token_bl, cct->_conf->rgw_keystone_verify_ssl);
token_req.append_header("Content-Type", "application/json");
JSONFormatter jf;
/* can't decode, just go to the keystone server for validation */
- RGWValidateKeystoneToken validate(cct, &bl);
+ RGWValidateKeystoneToken validate(cct, &bl, cct->_conf->rgw_keystone_verify_ssl);
string url = g_conf->rgw_keystone_url;
if (url.empty()) {