rgw: default auth_client_required=cephx

This makes this warning go away:

2021-08-09T15:51:52.882+0000 7f2373837400 -1 warn_if_insecure(): WARNING: rgw is configured to optionally allow insecure connections to the monitors (auth_supported, ms_mon_client_mode), ssl certificates stored at the monitor configuration could leak

7e22d2a31d277ab3eecff47b0864b206a32e2332 only fixed half of the problem.

Signed-off-by: Sage Weil <sage@newdream.net>

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 6298b8929229feaedf56c2c82988d230f63c6182..a99800edb8af70771c754e9551cdb8f36ecb144b 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -386,3 +386,8 @@
   from Octopus) will be automatically migrated when the cluster is
   upgraded.  Note that the NFS ganesha daemons will be redeployed and
   it is possible that their IPs will change.
+
+* RGW now requires a secure connection to the monitor by default
+  (``auth_client_required=cephx`` and ``ms_mon_client_mode=secure``).
+  If you have cephx authentication disabled on your cluster, you may
+  need to adjust these settings for RGW.

diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc
index cf9295a88899b24ecedd852754d59dbac1dea246..1d569bfba237881b8ef9393f2554e7c4ccbb8b7e 100644 (file)
--- a/src/rgw/rgw_main.cc
+++ b/src/rgw/rgw_main.cc
@@ -191,7 +191,9 @@ int radosgw_Main(int argc, const char **argv)
     { "debug_rgw", "1/5" },
     { "keyring", "$rgw_data/keyring" },
     { "objecter_inflight_ops", "24576" },
-    { "ms_mon_client_mode", "secure" }
+    // require a secure mon connection by default
+    { "ms_mon_client_mode", "secure" },
+    { "auth_client_required", "cephx" }
   };
 
   vector<const char*> args;