rgw: default auth_client_required=cephx

This makes this warning go away:

2021-08-09T15:51:52.882+0000 7f2373837400 -1 warn_if_insecure(): WARNING: rgw is configured to optionally allow insecure connections to the monitors (auth_supported, ms_mon_client_mode), ssl certificates stored at the monitor configuration could leak

7e22d2a31d277ab3eecff47b0864b206a32e2332 only fixed half of the problem.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 6010eae66cd12358880fff64e2229a4265a5cf0a)

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 911b9a0c74dfb09ff60cff5e6663e45fc73d23f0..1ff5d73ba64d4e20905de219321e3e41d6d481ea 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -444,3 +444,8 @@
   from Octopus) will be automatically migrated when the cluster is
   upgraded.  Note that the NFS ganesha daemons will be redeployed and
   it is possible that their IPs will change.
+
+* RGW now requires a secure connection to the monitor by default
+  (``auth_client_required=cephx`` and ``ms_mon_client_mode=secure``).
+  If you have cephx authentication disabled on your cluster, you may
+  need to adjust these settings for RGW.

diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc
index 3d1a992e9e70697da7ed9d2f808236e49ba180eb..e0379f1f800252ffd8863227a912a331c4200c34 100644 (file)
--- a/src/rgw/rgw_main.cc
+++ b/src/rgw/rgw_main.cc
@@ -196,7 +196,9 @@ int radosgw_Main(int argc, const char **argv)
     { "debug_rgw", "1/5" },
     { "keyring", "$rgw_data/keyring" },
     { "objecter_inflight_ops", "24576" },
-    { "ms_mon_client_mode", "secure" }
+    // require a secure mon connection by default
+    { "ms_mon_client_mode", "secure" },
+    { "auth_client_required", "cephx" }
   };
 
   vector<const char*> args;