From: Sage Weil Date: Mon, 14 May 2018 18:35:39 +0000 (-0500) Subject: cephx: update docs X-Git-Tag: v14.0.1~913^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1004c050a1d750d850379b7f66b8559302faac8b;p=ceph.git cephx: update docs Remove confusing references to ancient releases. Be a bit more clear about what signatures do/don't protect. Signed-off-by: Sage Weil --- diff --git a/doc/rados/configuration/auth-config-ref.rst b/doc/rados/configuration/auth-config-ref.rst index 590132db78ba..96ec83a60492 100644 --- a/doc/rados/configuration/auth-config-ref.rst +++ b/doc/rados/configuration/auth-config-ref.rst @@ -300,18 +300,16 @@ You can override these locations, but it is not recommended. Signatures ---------- -In Ceph Bobtail and subsequent versions, we prefer that Ceph authenticate all -ongoing messages between the entities using the session key set up for that -initial authentication. However, Argonaut and earlier Ceph daemons do not know -how to perform ongoing message authentication. To maintain backward -compatibility (e.g., running both Botbail and Argonaut daemons in the same -cluster), message signing is **off** by default. If you are running Bobtail or -later daemons exclusively, configure Ceph to require signatures. +Ceph performs a signature check that provides some limited protection +against messages being tampered with in flight (e.g., by a "man in the +middle" attack). Like other parts of Ceph authentication, Ceph provides fine-grained control so you can enable/disable signatures for service messages between the client and Ceph, and you can enable/disable signatures for messages between Ceph daemons. +Note that even with signatures enabled data is not encrypted in +flight. ``cephx require signatures`` 
@@ -319,6 +317,10 @@ Ceph, and you can enable/disable signatures for messages between Ceph daemons. traffic between the Ceph Client and the Ceph Storage Cluster, and between daemons comprising the Ceph Storage Cluster. + Ceph Argonaut and Linux kernel versions prior to 3.19 do + not support signatures; if such clients are in use this + option can be turned off to allow them to connect. + :Type: Boolean :Required: No :Default: ``false`` @@ -347,7 +349,7 @@ Ceph, and you can enable/disable signatures for messages between Ceph daemons. ``cephx sign messages`` :Description: If the Ceph version supports message signing, Ceph will sign - all messages so they cannot be spoofed. + all messages so they are more difficult to spoof. :Type: Boolean :Default: ``true``
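Review bot: in the first hunk (@@ -300,18 +300,16 @@) the replacement paragraph drops the one operational fact the removed text carried, that message signing is not enforced by default, and "some limited protection" is left unexplained. Since the ``cephx require signatures`` block that follows documents ``:Default: ``false```, consider keeping one sentence such as "Signatures are not required by default; set ``cephx require signatures`` to ``true`` to reject unsigned messages," and saying in what sense the protection is limited (it lets tampering with signed messages be detected and nothing more; the added "data is not encrypted in flight" sentence already makes the confidentiality half of that point, so the two sentences could sit together rather than three paragraphs apart).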
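Review bot: in the second hunk (@@ -319,6 +317,10 @@) the added note says the option "can be turned off to allow them to connect", but the option's ``:Default: ``false``` a few lines below means it is already off unless an operator enabled it; "must be left disabled" (or "cannot be enabled") reads more accurately. The note should also state the trade-off: because the option covers traffic between clients and the cluster and between daemons, leaving it off admits unsigned traffic from every peer, not just the old clients named here. Prefer "Linux kernel clients older than 3.19" to "Linux kernel versions prior to 3.19" so it is clear the kernel client is meant, and since the paragraph is inserted between the :Description: text and :Type:, check the rendered field list keeps it attached to the description.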
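Review bot: in the third hunk (@@ -347,7 +349,7 @@) the opening clause "If the Ceph version supports message signing" is exactly the version-dependent wording this commit removes elsewhere, and "more difficult to spoof" is vaguer than the new Signatures paragraph, which describes detecting tampering in flight. Suggest "Ceph signs all messages so that tampering in flight can be detected; see Signatures above," which keeps the two descriptions consistent. Since ``cephx sign messages`` defaults to ``true`` while ``cephx require signatures`` defaults to ``false``, one sentence making that relationship explicit (messages are signed by default, enforcement is opt-in) would tell readers more than the word "spoof".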