From: Jiffin Tony Thottan
Date: Mon, 22 Feb 2021 09:46:10 +0000 (+0530)
Subject: rgw: add support for client cert and key for vault
X-Git-Tag: v17.1.0~2207^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5b9139bd366d029871d29ca90971c5ad058fcf01;p=ceph.git

rgw: add support for client cert and key for vault

Authenticate vault with help of user supplied client cert and keys.

Signed-off-by: Jiffin Tony Thottan
---

diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index 847e0fdacef..6f7f769d579 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -2393,6 +2393,20 @@ options:
   services:
   - rgw
   with_legacy: true
+- name: rgw_crypt_vault_ssl_clientcert
+  type: str
+  level: advanced
+  desc: Path for custom client certificate for accessing vault server
+  services:
+  - rgw
+  with_legacy: true
+- name: rgw_crypt_vault_ssl_clientkey
+  type: str
+  level: advanced
+  desc: Path for private key required for client cert
+  services:
+  - rgw
+  with_legacy: true
 - name: rgw_crypt_kmip_addr
   type: str
   level: advanced
diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc
index dacf9fecadb..059a2091bbd 100644
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
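Review bot: The two `desc` strings do not say that the options only work as a pair, yet the rgw_http_client.cc hunk of this same commit drops a certificate that has no matching key with only a level-5 log and sends the request without client authentication. Suggest `desc: Path for custom client certificate for accessing vault server; has no effect unless rgw_crypt_vault_ssl_clientkey is also set` and `desc: Path for private key required for client cert; must be set together with rgw_crypt_vault_ssl_clientcert`. The same code path applies these files only when the http client's ssl verification is left enabled, which is worth stating here too once that behaviour is settled.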
@@ -614,9 +614,21 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
-  } else if (!ca_path.empty()) {
-    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
-    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+  } else {
+    if (!ca_path.empty()) {
+      curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+      dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+    }
+    if (!client_cert.empty()) {
+      if (!client_key.empty()) {
+        curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
+        curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
+        dout(20) << "using custom client cert " << client_cert.c_str()
+                 << " and private key " << client_key.c_str() << dendl;
+      } else {
+        dout(5) << "private key is missing for client certificate" << dendl;
+      }
+    }
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h
index 5782be6da5c..355e4181df9 100644
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@@ -42,6 +42,10 @@ class RGWHTTPClient : public RGWIOProvider,
   string ca_path;
+  string client_cert;
+
+  string client_key;
+
   std::atomic stopped { 0 };
@@ -178,6 +182,14 @@ public:
   void set_ca_path(const string& _ca_path) {
     ca_path = _ca_path;
   }
+
+  void set_client_cert(const string& _client_cert) {
+    client_cert = _client_cert;
+  }
+
+  void set_client_key(const string& _client_key) {
+    client_key = _client_key;
+  }
 };
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index 687adb7700b..dcdcf875115 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
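Review bot: The client certificate is only installed inside the `else` branch, so whenever ssl verification is switched off the configured cert and key are silently never sent; client authentication (mTLS) is independent of server-certificate verification and should be applied in both cases. The `dout(5)` fallback for a cert without a key has the same silent-downgrade shape: the operator explicitly asked for client auth, the request goes out without it, and the only symptom is a later generic Vault failure, so init_request should fail there instead (the function's start, remaining body and its error-return convention are outside this hunk, so `-EINVAL` below is an assumption to confirm). The two rgw_http_client.h hunks that add the members and setters need no change. Suggested shape of the SSL setup:
```cpp
  } else if (!ca_path.empty()) {
    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
  }
  // client authentication is independent of server verification, so it is
  // configured regardless of verify_ssl
  if (!client_cert.empty()) {
    if (client_key.empty()) {
      dout(0) << "ERROR: private key is missing for client certificate "
              << client_cert.c_str() << dendl;
      return -EINVAL;
    }
    curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
    curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
    dout(20) << "using custom client cert " << client_cert.c_str()
             << " and private key " << client_key.c_str() << dendl;
  }
  // … unchanged: CURLOPT_PRIVATE / CURLOPT_TIMEOUT setup …
```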
@@ -258,6 +258,13 @@ protected:
       secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
     }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientcert.empty()) {
+      secret_req.set_client_cert(cct->_conf->rgw_crypt_vault_ssl_clientcert);
+    }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) {
+      secret_req.set_client_key(cct->_conf->rgw_crypt_vault_ssl_clientkey);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;
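Review bot: The two options are forwarded independently, so a misconfiguration where only one of them is set is not caught at the point where the operator's intent is known; it is only noticed far down in the http client, and then only as a log line. Validate the pair here before `secret_req.process(null_yield)`: if `cct->_conf->rgw_crypt_vault_ssl_clientcert.empty() != cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()`, log `ERROR: rgw_crypt_vault_ssl_clientcert and rgw_crypt_vault_ssl_clientkey must be set together` at level 0 and return an error rather than issuing the request. The enclosing function begins outside this hunk, so whether `-EINVAL` or another negative code matches its existing return convention needs confirming against the rest of the body.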