From: Abhishek Lekshmanan
Date: Thu, 25 Feb 2016 10:07:51 +0000 (+0100)
Subject: rgw: add insecure option to the http client
X-Git-Tag: v10.1.0~288^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5d4173543fe9ee2be0139f228cdc82d3e0135aad;p=ceph.git

rgw: add insecure option to the http client

This allows the http client to turn off ssl certificate peer checking, which is turned on by default. This is useful in cases like when Keystone is SSL terminated with a self signed certificate.

The option `rgw_keystone_verify_ssl` (default true) can be toggled if self signed certs are used, so that swift and s3 apis using keystone authentication can work.

Fixes: #14583
Reported-by: Karol Mroz
Signed-off-by: Abhishek Lekshmanan
---

diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index 75303a4fe1a94..4e8a0523550e0 100644
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -1192,6 +1192,7 @@ OPTION(rgw_keystone_api_version, OPT_INT, 2) // Version of Keystone API to use (
 OPTION(rgw_keystone_accepted_roles, OPT_STR, "Member, admin") // roles required to serve requests
 OPTION(rgw_keystone_token_cache_size, OPT_INT, 10000) // max number of entries in keystone token cache
 OPTION(rgw_keystone_revocation_interval, OPT_INT, 15 * 60) // seconds between tokens revocation check
+OPTION(rgw_keystone_verify_ssl, OPT_BOOL, true) // should we try to verify keystone's ssl
 OPTION(rgw_s3_auth_use_rados, OPT_BOOL, true) // should we try to use the internal credentials for s3?
 OPTION(rgw_s3_auth_use_keystone, OPT_BOOL, false) // should we try to use keystone for s3?
 OPTION(rgw_admin_entry, OPT_STR, "admin") // entry point for which a url is considered an admin request
diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc
index c04a47d9a4ec9..40fdb0cae5e78 100644
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
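Review bot: The comment on the new `rgw_keystone_verify_ssl` option does not tell an operator what switching it off costs: the client-side hunk in this commit clears both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, so a false value removes all protection against a spoofed Keystone endpoint, and Keystone is the service the swift and s3 hunks fetch the admin token from and validate user tokens against. Suggest `OPTION(rgw_keystone_verify_ssl, OPT_BOOL, true) // verify keystone's TLS certificate and hostname; false disables MITM protection, only for self-signed test endpoints`. A safer way to support self-signed certificates would be a CA-file path handed to CURLOPT_CAINFO, which keeps verification on; worth tracking as a follow-up rather than blocking this change.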
@@ -113,6 +113,12 @@ int RGWHTTPClient::process(const char *method, const char *url)
 if (has_send_len) {
 curl_easy_setopt(curl_handle, CURLOPT_INFILESIZE, (void *)send_len);
 }
+ if (!verify_ssl) {
+ curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0L);
+ curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0L);
+ dout(20) << "ssl verification is set to off" << dendl;
+ }
+
 CURLcode status = curl_easy_perform(curl_handle);
 if (status) {
 dout(0) << "curl_easy_perform returned error: " << error_buf << dendl;
diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h
index 3235fe11540d6..d2105cbf25937 100644
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@@ -27,6 +27,7 @@ class RGWHTTPClient
 string last_method;
 string last_url;
+ bool verify_ssl; // Do not validate self signed certificates, default to false
 protected:
 CephContext *cct;
@@ -34,6 +35,7 @@ protected:
 list > headers;
 int init_request(const char *method, const char *url, rgw_http_req_data *req_data);
 public:
+
 static const long HTTP_STATUS_NOSTATUS = 0;
 static const long HTTP_STATUS_UNAUTHORIZED = 401;
@@ -44,6 +46,7 @@ public:
 http_status(HTTP_STATUS_NOSTATUS),
 req_data(nullptr),
 user_info(nullptr),
+ verify_ssl(true),
 cct(_cct) { }
@@ -68,10 +71,15 @@ public:
 has_send_len = true;
 }
+
 long get_http_status() const { return http_status; }
+ void set_verify_ssl(bool flag) {
+ verify_ssl = flag;
+ }
+
 int process(const char *method, const char *url);
 int process(const char *url) { return process("GET", url); }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 81ccc1db201fe..4adebb803fe36 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
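Review bot: The `dout(20)` inside the new `if (!verify_ssl)` block means a log at the default level will never record that certificate and hostname checking was switched off for a request, which is exactly the condition an operator or incident responder needs to be able to find; `dout(5) << "ssl verification is set to off for " << url << dendl;` (or one warning at the point the option is read) would be more appropriate. The branch also only ever turns verification off: if `curl_handle` is reused across calls (its creation is outside the hunk), nothing turns it back on, so an explicit else arm setting CURLOPT_SSL_VERIFYPEER to 1L and CURLOPT_SSL_VERIFYHOST to 2L would make the state independent of handle history. process() begins and ends outside the hunk.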
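Review bot: The comment on the new `verify_ssl` member says the opposite of what the code does: the constructor hunk below initialises it to `verify_ssl(true)` and the client hunk skips the curl verification calls only when it is false, so it is "verify the peer", default true, not "do not validate self signed certificates, default to false". Suggest `bool verify_ssl; // verify the peer's TLS certificate and hostname (CURLOPT_SSL_VERIFYPEER/VERIFYHOST); default true, cleared via set_verify_ssl()`. The class body continues outside the hunk.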
@@ -2773,6 +2773,9 @@ int RGW_Auth_S3_Keystone_ValidateToken::validate_s3token(
 append_header("X-Auth-Token", admin_token_id);
 append_header("Content-Type", "application/json");
+ /* check if we want to verify keystone's ssl certs */
+ set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl);
+
 /* encode token */
 bufferlist token_buff;
 bufferlist token_encoded;
diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc
index 831fd5e52a7ba..3d2e707087785 100644
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
@@ -114,6 +114,9 @@ class RGWPostHTTPData : public RGWHTTPClient {
 std::string subject_token;
 public:
 RGWPostHTTPData(CephContext *_cct, bufferlist *_bl) : RGWHTTPClient(_cct), bl(_bl), post_data_index(0) {}
+ RGWPostHTTPData(CephContext *_cct, bufferlist *_bl, bool verify_ssl) : RGWHTTPClient(_cct), bl(_bl), post_data_index(0){
+ set_verify_ssl(verify_ssl);
+ }
 void set_post_data(const std::string& _post_data) {
 this->post_data = _post_data;
@@ -253,7 +256,7 @@ int RGWSwift::get_keystone_url(CephContext * const cct,
 std::string& url)
 {
 bufferlist bl;
- RGWGetRevokedTokens req(cct, &bl);
+ RGWGetRevokedTokens req(cct, &bl, cct->_conf->rgw_keystone_verify_ssl);
 url = cct->_conf->rgw_keystone_url;
 if (url.empty()) {
@@ -287,7 +290,7 @@ int RGWSwift::get_keystone_admin_token(CephContext * const cct,
 return 0;
 }
 bufferlist token_bl;
- RGWGetKeystoneAdminToken token_req(cct, &token_bl);
+ RGWGetKeystoneAdminToken token_req(cct, &token_bl, cct->_conf->rgw_keystone_verify_ssl);
 token_req.append_header("Content-Type", "application/json");
 JSONFormatter jf;
@@ -548,7 +551,7 @@ int RGWSwift::validate_keystone_token(RGWRados *store, const string& token, stru
 /* can't decode, just go to the keystone server for validation */
- RGWValidateKeystoneToken validate(cct, &bl);
+ RGWValidateKeystoneToken validate(cct, &bl, cct->_conf->rgw_keystone_verify_ssl);
 string url = g_conf->rgw_keystone_url;
 if (url.empty()) {
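Review bot: In the added RGWPostHTTPData constructor the parameter `verify_ssl` carries the same name as the RGWHTTPClient member it ends up setting; that member is declared before `protected:` in the base, so the body reads the parameter as intended, but the shadowing trips -Wshadow and reads like a member write. A default argument on the existing constructor, `RGWPostHTTPData(CephContext *_cct, bufferlist *_bl, bool verify = true) : RGWHTTPClient(_cct), bl(_bl), post_data_index(0) { set_verify_ssl(verify); }`, removes the duplicate constructor and the shadowing while keeping the two-argument callers working. The new line is also missing the space before `{` after `post_data_index(0)`. The class body continues outside the hunk.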