From: Sage Weil Date: Mon, 9 Aug 2021 15:59:54 +0000 (-0400) Subject: rgw: default auth_client_required=cephx X-Git-Tag: v17.1.0~1061^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=6010eae66cd12358880fff64e2229a4265a5cf0a;p=ceph.git rgw: default auth_client_required=cephx This makes this warning go away: 2021-08-09T15:51:52.882+0000 7f2373837400 -1 warn_if_insecure(): WARNING: rgw is configured to optionally allow insecure connections to the monitors (auth_supported, ms_mon_client_mode), ssl certificates stored at the monitor configuration could leak 7e22d2a31d277ab3eecff47b0864b206a32e2332 only fixed half of the problem. Signed-off-by: Sage Weil --- diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 6298b8929229..a99800edb8af 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -386,3 +386,8 @@ from Octopus) will be automatically migrated when the cluster is upgraded. Note that the NFS ganesha daemons will be redeployed and it is possible that their IPs will change. + +* RGW now requires a secure connection to the monitor by default + (``auth_client_required=cephx`` and ``ms_mon_client_mode=secure``). + If you have cephx authentication disabled on your cluster, you may + need to adjust these settings for RGW. diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc index cf9295a88899..1d569bfba237 100644 --- a/src/rgw/rgw_main.cc +++ b/src/rgw/rgw_main.cc @@ -191,7 +191,9 @@ int radosgw_Main(int argc, const char **argv) { "debug_rgw", "1/5" }, { "keyring", "$rgw_data/keyring" }, { "objecter_inflight_ops", "24576" }, - { "ms_mon_client_mode", "secure" } + // require a secure mon connection by default + { "ms_mon_client_mode", "secure" }, + { "auth_client_required", "cephx" } }; vector args;
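Review bot: in the PendingReleaseNotes hunk, the last sentence of the new entry ("you may need to adjust these settings for RGW") does not tell an operator with cephx disabled which values such a cluster should use or what is given up by changing them. Suggest saying which of ``auth_client_required`` and ``ms_mon_client_mode`` has to change and to what, and stating the consequence named in the warn_if_insecure() message from the commit message: with insecure monitor connections allowed, ssl certificates stored at the monitor configuration could leak.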
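Review bot: in the src/rgw/rgw_main.cc hunk, the new comment "require a secure mon connection by default" sits above ms_mon_client_mode and does not say why auth_client_required is needed as well, while the warning this commit silences names auth_supported rather than auth_client_required. Suggest extending the comment to state that both defaults are required for warn_if_insecure() to stay quiet and how auth_client_required relates to auth_supported, so that a later cleanup does not drop one of the two entries and repeat the half fix the commit message mentions.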