From: Sage Weil Date: Mon, 9 Aug 2021 15:59:54 +0000 (-0400) Subject: rgw: default auth_client_required=cephx X-Git-Tag: v16.2.8~95^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F45439%2Fhead;p=ceph.git rgw: default auth_client_required=cephx This makes this warning go away: 2021-08-09T15:51:52.882+0000 7f2373837400 -1 warn_if_insecure(): WARNING: rgw is configured to optionally allow insecure connections to the monitors (auth_supported, ms_mon_client_mode), ssl certificates stored at the monitor configuration could leak 7e22d2a31d277ab3eecff47b0864b206a32e2332 only fixed half of the problem. Signed-off-by: Sage Weil (cherry picked from commit 6010eae66cd12358880fff64e2229a4265a5cf0a) --- diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 911b9a0c74d..1ff5d73ba64 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -444,3 +444,8 @@ from Octopus) will be automatically migrated when the cluster is upgraded. Note that the NFS ganesha daemons will be redeployed and it is possible that their IPs will change. + +* RGW now requires a secure connection to the monitor by default + (``auth_client_required=cephx`` and ``ms_mon_client_mode=secure``). + If you have cephx authentication disabled on your cluster, you may + need to adjust these settings for RGW. diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc index 3d1a992e9e7..e0379f1f800 100644 --- a/src/rgw/rgw_main.cc +++ b/src/rgw/rgw_main.cc @@ -196,7 +196,9 @@ int radosgw_Main(int argc, const char **argv) { "debug_rgw", "1/5" }, { "keyring", "$rgw_data/keyring" }, { "objecter_inflight_ops", "24576" }, - { "ms_mon_client_mode", "secure" } + // require a secure mon connection by default + { "ms_mon_client_mode", "secure" }, + { "auth_client_required", "cephx" } }; vector args;
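Review bot: The PendingReleaseNotes entry tells operators with cephx disabled that they "may need to adjust these settings for RGW" but does not say what to set or where. Suggest naming the override explicitly (the values of ``auth_client_required`` and ``ms_mon_client_mode`` that such a cluster should put in the RGW client section), and stating what an operator will see after upgrade if they do nothing, since this changes a default in a stable-branch cherry-pick. It would also help to note that ``ms_mon_client_mode=secure`` was already the RGW default before this change (it appears as an existing entry in the rgw_main.cc hunk), so that readers can tell ``auth_client_required=cephx`` is the part that is new here.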
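Review bot: In the rgw_main.cc defaults map, the new comment "require a secure mon connection by default" sits above `ms_mon_client_mode` only, so it is not obvious that the `auth_client_required` entry below it belongs to the same requirement. Suggest rewording the comment to say that both entries are needed together to satisfy warn_if_insecure() (the commit message says the earlier commit with only `ms_mon_client_mode` "only fixed half of the problem"), and that these are defaults an operator's configuration can still override. The hunk also adds no test or check for the case the release note calls out, a cluster with cephx disabled, so it is worth confirming in the PR how RGW behaves at startup against such a cluster with the new default.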