From 77d704ab057c35e26004fe0a09386054da5235a4 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Mon, 9 Aug 2021 11:59:54 -0400 Subject: [PATCH] rgw: default auth_client_required=cephx This makes this warning go away: 2021-08-09T15:51:52.882+0000 7f2373837400 -1 warn_if_insecure(): WARNING: rgw is configured to optionally allow insecure connections to the monitors (auth_supported, ms_mon_client_mode), ssl certificates stored at the monitor configuration could leak 7e22d2a31d277ab3eecff47b0864b206a32e2332 only fixed half of the problem. Signed-off-by: Sage Weil (cherry picked from commit 6010eae66cd12358880fff64e2229a4265a5cf0a) --- PendingReleaseNotes | 5 +++++ src/rgw/rgw_main.cc | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 911b9a0c74dfb..1ff5d73ba64d4 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -444,3 +444,8 @@ from Octopus) will be automatically migrated when the cluster is upgraded. Note that the NFS ganesha daemons will be redeployed and it is possible that their IPs will change. + +* RGW now requires a secure connection to the monitor by default + (``auth_client_required=cephx`` and ``ms_mon_client_mode=secure``). + If you have cephx authentication disabled on your cluster, you may + need to adjust these settings for RGW. diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc index 3d1a992e9e706..e0379f1f80025 100644 --- a/src/rgw/rgw_main.cc +++ b/src/rgw/rgw_main.cc @@ -196,7 +196,9 @@ int radosgw_Main(int argc, const char **argv) { "debug_rgw", "1/5" }, { "keyring", "$rgw_data/keyring" }, { "objecter_inflight_ops", "24576" }, - { "ms_mon_client_mode", "secure" } + // require a secure mon connection by default + { "ms_mon_client_mode", "secure" }, + { "auth_client_required", "cephx" } }; vector args; -- 2.39.5
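Review bot: In the PendingReleaseNotes hunk, the closing sentence "you may need to adjust these settings for RGW" does not tell an operator which of the two options to change or to what value when cephx is disabled on the cluster. It also does not say what to expect afterwards. Suggest naming the option(s) and value(s) to override for RGW, and stating that relaxing them brings back the warn_if_insecure() warning quoted in the commit message, since the certificates stored in the monitor configuration could then leak over an insecure mon connection.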
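Review bot: In the src/rgw/rgw_main.cc hunk, the new comment "// require a secure mon connection by default" does not record that the two entries below it have to stay together for warn_if_insecure() to remain quiet. The commit message notes that the earlier change, which set only ms_mon_client_mode, fixed half of the problem. Suggest extending the comment to say that both ms_mon_client_mode=secure and auth_client_required=cephx are needed and why (SSL certificates stored in the monitor configuration). The diffstat touches only PendingReleaseNotes and rgw_main.cc, so nothing here checks that the warning stays silent with the default settings; a test for that would catch a repeat of the half-fix.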