auth/cephx: rotate auth tickets less often
If unauthorized global_id (re)use is disallowed, a client that has
been disconnected from the network long enough for keys to rotate
and its auth ticket to expire (i.e. become invalid/unverifiable)
would not be able to reconnect.

The default TTL is 12 hours, resulting in a 12-24 hour reconnect
window (the previous key is kept around, so the actual window can be
up to double the TTL).  The setting has stayed the same since 2009,
but it also hasn't been enforced.  Bump it to get a 72 hour reconnect
window to cover for something breaking on Friday and not getting fixed
until Monday.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 522a52e)
idryomov committed Apr 12, 2021
1 parent af560a1 commit 1f57617
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/common/options.cc
Expand Up @@ -2257,7 +2257,7 @@ std::vector<Option> get_global_options() {
.set_description(""),

Option("auth_mon_ticket_ttl", Option::TYPE_FLOAT, Option::LEVEL_ADVANCED)
.set_default(12_hr)
.set_default(72_hr)
.set_description(""),

Option("auth_service_ticket_ttl", Option::TYPE_FLOAT, Option::LEVEL_ADVANCED)
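Review bot: the `.set_description("")` on `auth_mon_ticket_ttl` is still empty, so the reasoning behind the new default exists only in the commit message. Since this default now decides how long a disconnected client can still reconnect, please put a short description on the option: what the value governs, and that the previous key is kept around so the effective window can be up to double the TTL. It would also help to note the trade-off of the `12_hr` to `72_hr` change for operators, since a longer TTL means an issued ticket stays verifiable for longer; sites that prefer a shorter validity period should know this is the knob to lower, and what reconnect window they give up by doing so.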