
rgw: add ssl support to beast frontend #20464

Merged
merged 4 commits into from Apr 6, 2018

4 participants

@cbodley (Contributor) commented Feb 16, 2018

adds frontend options ssl_certificate, ssl_private_key, ssl_port, ssl_endpoint

Fixes: http://tracker.ceph.com/issues/22832

(depends on one refactoring commit from #20449)

TODO:

  • make the openssl include/linkage optional in cmake
  • only initialize the openssl context if ssl_certificate is provided
  • add test support for teuthology (build on #20444)

@cbodley cbodley force-pushed the cbodley:wip-rgw-beast-ssl branch from d026397 to b6caa29 Feb 16, 2018

@cbodley cbodley force-pushed the cbodley:wip-rgw-beast-ssl branch from b6caa29 to 1ddaee3 Mar 1, 2018

@cbodley cbodley force-pushed the cbodley:wip-rgw-beast-ssl branch 2 times, most recently from abf1d27 to 2ed8e76 Mar 16, 2018

@cbodley cbodley added the needs-qa label Mar 21, 2018

@cbodley cbodley force-pushed the cbodley:wip-rgw-beast-ssl branch from 2ed8e76 to ea49882 Mar 27, 2018

const bool have_cert = cert != config.end();
if (have_cert) {
  // only initialize the ssl context if it's going to be used
  ssl_context = boost::in_place(ssl::context::tls);

@cbodley (Author, Contributor) commented on the lines above, Mar 27, 2018

use of ssl::context::tls here disables the ssl v2 and v3 protocols. our s3tests currently pin the python requests library at 0.14.0, which can only do up to ssl v3. this causes some of the s3tests to fail against beast with ssl handshake failed: wrong version number errors. fixed in ceph/s3-tests#217
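The frontend options named in the PR description (ssl_certificate, ssl_private_key, ssl_port, ssl_endpoint) and the "only build the context when a certificate is configured" check discussed in the review comment above, written out as an added Python stdlib example. This is not code from the PR or from Ceph; it mirrors the logic in Python's ssl module rather than boost::asio. Assumptions, labelled in the comments: the rgw_frontends value is a frontend name followed by space-separated key=value pairs; a TLS listener configured without ssl_certificate is treated as a configuration error; when ssl_private_key is absent the key is read from the certificate file; the TLS 1.2 floor is this example's choice (ssl::context::tls only excludes SSLv2/SSLv3); the certificate paths are constructed and do not exist.

```python
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed rgw_frontends value using the options added by the PR.
# Assumption: "name k=v k=v ..." with space-separated key=value pairs.
EXAMPLE_SPEC = ("beast port=80 ssl_port=443 "
                "ssl_certificate=/etc/ceph/rgw.pem ssl_private_key=/etc/ceph/rgw.key")

Listener = Tuple[str, int, bool]  # (address, port, tls_enabled)


@dataclass
class FrontendConfig:
    name: str
    options: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str) -> Optional[str]:
        return self.options.get(key)


def parse_frontend(spec: str) -> FrontendConfig:
    """Split 'name k=v k=v' into a FrontendConfig (assumed syntax)."""
    parts = spec.split()
    if not parts:
        raise ValueError("empty frontend spec")
    cfg = FrontendConfig(parts[0])
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"bad option {token!r}")
        cfg.options[key] = value
    return cfg


def _split_endpoint(text: str) -> Tuple[str, int]:
    """'127.0.0.1:8443' or '[::1]:8443' -> (host, port)."""
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"endpoint {text!r} has no port")
    return host.strip("[]"), int(port)


def listeners(cfg: FrontendConfig) -> List[Listener]:
    """Plain listeners from port/endpoint, TLS listeners from ssl_port/ssl_endpoint."""
    out: List[Listener] = []
    for key, tls in (("port", False), ("ssl_port", True)):
        value = cfg.get(key)
        if value is not None:
            out.append(("0.0.0.0", int(value), tls))
    for key, tls in (("endpoint", False), ("ssl_endpoint", True)):
        value = cfg.get(key)
        if value is not None:
            host, port = _split_endpoint(value)
            out.append((host, port, tls))
    tls_wanted = any(tls for _, _, tls in out)
    if tls_wanted and cfg.get("ssl_certificate") is None:
        # assumption: a TLS listener with no certificate is a config error
        raise ValueError("ssl_port/ssl_endpoint given without ssl_certificate")
    return out


def hardened_server_context() -> ssl.SSLContext:
    """Server context that, like ssl::context::tls, refuses SSLv2/SSLv3.

    Python's SSLContext already sets OP_NO_SSLv2/OP_NO_SSLv3 by default;
    the TLS 1.2 floor is stricter than ssl::context::tls and is this
    example's own choice, not rgw's behaviour.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Report the protocol floor actually enforced by a context."""
    return {"no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
            "minimum_version": ctx.minimum_version.name}


def make_ssl_context(cfg: FrontendConfig) -> Optional[ssl.SSLContext]:
    """Mirror the PR's have_cert check: no ssl_certificate -> no context."""
    cert = cfg.get("ssl_certificate")
    if cert is None:
        return None
    ctx = hardened_server_context()
    # assumption: without ssl_private_key the key is read from the cert file
    ctx.load_cert_chain(certfile=cert, keyfile=cfg.get("ssl_private_key"))
    return ctx


if __name__ == "__main__":
    cfg = parse_frontend(EXAMPLE_SPEC)
    for addr, port, tls in listeners(cfg):
        print(f"{'https' if tls else 'http'} listener on {addr}:{port}")
    try:
        print("tls context created:", make_ssl_context(cfg) is not None)
    except OSError as exc:  # the constructed cert paths do not exist here
        print("could not load certificate:", exc)
```

Running it against a spec with only `port=` returns no context at all, which is the behaviour the review comment describes; a spec with `ssl_port=` but no `ssl_certificate=` is rejected before any listener is opened.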

@cbodley cbodley removed the needs-qa label Mar 27, 2018

@cbodley cbodley requested a review from theanalyst Mar 27, 2018

cbodley added some commits Jan 23, 2018

rgw: factor the tcp::socket out of ClientIO
remove ClientIO's dependency on a concrete socket type by moving it into
a derived StreamIO class in rgw_asio_frontend.cc

Signed-off-by: Casey Bodley <cbodley@redhat.com>
rgw: add ssl support to beast frontend
adds frontend options ssl_certificate, ssl_private_key, ssl_port, ssl_endpoint

Fixes: http://tracker.ceph.com/issues/22832

Signed-off-by: Casey Bodley <cbodley@redhat.com>
qa/rgw: verify suite tests beast with ssl
instead of adding special frontend configs like civetweb_ssl.yaml and
beast_ssl.yaml, added a new proto/ subdirectory for http.yaml and
https.yaml

Signed-off-by: Casey Bodley <cbodley@redhat.com>
rgw: beast frontend calls shutdown before closing connections
Signed-off-by: Casey Bodley <cbodley@redhat.com>

@cbodley cbodley force-pushed the cbodley:wip-rgw-beast-ssl branch from ea49882 to fe5fb47 Apr 5, 2018

@cbodley (Contributor, Author) commented Apr 6, 2018

jenkins test this please


@cbodley (Contributor, Author) commented Apr 6, 2018

after ceph/s3-tests#217 merged, i cherry-picked to ceph-master but missed one of the commits. so the first teuthology run had some s3test failures because of that

and after fixing ceph-master, the rerun was clean. so this one is finally ready!

@cbodley cbodley merged commit 072a9be into ceph:master Apr 6, 2018

4 of 5 checks passed

  • make check (arm64): make check failed
  • Docs: build check: OK - docs built
  • Signed-off-by: all commits in this PR are signed
  • Unmodified Submodules: submodules for project are unmodified
  • make check: make check succeeded

@cbodley cbodley deleted the cbodley:wip-rgw-beast-ssl branch Apr 6, 2018

@cbodley (Contributor, Author) commented Apr 6, 2018

@theanalyst thanks for help with review/testing!

@Kriechi (Contributor) commented Feb 15, 2019

@cbodley is it possible to reload the ssl_certificate without restarting the whole radosgw process?

@cbodley (Contributor, Author) commented Feb 18, 2019

no @Kriechi, the rgw_frontends config is only parsed once on startup when frontends are initialized

@Kriechi (Contributor) commented Feb 18, 2019

@cbodley civetweb provides such functionality. My impression was that beast is the "new" frontend and civetweb will be phased out? If so, I think not having a cert reload without killing the process is a regression.

I tried to look at the beast source code to find something in this area, but didn't find anything useful so far.

@cbodley (Contributor, Author) commented Feb 18, 2019

can you explain how to accomplish that with civetweb in rgw? i hadn't seen any mechanism in radosgw to do it

@mattbenjamin (Contributor) commented Feb 18, 2019

@Kriechi could you create a tracker ticket for this issue (as this is merged)?

Matt

@Kriechi (Contributor) commented Feb 18, 2019

@cbodley I'm currently using this flag in the rgw frontend config section of ceph.conf:
https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md#ssl_short_trust-no
