mgr/dashboard: RGW proxy can't handle self-signed SSL certificates #22735
Conversation
| @@ -175,7 +175,8 @@ def __init__(self, # pylint: disable-msg=R0913 | |||
| self.admin_path = admin_path | |||
|
|
|||
| s3auth = S3Auth(access_key, secret_key, service_url=self.service_url) | |||
| super(RgwClient, self).__init__(host, port, 'RGW', ssl, s3auth) | |||
| # Disable SSL verification to support self-signed certificates. | |||
| super(RgwClient, self).__init__(host, port, 'RGW', ssl, s3auth, ssl_verify=False) | |||
There was a problem hiding this comment.
Disabling ssl_verify per default is not a good idea. An idea would be to make it configurable in a setting.
There was a problem hiding this comment.
@sebastian-philipp I agree, this should be configurable in some form.
|
Here is the fix in openATTIC: https://bitbucket.org/openattic/openattic/pull-requests/859/op-3161-openattic-fails-when-rgw-is/diff |
votdev
force-pushed
the
bug_24677
branch
4 times, most recently
from
9417aa3
to
d6943c1
Compare
|
@sebastian-philipp The SSL verification can be configured now. |
doc/mgr/dashboard.rst
Outdated
| @@ -236,6 +236,11 @@ exist and you may find yourself in the situation that you have to use them:: | |||
| $ ceph dashboard set-rgw-api-admin-resource <admin_resource> | |||
| $ ceph dashboard set-rgw-api-user-id <user_id> | |||
|
|
|||
| If you are using a self-signed certificate in your Object Gateway setup, then | |||
| you should disable SSL verification in the dashboard:: | |||
There was a problem hiding this comment.
s/SSL verification/certificate verification/ maybe?
And maybe explain why it should be disabled? To avoid errors?
doc/mgr/dashboard.rst
Outdated
| you should disable certificate verification in the dashboard to avoid refused | ||
| connections:: | ||
|
|
||
| $ ceph dashboard set-rgw-api-no-ssl-verify True |
There was a problem hiding this comment.
I'd suggest to rename this to rgw-api-cert-verification. You're verifying the certificate, not the SSL protocol per se :)
Also, I think we should avoid double negation to avoid confusion: instead of setting "no-ssl-verify" to "True", I suggest to use set the verification to "False" (disabled).
There was a problem hiding this comment.
I've adapted the name from various tools that support a knob called --no-ssl-verify:
https://git-scm.com/docs/git-config#git-config-httpsslVerify
https://puppet.com/docs/bolt/0.x/new_features.html#support-for-no-ssl-verify-flag-0-18-0
https://phab.enlightenment.org/w/efl.net/
https://www.icinga.com/docs/director/latest/vsphere/doc/04-CLI-Commands/
There was a problem hiding this comment.
I'd also prefer positive names for boolean variables and I think that it's a difference if a command line flag is called --no-ssl-verify which disables a features without having to provide a value than using a negated variable name and having to provide a value.
http://truelogic.org/wordpress/2009/02/27/how-not-to-name-a-boolean-variable/
https://stackoverflow.com/questions/1227998/naming-conventions-what-to-name-a-boolean-variable
http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
votdev
force-pushed
the
bug_24677
branch
2 times, most recently
from
0ef4eb4
to
1eeb3b8
Compare
|
All comments have been adressed. Please re-review the PR. |
|
Hey @votdev, I guess you didn't add |
Fixes tracker.ceph.com/issues/24677 Signed-off-by: Volker Theile <vtheile@suse.com>
|
@s0nea Thx. Arghhh, seems to happen everytime when doing a rebase. This git submodules makes me crazy. |
votdev
dismissed
LenzGr’s stale review
The requested changes have been adressed.
Fixes https://tracker.ceph.com/issues/24677
The SSL certificate verification can be disabled via
ceph dashboard set-rgw-api-no-ssl-verify Trueand the current setting can be checked viaceph dashboard get-rgw-api-no-ssl-verify.Signed-off-by: Volker Theile vtheile@suse.com