mgr/dashboard: RGW proxy can't handle self-signed SSL certificates #22735
@@ -175,7 +175,8 @@ def __init__(self, # pylint: disable-msg=R0913 | |||
self.admin_path = admin_path | |||
|
|||
s3auth = S3Auth(access_key, secret_key, service_url=self.service_url) | |||
super(RgwClient, self).__init__(host, port, 'RGW', ssl, s3auth) | |||
# Disable SSL verification to support self-signed certificates. | |||
super(RgwClient, self).__init__(host, port, 'RGW', ssl, s3auth, ssl_verify=False) |
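Review bot: The replacement `super(RgwClient, self).__init__(...)` call hardcodes `ssl_verify=False`, so certificate verification is switched off for every RGW connection, including gateways that present a CA-signed certificate, and requests signed with the `s3auth` credentials go to an endpoint whose identity is never checked. Suggest reading the value from a dashboard setting that defaults to verification enabled and passing that through, so only deployments with a self-signed certificate opt out.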
Disabling `ssl_verify` per default is not a good idea. An idea would be to make it configurable in a setting.
@sebastian-philipp I agree, this should be configurable in some form.
Here is the fix in openATTIC: https://bitbucket.org/openattic/openattic/pull-requests/859/op-3161-openattic-fails-when-rgw-is/diff
9417aa3 to d6943c1
@sebastian-philipp The SSL verification can be configured now.
doc/mgr/dashboard.rst
Outdated
@@ -236,6 +236,11 @@ exist and you may find yourself in the situation that you have to use them:: | |||
$ ceph dashboard set-rgw-api-admin-resource <admin_resource> | |||
$ ceph dashboard set-rgw-api-user-id <user_id> | |||
|
|||
If you are using a self-signed certificate in your Object Gateway setup, then | |||
you should disable SSL verification in the dashboard:: |
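Review bot: The added sentence tells users with a self-signed certificate that they "should disable SSL verification" without saying what that costs: with verification off, the dashboard no longer checks that it is talking to the intended Object Gateway. Suggest stating that consequence and that the setting is meant only for self-signed setups, so the sentence is not read as a general recommendation.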
s/SSL verification/certificate verification/ maybe?
And maybe explain why it should be disabled? To avoid errors?
doc/mgr/dashboard.rst
Outdated
you should disable certificate verification in the dashboard to avoid refused | ||
connections:: | ||
|
||
$ ceph dashboard set-rgw-api-no-ssl-verify True |
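Review bot: The documented command `$ ceph dashboard set-rgw-api-no-ssl-verify True` shows only how to switch verification off; the surrounding text gives neither the default value nor the way to restore it. Suggest stating the default and showing the `False` form that re-enables verification.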
I'd suggest to rename this to `rgw-api-cert-verification`. You're verifying the certificate, not the SSL protocol per se :)
Also, I think we should avoid double negation to avoid confusion: instead of setting "no-ssl-verify" to "True", I suggest to set the verification to "False" (disabled).
I've adapted the name from various tools that support a knob called `--no-ssl-verify`:
https://git-scm.com/docs/git-config#git-config-httpsslVerify
https://puppet.com/docs/bolt/0.x/new_features.html#support-for-no-ssl-verify-flag-0-18-0
https://phab.enlightenment.org/w/efl.net/
https://www.icinga.com/docs/director/latest/vsphere/doc/04-CLI-Commands/
I'd also prefer positive names for boolean variables and I think that it's a difference if a command line flag is called `--no-ssl-verify`, which disables a feature without having to provide a value, than using a negated variable name and having to provide a value.
http://truelogic.org/wordpress/2009/02/27/how-not-to-name-a-boolean-variable/
https://stackoverflow.com/questions/1227998/naming-conventions-what-to-name-a-boolean-variable
http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
0ef4eb4 to 1eeb3b8
All comments have been addressed. Please re-review the PR.
lgtm
Hey @votdev, I guess you didn't add
Fixes tracker.ceph.com/issues/24677 Signed-off-by: Volker Theile <vtheile@suse.com>
@s0nea Thx. Arghhh, seems to happen every time when doing a rebase. These git submodules make me crazy.
The requested changes have been addressed.
Fixes https://tracker.ceph.com/issues/24677
The SSL certificate verification can be disabled via
ceph dashboard set-rgw-api-no-ssl-verify True
and the current setting can be checked via
ceph dashboard get-rgw-api-no-ssl-verify.
Signed-off-by: Volker Theile <vtheile@suse.com>