ceph · yuvalif · Aug 25, 2022 · Oct 6, 2021 · cbodley · Aug 15, 2022
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
@@ -3575,3 +3575,18 @@ options:
   - rgw
   - osd
   with_legacy: true
+- name: rgw_allow_notification_secrets_in_cleartext
+  type: bool
+  level: advanced
+  desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages.
+  long_desc: When bucket notification endpoint require secrets (e.g. passwords),
+    we allow the topic creation only over HTTPS messages. 
+    This parameter can be set to "true" to bypass this check.
+    Use this only if radosgw is on a trusted private network, and the message 
+    broker cannot be configured without password authentication. Otherwise, this will 
+    leak the credentials of your message broker and compromise its security.
+  default: false
+  services:
+  - rgw
+  see_also:
+  - rgw_trust_forwarded_https
@@ -10,6 +10,15 @@
 #define dout_context g_ceph_context
 #define dout_subsys ceph_subsys_rgw
 
+bool verify_transport_security(CephContext *cct, const RGWEnv& env) {
+  const auto is_secure = rgw_transport_is_secure(cct, env);
+  if (!is_secure && g_conf().get_val<bool>("rgw_allow_notification_secrets_in_cleartext")) {
+    ldout(cct, 0) << "WARNING: bypassing endpoint validation, allow sending password over insecure transport" << dendl;
+    return true;
+  }
+  return is_secure;
+}
+
 bool validate_and_update_endpoint_secret(rgw_pubsub_sub_dest& dest, CephContext *cct, const RGWEnv& env) {
   if (dest.push_endpoint.empty()) {
       return true;
@@ -24,7 +33,7 @@ bool validate_and_update_endpoint_secret(rgw_pubsub_sub_dest& dest, CephContext
   ceph_assert(user.empty() == password.empty());
   if (!user.empty()) {
       dest.stored_secret = true;
-      if (!rgw_transport_is_secure(cct, env)) {
+      if (!verify_transport_security(cct, env)) {
         ldout(cct, 1) << "endpoint validation error: sending password over insecure transport" << dendl;
         return false;
       }
@@ -71,7 +80,7 @@ void RGWPSListTopicsOp::execute(optional_yield y) {
     ldpp_dout(this, 1) << "failed to get topics, ret=" << op_ret << dendl;
     return;
   }
-  if (topics_has_endpoint_secret(result) && !rgw_transport_is_secure(s->cct, *(s->info.env))) {
+  if (topics_has_endpoint_secret(result) && !verify_transport_security(s->cct, *(s->info.env))) {
     ldpp_dout(this, 1) << "topics contain secret and cannot be sent over insecure transport" << dendl;
     op_ret = -EPERM;
     return;
@@ -86,7 +95,7 @@ void RGWPSGetTopicOp::execute(optional_yield y) {
   }
   ps.emplace(static_cast<rgw::sal::RadosStore*>(store), s->owner.get_id().tenant);
   op_ret = ps->get_topic(topic_name, &result);
-  if (topic_has_endpoint_secret(result) && !rgw_transport_is_secure(s->cct, *(s->info.env))) {
+  if (topic_has_endpoint_secret(result) && !verify_transport_security(s->cct, *(s->info.env))) {
     ldpp_dout(this, 1) << "topic '" << topic_name << "' contain secret and cannot be sent over insecure transport" << dendl;
     op_ret = -EPERM;
     return;
@@ -135,7 +144,7 @@ void RGWPSGetSubOp::execute(optional_yield y) {
   ps.emplace(static_cast<rgw::sal::RadosStore*>(store), s->owner.get_id().tenant);
   auto sub = ps->get_sub(sub_name);
   op_ret = sub->get_conf(&result);
-  if (subscription_has_endpoint_secret(result) && !rgw_transport_is_secure(s->cct, *(s->info.env))) {
+  if (subscription_has_endpoint_secret(result) && !verify_transport_security(s->cct, *(s->info.env))) {
     ldpp_dout(this, 1) << "subscription '" << sub_name << "' contain secret and cannot be sent over insecure transport" << dendl;
     op_ret = -EPERM;
     return;