[pve-devel] [RFC storage] rbd: support auth=none if pveceph-managed

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Sep 11 12:31:06 CEST 2017


preserve the old behaviour of selecting auth_supported based on the
existence of the keyring, but limit it to external clusters.

this allows switching 'auth XXX required' in the pveceph-managed
ceph.conf while still automatically copying the keyring when adding a
storage.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
this is a bit of a workaround:

1.) auth_supported actually means auth_required (it sets all the
'auth XXX required' options)

this meant having a keyring file for a storage causes errors if the cluster is
actually using no authentication. since we now automatically create the keyring
file when adding a storage without monhost set, this would likely affect users
running with auth = none.

2.) mixing pveceph and external clusters causes weird fallbacks

since a pveceph managed ceph.conf contains a keyring line for the client.admin
key, even with cephx configured access is possible without having a storage
specific keyring. this is not problematic per se, as cephx does not share the
key material during authentication even though the keys are symmetric.

I don't want to get rid of the storage-specific keyring altogether, because in
the future moving to a less-privileged key for storage-access might be
desirable.

suggestions for better ways to handle this and more testing of various
combinations welcome ;)

 PVE/Storage/RBDPlugin.pm | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/PVE/Storage/RBDPlugin.pm b/PVE/Storage/RBDPlugin.pm
index 791b1bd..decfbf5 100644
--- a/PVE/Storage/RBDPlugin.pm
+++ b/PVE/Storage/RBDPlugin.pm
@@ -53,14 +53,12 @@ my $build_cmd = sub {
 	push @$cmd, '-c', $pveceph_config;
     } else {
 	push @$cmd, '-m', $hostlist->($scfg->{monhost}, ',');
+	push @$cmd, '--auth_supported', -e $keyring ? 'cephx' : 'none';
     }
 
     if (-e $keyring) {
 	push @$cmd, '-n', "client.$username";
 	push @$cmd, '--keyring', $keyring;
-	push @$cmd, '--auth_supported', 'cephx';
-    } else {
-	push @$cmd, '--auth_supported', 'none';
     }
 
     my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf";
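Review bot: `-e $keyring` is now evaluated twice in `$build_cmd` for the external-cluster case, once at `push @$cmd, '--auth_supported', -e $keyring ? 'cephx' : 'none';` and again at `if (-e $keyring) {`, so if the keyring file appears or disappears between the two stat calls the command can end up with `--auth_supported none` next to `-n client.$username --keyring $keyring`, or with `cephx` and no keyring at all. Read it once into `my $has_keyring = -e $keyring;` near the top of the sub and use that in both places. It would also help to say in the commit message that for the pveceph-managed branch the auth mode now comes solely from `$pveceph_config`, while `-n`/`--keyring` are still appended whenever the storage keyring exists.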
@@ -308,6 +306,7 @@ sub path {
 
     my $path = "rbd:$pool/$name";
     my $pveceph_managed = !defined($scfg->{monhost});
+    my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";
 
     if ($pveceph_managed) {
 	$path .= ":conf=$pveceph_config";
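Review bot: moving `my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";` up is fine, but it now sits beside a second inline literal, `"/etc/pve/priv/ceph/${storeid}.conf"`, that is built further down in this sub and again in `$build_cmd`; a small helper returning the per-storage keyring and conf paths would keep the two subs from drifting apart. Minor, no functional issue.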
@@ -315,15 +314,10 @@ sub path {
 	my $monhost = $hostlist->($scfg->{monhost}, ';');
 	$monhost =~ s/:/\\:/g;
 	$path .= ":mon_host=$monhost";
+	$path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none";
     }
 
-    my $keyring = "/etc/pve/priv/ceph/${storeid}.keyring";
-
-    if (-e $keyring) {
-        $path .= ":id=$username:auth_supported=cephx:keyring=$keyring";
-    } else {
-	$path .= ":auth_supported=none";
-    }
+    $path .= ":id=$username:keyring=$keyring" if -e $keyring;
 
     my $cephconfig = "/etc/pve/priv/ceph/${storeid}.conf";
 
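Review bot: same double `-e $keyring` as in `$build_cmd`: `$path .= -e $keyring ? ":auth_supported=cephx" : ":auth_supported=none";` and `$path .= ":id=$username:keyring=$keyring" if -e $keyring;` test the file separately, so a keyring created in between (and the cover text says the keyring is now created automatically when a storage is added) yields `auth_supported=none` combined with `id=`/`keyring=` in the rbd path; hoist the test once right after `$keyring` is assigned and reuse it. As a side effect the rewrite also drops the removed block's space-indented `$path .= ":id=..."` line, which is welcome.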
-- 
2.11.0