* running without cephx
From: Dan Mick @ 2012-10-23 20:14 UTC (permalink / raw)
To: ceph-devel
So, I've discovered that to make "no cephx" work, you need to explicitly
set "none" for the three options (thanks to Yehuda for the tip):
auth cluster required = none
auth service required = none
auth supported = none
Since "blank" is not an error, but leads to a disagreement about
authentication that's fairly hard to diagnose, should we make it an
error to specify a blank entry for those items?
I'll also be hacking at vstart.sh to set things this way in the presence
of -X.
* Re: running without cephx
From: Yehuda Sadeh @ 2012-10-23 20:22 UTC (permalink / raw)
To: Dan Mick; +Cc: ceph-devel
On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote:
> So, I've discovered that to make "no cephx" work, you need to explicitly set
> "none" for the three options (thanks to Yehuda for the tip):
>
> auth cluster required = none
> auth service required = none
> auth supported = none
>
> Since "blank" is not an error, but leads to a disagreement about
> authentication that's fairly hard to diagnose, should we make it an error to
> specify a blank entry for those items?
>
Maybe fix it so that blank entries would be equivalent to 'none'?
Yehuda
* Re: running without cephx
From: Yehuda Sadeh @ 2012-10-23 20:24 UTC (permalink / raw)
To: Dan Mick; +Cc: ceph-devel
On Tue, Oct 23, 2012 at 1:22 PM, Yehuda Sadeh <yehuda@inktank.com> wrote:
> On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote:
>> So, I've discovered that to make "no cephx" work, you need to explicitly set
>> "none" for the three options (thanks to Yehuda for the tip):
>>
>> auth cluster required = none
>> auth service required = none
>> auth supported = none
>>
>> Since "blank" is not an error, but leads to a disagreement about
>> authentication that's fairly hard to diagnose, should we make it an error to
>> specify a blank entry for those items?
>>
> Maybe fix it so that blank entries would be equivalent to 'none'?
>
> Yehuda
That should do it:
diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc
index e23ac40..53c8d66 100644
--- a/src/auth/AuthMethodList.cc
+++ b/src/auth/AuthMethodList.cc
@@ -35,6 +35,8 @@ AuthMethodList::AuthMethodList(CephContext *cct, string str)
lderr(cct) << "WARNING: unknown auth protocol defined: " <<
*iter << dendl;
}
}
+ if (auth_supported.empty())
+ auth_supported.push_back(CEPH_AUTH_NONE);
}
bool AuthMethodList::is_supported_auth(int auth_type)
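Review bot: The `auth_supported.empty()` check added after the parsing loop cannot tell a blank option from one whose entries were all rejected by the "unknown auth protocol" branch just above it, so a misspelled method name would end up as CEPH_AUTH_NONE with only that warning in the log. Consider applying the fallback only when the input `str` itself is empty and treating a non-empty string that yields no known method as an error; a log line when the default is applied would also make the downgrade to no authentication visible, which is the diagnosability problem this thread started from.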
* Re: running without cephx
From: Joao Eduardo Luis @ 2012-10-23 20:51 UTC (permalink / raw)
To: Yehuda Sadeh; +Cc: Dan Mick, ceph-devel
On 10/23/2012 09:24 PM, Yehuda Sadeh wrote:
> On Tue, Oct 23, 2012 at 1:22 PM, Yehuda Sadeh <yehuda@inktank.com> wrote:
>> On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote:
>>> So, I've discovered that to make "no cephx" work, you need to explicitly set
>>> "none" for the three options (thanks to Yehuda for the tip):
>>>
>>> auth cluster required = none
>>> auth service required = none
>>> auth supported = none
>>>
>>> Since "blank" is not an error, but leads to a disagreement about
>>> authentication that's fairly hard to diagnose, should we make it an error to
>>> specify a blank entry for those items?
>>>
>> Maybe fix it so that blank entries would be equivalent to 'none'?
>>
>> Yehuda
>
> That should do it:
>
> diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc
> index e23ac40..53c8d66 100644
> --- a/src/auth/AuthMethodList.cc
> +++ b/src/auth/AuthMethodList.cc
> @@ -35,6 +35,8 @@ AuthMethodList::AuthMethodList(CephContext *cct, string str)
> lderr(cct) << "WARNING: unknown auth protocol defined: " <<
> *iter << dendl;
> }
> }
> + if (auth_supported.empty())
> + auth_supported.push_back(CEPH_AUTH_NONE);
> }
>
> bool AuthMethodList::is_supported_auth(int auth_type)
I, for one, believe that when it comes to configuration files, leaving
blank values defaulting to something is not the best idea. I would
rather have a blank value spitting out an error, as it gives room for
someone leaving it blank assuming it will use 'none', as others may
assume it will default to 'cephx'.
-Joao
* Re: running without cephx
From: Sage Weil @ 2012-10-23 21:53 UTC (permalink / raw)
To: Joao Eduardo Luis; +Cc: Yehuda Sadeh, Dan Mick, ceph-devel
On Tue, 23 Oct 2012, Joao Eduardo Luis wrote:
> On 10/23/2012 09:24 PM, Yehuda Sadeh wrote:
> > On Tue, Oct 23, 2012 at 1:22 PM, Yehuda Sadeh <yehuda@inktank.com> wrote:
> >> On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote:
> >>> So, I've discovered that to make "no cephx" work, you need to explicitly set
> >>> "none" for the three options (thanks to Yehuda for the tip):
> >>>
> >>> auth cluster required = none
> >>> auth service required = none
> >>> auth supported = none
> >>>
> >>> Since "blank" is not an error, but leads to a disagreement about
> >>> authentication that's fairly hard to diagnose, should we make it an error to
> >>> specify a blank entry for those items?
> >>>
> >> Maybe fix it so that blank entries would be equivalent to 'none'?
> >>
> >> Yehuda
> >
> > That should do it:
> >
> > diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc
> > index e23ac40..53c8d66 100644
> > --- a/src/auth/AuthMethodList.cc
> > +++ b/src/auth/AuthMethodList.cc
> > @@ -35,6 +35,8 @@ AuthMethodList::AuthMethodList(CephContext *cct, string str)
> > lderr(cct) << "WARNING: unknown auth protocol defined: " <<
> > *iter << dendl;
> > }
> > }
> > + if (auth_supported.empty())
> > + auth_supported.push_back(CEPH_AUTH_NONE);
> > }
> >
> > bool AuthMethodList::is_supported_auth(int auth_type)
>
> I, for one, believe that when it comes to configuration files, leaving
> blank values defaulting to something is not the best idea. I would
> rather have a blank value spitting out an error, as it gives room for
> someone leaving it blank assuming it will use 'none', as others may
> assume it will default to 'cephx'.
The situation before 66bda162e1acad34d37fa97e3a91e277df174f42 was
auth cluster required =
auth service required =
auth supported = none
Now it is
auth cluster required = cephx
auth service required = cephx
auth supported =
(auth support is the deprecated option that kicks in if 'auth * required'
is blank).
Perhaps just documenting the first above block as the way to disable cephx
is the way to go.
sage
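An added example, not part of the thread and not Ceph's own code: a small audit that resolves the effective auth method from a ceph.conf `[global]` section using the precedence Sage describes above (a blank `auth * required` falls back to the deprecated `auth supported`) and flags blank, disabled and disagreeing settings. The names `load_global` and `audit_auth` are hypothetical, the defaults are the ones his message lists for builds after the commit he names, and each option is assumed to hold a single method.

```python
import configparser

# Defaults after the commit Sage names, as his message lists them.
DEFAULTS = {"auth cluster required": "cephx",
            "auth service required": "cephx",
            "auth supported": ""}
REQUIRED = ("auth cluster required", "auth service required")

# Constructed sample: the pre-commit layout from Sage's message.
BEFORE = ("[global]\n"
          "auth cluster required =\n"
          "auth service required =\n"
          "auth supported = none\n")
# Constructed sample: one option blanked, nothing for it to fall back to.
MIXED = ("[global]\n"
         "auth cluster required =\n"
         "auth service required = cephx\n")


def load_global(conf_text):
    """Return [global] options; '_' and ' ' in option names are treated alike."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("global"):
        return {}
    return {k.replace("_", " "): v.strip() for k, v in cp.items("global")}


def audit_auth(conf_text):
    """Return (effective, findings) for the auth options in conf_text."""
    opts = load_global(conf_text)
    fallback = opts.get("auth supported", DEFAULTS["auth supported"])
    effective, findings = {}, []
    for key in REQUIRED:
        value = opts.get(key, DEFAULTS[key])
        if key in opts and value == "":
            # A blank entry hands the decision to the deprecated option.
            findings.append(f"{key}: blank, falls back to 'auth supported'")
            value = fallback
        if value == "":
            findings.append(f"{key}: no method resolved, set it explicitly")
            value = None
        elif value == "none":
            findings.append(f"{key}: authentication disabled")
        effective[key] = value
    if len(set(effective.values())) > 1:
        findings.append("cluster and service requirements disagree")
    return effective, findings
```
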