* running without cephx
@ 2012-10-23 20:14 Dan Mick
2012-10-23 20:22 ` Yehuda Sadeh
0 siblings, 1 reply; 5+ messages in thread
From: Dan Mick @ 2012-10-23 20:14 UTC (permalink / raw)
To: ceph-devel
So, I've discovered that to make "no cephx" work, you need to explicitly
set "none" for the three options (thanks to Yehuda for the tip):
auth cluster required = none
auth service required = none
auth supported = none
Since "blank" is not an error, but leads to a disagreement about
authentication that's fairly hard to diagnose, should we make it an
error to specify a blank entry for those items?
I'll also be hacking at vstart.sh to set things this way in the presence
of -X.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: running without cephx 2012-10-23 20:14 running without cephx Dan Mick @ 2012-10-23 20:22 ` Yehuda Sadeh 2012-10-23 20:24 ` Yehuda Sadeh 0 siblings, 1 reply; 5+ messages in thread From: Yehuda Sadeh @ 2012-10-23 20:22 UTC (permalink / raw) To: Dan Mick; +Cc: ceph-devel On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote: > So, I've discovered that to make "no cephx" work, you need to explicitly set > "none" for the three options (thanks to Yehuda for the tip): > > auth cluster required = none > auth service required = none > auth supported = none > > Since "blank" is not an error, but leads to a disagreement about > authentication that's fairly hard to diagnose, should we make it an error to > specify a blank entry for those items? > Maybe fix it so that blank entries would be equivalent to 'none'? Yehuda ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: running without cephx 2012-10-23 20:22 ` Yehuda Sadeh @ 2012-10-23 20:24 ` Yehuda Sadeh 2012-10-23 20:51 ` Joao Eduardo Luis 0 siblings, 1 reply; 5+ messages in thread From: Yehuda Sadeh @ 2012-10-23 20:24 UTC (permalink / raw) To: Dan Mick; +Cc: ceph-devel On Tue, Oct 23, 2012 at 1:22 PM, Yehuda Sadeh <yehuda@inktank.com> wrote: > On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote: >> So, I've discovered that to make "no cephx" work, you need to explicitly set >> "none" for the three options (thanks to Yehuda for the tip): >> >> auth cluster required = none >> auth service required = none >> auth supported = none >> >> Since "blank" is not an error, but leads to a disagreement about >> authentication that's fairly hard to diagnose, should we make it an error to >> specify a blank entry for those items? >> > Maybe fix it so that blank entries would be equivalent to 'none'? > > Yehuda That should do it: diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc index e23ac40..53c8d66 100644 --- a/src/auth/AuthMethodList.cc +++ b/src/auth/AuthMethodList.cc @@ -35,6 +35,8 @@ AuthMethodList::AuthMethodList(CephContext *cct, string str) lderr(cct) << "WARNING: unknown auth protocol defined: " << *iter << dendl; } } + if (auth_supported.empty()) + auth_supported.push_back(CEPH_AUTH_NONE); } bool AuthMethodList::is_supported_auth(int auth_type) ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: running without cephx 2012-10-23 20:24 ` Yehuda Sadeh @ 2012-10-23 20:51 ` Joao Eduardo Luis 2012-10-23 21:53 ` Sage Weil 0 siblings, 1 reply; 5+ messages in thread From: Joao Eduardo Luis @ 2012-10-23 20:51 UTC (permalink / raw) To: Yehuda Sadeh; +Cc: Dan Mick, ceph-devel On 10/23/2012 09:24 PM, Yehuda Sadeh wrote: > On Tue, Oct 23, 2012 at 1:22 PM, Yehuda Sadeh <yehuda@inktank.com> wrote: >> On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote: >>> So, I've discovered that to make "no cephx" work, you need to explicitly set >>> "none" for the three options (thanks to Yehuda for the tip): >>> >>> auth cluster required = none >>> auth service required = none >>> auth supported = none >>> >>> Since "blank" is not an error, but leads to a disagreement about >>> authentication that's fairly hard to diagnose, should we make it an error to >>> specify a blank entry for those items? >>> >> Maybe fix it so that blank entries would be equivalent to 'none'? >> >> Yehuda > > That should do it: > > diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc > index e23ac40..53c8d66 100644 > --- a/src/auth/AuthMethodList.cc > +++ b/src/auth/AuthMethodList.cc > @@ -35,6 +35,8 @@ AuthMethodList::AuthMethodList(CephContext *cct, string str) > lderr(cct) << "WARNING: unknown auth protocol defined: " << > *iter << dendl; > } > } > + if (auth_supported.empty()) > + auth_supported.push_back(CEPH_AUTH_NONE); > } > > bool AuthMethodList::is_supported_auth(int auth_type) I, for one, believe that when it comes to configuration files, leaving blank values defaulting to something is not the best idea. I would rather have a blank value spitting out an error, as it gives room for someone leaving it blank assuming it will use 'none', as others may assume it will default to 'cephx'. -Joao ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: running without cephx 2012-10-23 20:51 ` Joao Eduardo Luis @ 2012-10-23 21:53 ` Sage Weil 0 siblings, 0 replies; 5+ messages in thread From: Sage Weil @ 2012-10-23 21:53 UTC (permalink / raw) To: Joao Eduardo Luis; +Cc: Yehuda Sadeh, Dan Mick, ceph-devel On Tue, 23 Oct 2012, Joao Eduardo Luis wrote: > On 10/23/2012 09:24 PM, Yehuda Sadeh wrote: > > On Tue, Oct 23, 2012 at 1:22 PM, Yehuda Sadeh <yehuda@inktank.com> wrote: > >> On Tue, Oct 23, 2012 at 1:14 PM, Dan Mick <dan.mick@inktank.com> wrote: > >>> So, I've discovered that to make "no cephx" work, you need to explicitly set > >>> "none" for the three options (thanks to Yehuda for the tip): > >>> > >>> auth cluster required = none > >>> auth service required = none > >>> auth supported = none > >>> > >>> Since "blank" is not an error, but leads to a disagreement about > >>> authentication that's fairly hard to diagnose, should we make it an error to > >>> specify a blank entry for those items? > >>> > >> Maybe fix it so that blank entries would be equivalent to 'none'? > >> > >> Yehuda > > > > That should do it: > > > > diff --git a/src/auth/AuthMethodList.cc b/src/auth/AuthMethodList.cc > > index e23ac40..53c8d66 100644 > > --- a/src/auth/AuthMethodList.cc > > +++ b/src/auth/AuthMethodList.cc > > @@ -35,6 +35,8 @@ AuthMethodList::AuthMethodList(CephContext *cct, string str) > > lderr(cct) << "WARNING: unknown auth protocol defined: " << > > *iter << dendl; > > } > > } > > + if (auth_supported.empty()) > > + auth_supported.push_back(CEPH_AUTH_NONE); > > } > > > > bool AuthMethodList::is_supported_auth(int auth_type) > > I, for one, believe that when it comes to configuration files, leaving > blank values defaulting to something is not the best idea. I would > rather have a blank value spitting out an error, as it gives room for > someone leaving it blank assuming it will use 'none', as others may > assume it will default to 'cephx'. The situation before 66bda162e1acad34d37fa97e3a91e277df174f42 was auth cluster required = auth service required = auth supported = none Now it is auth cluster required = cephx auth service required = cephx auth supported = (auth support is the deprecated option that kicks in if 'auth * required' is blank). Perhaps just documenting the first above block as the way to disable cephx is the way to go. sage ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-10-23 21:53 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-10-23 20:14 running without cephx Dan Mick 2012-10-23 20:22 ` Yehuda Sadeh 2012-10-23 20:24 ` Yehuda Sadeh 2012-10-23 20:51 ` Joao Eduardo Luis 2012-10-23 21:53 ` Sage Weil
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.