Bug #38528
closed
mgr/dashboard: Unable to disable SSL support
Description
I did some local testing in a vstart environment (which automatically starts an SSL-enabled dashboard) and noticed the following: running "ceph config set mgr mgr/dashboard/ssl false" does not seem to have an effect at all. After restarting the dashboard via "ceph mgr module disable/enable dashboard", it still uses SSL:
╰─# ./bin/ceph mgr services
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:52:18.553 7f3ba1ce1700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:52:18.601 7f3ba1ce1700 -1 WARNING: all dangerous and experimental features are enabled.
{
    "dashboard": "https://localhost:41106/",
    "prometheus": "http://localhost:9283/",
    "restful": "https://ceph-1:42106/"
}
╭─root@ceph-1 /ceph/build ‹master*›
╰─#
╭─root@ceph-1 /ceph/build ‹master*›
╰─# ./bin/ceph mgr services
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:54:31.093 7f0e44055700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:54:31.137 7f0e44055700 -1 WARNING: all dangerous and experimental features are enabled.
{
    "dashboard": "https://localhost:41106/",
    "prometheus": "http://localhost:9283/",
    "restful": "https://ceph-1:42106/"
}
╭─root@ceph-1 /ceph/build ‹master*›
╰─# ./bin/ceph config set mgr mgr/dashboard/ssl false
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:54:36.073 7fe48ebc2700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:54:36.133 7fe48ebc2700 -1 WARNING: all dangerous and experimental features are enabled.
╭─root@ceph-1 /ceph/build ‹master*›
╰─# ./bin/ceph mgr module disable dashboard
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:54:47.042 7fb4049b9700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:54:47.102 7fb4049b9700 -1 WARNING: all dangerous and experimental features are enabled.
╭─root@ceph-1 /ceph/build ‹master*›
╰─# ./bin/ceph mgr module enable dashboard
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:55:02.970 7f39fa00d700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:55:03.034 7f39fa00d700 -1 WARNING: all dangerous and experimental features are enabled.
╭─root@ceph-1 /ceph/build ‹master*›
╰─# ./bin/ceph mgr services
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:55:18.994 7fd1e4ca0700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:55:19.042 7fd1e4ca0700 -1 WARNING: all dangerous and experimental features are enabled.
{
    "dashboard": "https://localhost:41106/",
    "prometheus": "http://localhost:9283/",
    "restful": "https://ceph-1:42106/"
}
Updated by Volker Theile about 5 years ago
As a temporary workaround use the following key:
mgr/dashboard/<MGR_ID>/ssl
Example (using vstart cluster):
$ ceph config set mgr mgr/dashboard/x/ssl false
Updated by Volker Theile about 5 years ago
I think this issue is a generic problem with how module config options are handled now.
The current issue is caused because of this:
The global config kv-store is queried for the localized module option. The key is 'mgr/dashboard/<MGR_ID>/ssl' in this case. If this is not set then the current implementation looks for the key 'ssl' in the local MODULE_OPTIONS kv-store, and there the value is defined as 'True'. See https://github.com/ceph/ceph/blob/master/src/pybind/mgr/mgr_module.py#L907 and https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/module.py#L258 for the code. If there were no default value, the current implementation would do another query in the global kv-store with the key 'mgr/dashboard/ssl' which would finally return the configured and expected value 'False'.
Updated by Volker Theile about 5 years ago
Added comment to the commit that is responsible for this behaviour:
https://github.com/ceph/ceph/commit/0f814f38e5d811d84fe07fe2d443c1038d53ca9a
https://github.com/ceph/ceph/commit/0f814f38e5d811d84fe07fe2d443c1038d53ca9a#r32541122
The previously intended workflow of ``get_localized_module_option()`` that would look up localized config options with a fallback to global config options is broken now if there is a ``default`` defined in ``MODULE_OPTIONS``. The problem is that a user must explicitly configure the localized key if he wants to override something; it's not possible anymore to use the global key to do that IF there is a default set in ``MODULE_OPTIONS``.
Let's assume the following scenario:
- 'ssl' in MODULE_OPTIONS defaults to 'True'
- User configures 'mgr/dashboard/ssl' to 'False'
The module implementation queries the localized config option via ``get_localized_module_option()``. In this case the following happens:
1) get_localized_module_option(key='ssl', default='True')
2) _get_localized(key='ssl', default='True', setter=_get_module_option)
3) _get_module_option(key='<MGR_ID>/ssl', default=None)
4) _ceph_get_module_option('dashboard', '<MGR_ID>/ssl') returns None
5) MODULE_OPTION_DEFAULTS.get('ssl', None) returns True
Finally the caller of the function will get 'True', but this is not the expected result IMHO. I expected to get ``False`` from ``mgr/dashboard/ssl``.
If ``ssl`` weren't configured in ``MODULE_OPTIONS``, then the following code path would be executed and return the expected value.
5) MODULE_OPTION_DEFAULTS.get('ssl', None) returns None
6) _get_module_option(key='ssl', 'True') returns False
I don't know if you had this in mind when implementing this feature. If this is the intended behavior, then we should explicitly document this somewhere.
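The lookup order traced in the comment above, as an added example that is not part of the ticket and is not Ceph's `mgr_module.py`: a dict-backed model showing why the global key is shadowed by the module default, and how the localized workaround key avoids it. `ConfigStore`, `raw_get`, `get_localized_buggy`, `get_localized_expected` and `demo` are hypothetical names, and the "expected" order is the one the commenter describes, not necessarily what the pull request implemented.

```python
# Simplified model of the lookup order described in this ticket.
# Not Ceph code: the class, the dict-backed store and all function
# names here are assumptions made for illustration.

MODULE_OPTION_DEFAULTS = {"ssl": True}   # default declared in MODULE_OPTIONS


class ConfigStore:
    """Stands in for the global config kv-store of one mgr module."""

    def __init__(self, module, mgr_id):
        self.module, self.mgr_id, self.kv = module, mgr_id, {}

    def raw_get(self, key):
        # Analogue of _ceph_get_module_option(): None when the key is unset.
        return self.kv.get(f"mgr/{self.module}/{key}")


def get_localized_buggy(store, key, defaults):
    """Order from the ticket: localized key, module default, global key."""
    value = store.raw_get(f"{store.mgr_id}/{key}")
    if value is None:
        value = defaults.get(key)      # step 5: a declared default wins here
    if value is None:
        value = store.raw_get(key)     # only reached when no default exists
    return value


def get_localized_expected(store, key, defaults):
    """Order the commenter expected: localized key, global key, default."""
    for candidate in (f"{store.mgr_id}/{key}", key):
        value = store.raw_get(candidate)
        if value is not None:
            return value
    return defaults.get(key)


def demo():
    store = ConfigStore("dashboard", "x")          # 'x' is the vstart mgr id
    store.kv["mgr/dashboard/ssl"] = False          # global override only
    results = {
        "buggy": get_localized_buggy(store, "ssl", MODULE_OPTION_DEFAULTS),
        "buggy_no_default": get_localized_buggy(store, "ssl", {}),
        "expected": get_localized_expected(store, "ssl", MODULE_OPTION_DEFAULTS),
    }
    store.kv["mgr/dashboard/x/ssl"] = False        # workaround: localized key
    results["workaround"] = get_localized_buggy(
        store, "ssl", MODULE_OPTION_DEFAULTS)
    return results
```

The same shadowing applies in the other direction: with this lookup order, a globally configured value for any option that has a module default is ignored without an error, so the effective setting should be checked from the running service (for example with `ceph mgr services`) rather than from the stored config.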
Updated by Sebastian Wagner about 5 years ago
- Related to Bug #24674: mgr/dashboard: Unable to disable SSL for proxy environments added
Updated by Volker Theile about 5 years ago
- Related to Bug #38560: mgr: get_localized_module_option function is broken added
Updated by Volker Theile about 5 years ago
- Status changed from New to Resolved
- Pull request ID set to 26736
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard