Project

General

Profile

Bug #38528

mgr/dashboard: Unable to disable SSL support

Added by Lenz Grimmer 4 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
-
Target version:
Start date:
03/01/2019
Due date:
% Done:

0%

Source:
Tags:
Backport:
Regression:
Yes
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

I did some local testing in a vstart environment (which automatically starts an SSL-enabled dashboard) and noticed the following: running "ceph config set mgr mgr/dashboard/ssl false" does not seem to have an effect at all. After restarting the dashboard via "ceph mgr module disable/enable dashboard", it still uses SSL:

╰─# ./bin/ceph mgr services                          
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:52:18.553 7f3ba1ce1700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:52:18.601 7f3ba1ce1700 -1 WARNING: all dangerous and experimental features are enabled.
{
    "dashboard": "https://localhost:41106/",
    "prometheus": "http://localhost:9283/",
    "restful": "https://ceph-1:42106/" 
}
╭─root@ceph-1 /ceph/build  ‹master*› 
╰─# 
╭─root@ceph-1 /ceph/build  ‹master*› 
╰─# ./bin/ceph mgr services
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:54:31.093 7f0e44055700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:54:31.137 7f0e44055700 -1 WARNING: all dangerous and experimental features are enabled.
{
    "dashboard": "https://localhost:41106/",
    "prometheus": "http://localhost:9283/",
    "restful": "https://ceph-1:42106/" 
}
╭─root@ceph-1 /ceph/build  ‹master*› 
╰─# ./bin/ceph config set mgr mgr/dashboard/ssl false
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:54:36.073 7fe48ebc2700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:54:36.133 7fe48ebc2700 -1 WARNING: all dangerous and experimental features are enabled.
╭─root@ceph-1 /ceph/build  ‹master*› 
╰─# ./bin/ceph mgr module disable dashboard          
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:54:47.042 7fb4049b9700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:54:47.102 7fb4049b9700 -1 WARNING: all dangerous and experimental features are enabled.
╭─root@ceph-1 /ceph/build  ‹master*› 
╰─# ./bin/ceph mgr module enable dashboard           
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:55:02.970 7f39fa00d700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:55:03.034 7f39fa00d700 -1 WARNING: all dangerous and experimental features are enabled.
╭─root@ceph-1 /ceph/build  ‹master*› 
╰─# ./bin/ceph mgr services                          
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
2019-02-28 17:55:18.994 7fd1e4ca0700 -1 WARNING: all dangerous and experimental features are enabled.
2019-02-28 17:55:19.042 7fd1e4ca0700 -1 WARNING: all dangerous and experimental features are enabled.
{
    "dashboard": "https://localhost:41106/",
    "prometheus": "http://localhost:9283/",
    "restful": "https://ceph-1:42106/" 
}
<pre>

Related issues

Related to mgr - Bug #24674: mgr/dashboard: Unable to disable SSL for proxy environments Resolved 06/27/2018
Related to mgr - Bug #38560: mgr: get_localized_module_option function is broken Resolved 03/04/2019

History

#1 Updated by Volker Theile 4 months ago

As a temporary workaround use the following key:

mgr/dashboard/<MGR_ID>/ssl

Example (using vstart cluster):
$ ceph config set mgr mgr/dashboard/x/ssl false

#2 Updated by Volker Theile 4 months ago

I think this issue in a generic problem how module config options are handled now.

The current issue is caused because of this:

The global config kv-store is queried for the localized module option. The key is 'mgr/dashboard/<MGR_ID>/ssl' in this case. If this is not set then the current implementation looks for the key 'ssl' in the local MODULE_OPTIONS kv-store, and there the value is defined as 'True'. See https://github.com/ceph/ceph/blob/master/src/pybind/mgr/mgr_module.py#L907 and https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/module.py#L258 for the code. If there were no default value, the current implementation would do another query in the global kv-store with the key 'mgr/dashboard/ssl' which would finally return the configured and expected value 'False'.

#3 Updated by Volker Theile 4 months ago

Added comment to the commit that is responsible for this behaviour:

https://github.com/ceph/ceph/commit/0f814f38e5d811d84fe07fe2d443c1038d53ca9a
https://github.com/ceph/ceph/commit/0f814f38e5d811d84fe07fe2d443c1038d53ca9a#r32541122

The previously intended workflow of ``get_localized_module_option()`` that would lookup for localized config options with a fallback to global config options is broken now if there is a ``default`` defined in ``MODULE_OPTIONS``. The problem is that a user must explicitly configure the localized key if he wants to override something, it's not possible anymore to use the global key to do that IF there is a default set in ``MODULE_OPTIONS``.

Let's assume the following scenario:

- 'ssl' in MODULE_OPTIONS defaults to 'True'
- User configures 'mgr/dashboard/ssl' to 'False'

The module implementation queries the localized config option via
``get_localized_module_option()``. In this case the following happens:

1) get_localized_module_option(key='ssl', default='True')
2) _get_localized(key='ssl', default='True', setter=_get_module_option)
3) _get_module_option(key='<MGR_ID>/ssl', default=None)
4) _ceph_get_module_option('dashboard', '<MGR_ID>/ssl') returns None
5) MODULE_OPTION_DEFAULTS.get('ssl', None) returns True

Finally the called of the function will get 'True', but this is not the expected result IMHO. I expected to get ``False`` from ``mgr/dashboard/ssl``.

If ``ssl`` wouldn't be configured in ``MODULE_OPTIONS``, then the following code
path will be executed and returns the expected value.

5) MODULE_OPTION_DEFAULTS.get('ssl', None) returns None
6) _get_module_option(key='ssl', 'True') returns False

I don't know if you have this in mind when implementing this feature. If this is the intended behavior, then we should explicitly document this somewhere.

#4 Updated by Sebastian Wagner 4 months ago

  • Related to Bug #24674: mgr/dashboard: Unable to disable SSL for proxy environments added

#5 Updated by Volker Theile 4 months ago

  • Related to Bug #38560: mgr: get_localized_module_option function is broken added

#6 Updated by Volker Theile 3 months ago

  • Status changed from New to Resolved
  • Pull request ID set to 26736

Also available in: Atom PDF