Ceph » mgr

cephadm has already support to enable security across all the monitoring stack (including all the components). The configuration variable is mgr/cephadm/secure_monitoring_stack maybe it's just a documentation effort in this case.

Redouane Kachach Elhichou wrote:

cephadm has already support to enable security across all the monitoring stack (including all the components). The configuration variable is mgr/cephadm/secure_monitoring_stack maybe it's just a documentation effort in this case.

I am not sure really. What does this setting actually do for the various components?

Looking at https://github.com/ceph/ceph/blob/main/src/pybind/mgr/cephadm/services/monitoring.py it appears it's using https to reach the service_discovery of the mgr or adds authentication to Prometheus + Alertmanager.

But is there any TLS added? Looking at https://docs.ceph.com/en/reef/mgr/dashboard/#dashboard-ssl-tls-support I see that the dashboards does support TLS certificates. But the Prometheus module apparently does not have this capability: https://docs.ceph.com/en/reef/mgr/prometheus/#prometheus-module

Also the ceph-exporter distributed to Ceph node and exposes metrics for the local Ceph daemons. But it seems there is no authentication or TLS encryption support if you look at the code and the configuration options: https://github.com/ceph/ceph/blob/main/src/exporter/ceph_exporter.cc

Christian Rohmann wrote:

Redouane Kachach Elhichou wrote:

cephadm has already support to enable security across all the monitoring stack (including all the components). The configuration variable is mgr/cephadm/secure_monitoring_stack maybe it's just a documentation effort in this case.

I am not sure really. What does this setting actually do for the various components?

It enables security (SSL/TLS and basic auth) for all the monitoring components.

Looking at https://github.com/ceph/ceph/blob/main/src/pybind/mgr/cephadm/services/monitoring.py it appears it's using https to reach the service_discovery of the mgr or adds authentication to Prometheus + Alertmanager.

But is there any TLS added? Looking at https://docs.ceph.com/en/reef/mgr/dashboard/#dashboard-ssl-tls-support I see that the dashboards does support TLS certificates. But the Prometheus module apparently does not have this capability: https://docs.ceph.com/en/reef/mgr/prometheus/#prometheus-module

That's right. Docs need to be updated to reflect how to enable security and how the components are impacted.

Also the ceph-exporter distributed to Ceph node and exposes metrics for the local Ceph daemons. But it seems there is no authentication or TLS encryption support if you look at the code and the configuration options: https://github.com/ceph/ceph/blob/main/src/exporter/ceph_exporter.cc

That's a known issue. In case of small clusters you can disable ceph-exporter by using exclude_perf_counters configuration parameter: https://docs.ceph.com/en/latest/mgr/prometheus/#confval-mgr-prometheus-exclude_perf_counters

Redouane Kachach Elhichou wrote:

But is there any TLS added? Looking at https://docs.ceph.com/en/reef/mgr/dashboard/#dashboard-ssl-tls-support I see that the dashboards does support TLS certificates. But the Prometheus module apparently does not have this capability: https://docs.ceph.com/en/reef/mgr/prometheus/#prometheus-module

That's right. Docs need to be updated to reflect how to enable security and how the components are impacted.

So the prometheus mgr module actually does support TLS? Just to serve or also for client cert auth?
Is there any issue tracking these missing docs?

Also the ceph-exporter distributed to Ceph node and exposes metrics for the local Ceph daemons. But it seems there is no authentication or TLS encryption support if you look at the code and the configuration options: https://github.com/ceph/ceph/blob/main/src/exporter/ceph_exporter.cc

That's a known issue. In case of small clusters you can disable ceph-exporter by using exclude_perf_counters configuration parameter: https://docs.ceph.com/en/latest/mgr/prometheus/#confval-mgr-prometheus-exclude_perf_counters

If this is a known issue, is there an issue or Trello card to track?

Christian Rohmann wrote:

Redouane Kachach Elhichou wrote:

But is there any TLS added? Looking at https://docs.ceph.com/en/reef/mgr/dashboard/#dashboard-ssl-tls-support I see that the dashboards does support TLS certificates. But the Prometheus module apparently does not have this capability: https://docs.ceph.com/en/reef/mgr/prometheus/#prometheus-module

That's right. Docs need to be updated to reflect how to enable security and how the components are impacted.

So the prometheus mgr module actually does support TLS? Just to serve or also for client cert auth?
Is there any issue tracking these missing docs?

No, there's not. I'm going to open ticket this week (and probably also submit the docs PR).

Also the ceph-exporter distributed to Ceph node and exposes metrics for the local Ceph daemons. But it seems there is no authentication or TLS encryption support if you look at the code and the configuration options: https://github.com/ceph/ceph/blob/main/src/exporter/ceph_exporter.cc

That's a known issue. In case of small clusters you can disable ceph-exporter by using exclude_perf_counters configuration parameter: https://docs.ceph.com/en/latest/mgr/prometheus/#confval-mgr-prometheus-exclude_perf_counters

If this is a known issue, is there an issue or Trello card to track?

I had some discussions with the developer working on ceph-exporter about the lack of SSL/TLS and we agreed that he will be opening a tracker for that. However I can't find the issue. I'll double check with him.

Anyway, I'll recommend playing with the security feature by enabling the mgr/cephadm/secure_monitoring_stack and see if that fullfill your needs or not. It's relatively a new feature and any kind of feedback will be more than welcome.

Redouane Kachach Elhichou wrote in #note-5:

Christian Rohmann wrote:

Redouane Kachach Elhichou wrote:

So the prometheus mgr module actually does support TLS? Just to serve or also for client cert auth?
Is there any issue tracking these missing docs?

No, there's not. I'm going to open ticket this week (and probably also submit the docs PR).

May I ask if you did you open a ticket about adding support for TLS (server and client certs) to mgr/prometheus?