Bug #24228: RGW fails to start on Fedora 28 from default configuration - rgw - Ceph

Actions

Copy link

Bug #24228

closed

RGW fails to start on Fedora 28 from default configuration

Added by Marc Spencer almost 6 years ago. Updated about 5 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Matt Benjamin

Target version:

% Done:

Source:

Community (user)

Tags:

Backport:

mimic luminous

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

Ceph - v12.2.5

ceph-qa-suite:

Pull request ID:

25796

Crash signature (v1):

Crash signature (v2):

Description

The default configuration for rgw_ldap_secret seems to be set to /etc/openldap/secret, which on my system is empty:

ceph-conf -D | grep ldap
rgw_ldap_binddn = uid=admin,cn=users,dc=example,dc=com
rgw_ldap_dnattr = uid
rgw_ldap_searchdn = cn=users,cn=accounts,dc=example,dc=com
rgw_ldap_searchfilter =
rgw_ldap_secret = /etc/openldap/secret
rgw_ldap_uri = ldaps://<ldap.your.domain>
rgw_s3_auth_use_ldap = false

cat /etc/openldap/secret
cat: /etc/openldap/secret: No such file or directory

The code assumes that if it is set, the named file has content. Since it doesn’t, safe_read_file() asserts.

I set it to nothing (rgw_ldap_secret = ) in my configuration, and everything seems happy.

std::string parse_rgw_ldap_bindpw(CephContext* ctx) {
string ldap_bindpw;
string ldap_secret = ctx->_conf->rgw_ldap_secret;

if (ldap_secret.empty()) {
    ldout(ctx, 10)
      << func << " LDAP auth no rgw_ldap_secret file found in conf" 
      << dendl;
    } else {
      char bindpw[1024];
      memset(bindpw, 0, 1024);
      int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(),
                                 bindpw, 1023);
    if (pwlen) {
      ldap_bindpw = bindpw;
      boost::algorithm::trim(ldap_bindpw);
      if (ldap_bindpw.back() == '\n')
        ldap_bindpw.pop_back();
    }
  }

return ldap_bindpw;
}

Related issues 3 (0 open — 3 closed)

Actions

Copy link

Updated by Abhishek Lekshmanan almost 6 years ago

Assignee set to Matt Benjamin

Actions

Copy link

Updated by Giulio Fidente over 5 years ago

I am not sure how the /etc/openldap/secret default was chosen but the code does indeed have a check to exit in case the value is unset; would it make sense to default rgw_ldap_secret to empty string instead?

Actions

Copy link

Updated by Giulio Fidente over 5 years ago

Giulio Fidente wrote:

I am not sure how the /etc/openldap/secret default was chosen but the code does indeed have a check to exit in case the value is unset; would it make sense to default rgw_ldap_secret to empty string instead?

to me it's also unclear why that code is executing at all given [1]

1. https://github.com/ceph/ceph/blob/luminous/src/rgw/rgw_auth_s3.h#L82-L85

Actions

Copy link

Updated by Matt Benjamin over 5 years ago

Status changed from New to In Progress

The crash is easy to avoid (Casey's check for negative pwlen is fine), but agree, we also should not enter this code unless rgw_s3_auth_use_ldap is true in the config, which presumably is not the case. Will resolve.

Matt

Actions

Copy link