Bug #24228

RGW fails to start on Fedora 28 from default configuration

Added by Marc Spencer about 1 year ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 05/22/2018
Due date:
% Done: 0%
Source: Community (user)
Tags:
Backport: mimic luminous
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

The default configuration for rgw_ldap_secret seems to be set to /etc/openldap/secret, which on my system is empty:

    # ceph-conf -D | grep ldap
    rgw_ldap_binddn = uid=admin,cn=users,dc=example,dc=com
    rgw_ldap_dnattr = uid
    rgw_ldap_searchdn = cn=users,cn=accounts,dc=example,dc=com
    rgw_ldap_searchfilter =
    rgw_ldap_secret = /etc/openldap/secret
    rgw_ldap_uri = ldaps://<ldap.your.domain>
    rgw_s3_auth_use_ldap = false
    # cat /etc/openldap/secret
    cat: /etc/openldap/secret: No such file or directory

The code assumes that if it is set, the named file has content. Since it doesn’t, safe_read_file() asserts.

I set it to nothing (rgw_ldap_secret = ) in my configuration, and everything seems happy.

    std::string parse_rgw_ldap_bindpw(CephContext* ctx) {
      string ldap_bindpw;
      // Path of the file that holds the LDAP bind password
      string ldap_secret = ctx->_conf->rgw_ldap_secret;

      if (ldap_secret.empty()) {
        ldout(ctx, 10)
          << __func__ << " LDAP auth no rgw_ldap_secret file found in conf"
          << dendl;
      } else {
        // Read at most 1023 bytes so bindpw stays NUL-terminated
        char bindpw[1024];
        memset(bindpw, 0, 1024);
        int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(),
                                   bindpw, 1023);
        // Any non-zero pwlen is treated as a successful read
        if (pwlen) {
          ldap_bindpw = bindpw;
          boost::algorithm::trim(ldap_bindpw);
          if (ldap_bindpw.back() == '\n')
            ldap_bindpw.pop_back();
        }
      }
      return ldap_bindpw;
    }

Related issues

Duplicated by rgw - Bug #38033: RGW "Caught signal (Aborted)" when running vstart with RGW option Duplicate 01/24/2019
Copied to rgw - Backport #38038: luminous: RGW fails to start on Fedora 28 from default configuration Resolved
Copied to rgw - Backport #38039: mimic: RGW fails to start on Fedora 28 from default configuration Resolved

History

#1 Updated by Abhishek Lekshmanan about 1 year ago

  • Assignee set to Matt Benjamin

#2 Updated by Giulio Fidente 6 months ago

I am not sure how the /etc/openldap/secret default was chosen but the code does indeed have a check to exit in case the value is unset; would it make sense to default rgw_ldap_secret to empty string instead?

#3 Updated by Giulio Fidente 6 months ago

Giulio Fidente wrote:

I am not sure how the /etc/openldap/secret default was chosen but the code does indeed have a check to exit in case the value is unset; would it make sense to default rgw_ldap_secret to empty string instead?

To me it's also unclear why that code is executing at all given [1]

1. https://github.com/ceph/ceph/blob/luminous/src/rgw/rgw_auth_s3.h#L82-L85

#4 Updated by Matt Benjamin 6 months ago

  • Status changed from New to In Progress

The crash is easy to avoid (Casey's check for negative pwlen is fine), but agree, we also should not enter this code unless rgw_s3_auth_use_ldap is true in the config, which presumably is not the case. Will resolve.

Matt
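The two conditions from comment #4 (leave the secret file alone unless rgw_s3_auth_use_ldap is true, and do not treat a negative read length as a password), as an added stand-alone example; it is not Ceph's code or the change in the pull request, and it additionally handles an empty or whitespace-only file. `read_secret_file`, `parse_bindpw` and `write_sample` are hypothetical names, and `read_secret_file` is an assumed stand-in for safe_read_file() that returns a negative errno on failure.

```cpp
#include <cerrno>
#include <cstdio>
#include <string>

// Hypothetical stand-in for safe_read_file(): returns bytes read, or a
// negative errno value when the file cannot be opened or read.
static int read_secret_file(const char* path, char* buf, size_t len) {
  std::FILE* f = std::fopen(path, "rb");
  if (!f)
    return -errno;
  size_t n = std::fread(buf, 1, len, f);
  int err = std::ferror(f) ? -EIO : 0;
  std::fclose(f);
  return err ? err : static_cast<int>(n);
}

// Returns the bind password, or "" when LDAP auth is disabled, no secret
// file is configured, the file is unreadable, or it holds only whitespace.
std::string parse_bindpw(bool use_ldap, const std::string& secret_path) {
  std::string bindpw;
  if (!use_ldap || secret_path.empty())
    return bindpw;                       // never touch the file

  char buf[1024] = {0};
  int pwlen = read_secret_file(secret_path.c_str(), buf, sizeof(buf) - 1);
  if (pwlen <= 0)                        // error (negative) or empty file
    return bindpw;

  bindpw.assign(buf, static_cast<size_t>(pwlen));
  // Trim surrounding whitespace without calling back() on an empty string.
  const char* ws = " \t\r\n";
  size_t first = bindpw.find_first_not_of(ws);
  if (first == std::string::npos)
    return std::string();
  size_t last = bindpw.find_last_not_of(ws);
  return bindpw.substr(first, last - first + 1);
}

// Constructed sample input: writes a throwaway secret file for the demo.
static std::string write_sample(const char* path, const char* content) {
  std::FILE* f = std::fopen(path, "wb");
  if (f) { std::fputs(content, f); std::fclose(f); }
  return path;
}

int main() {
  std::string p = write_sample("demo_ldap_secret.txt", "  s3cret\n");
  std::printf("[%s]\n", parse_bindpw(true, p).c_str());
  std::printf("[%s]\n", parse_bindpw(true, "no_such_secret_file").c_str());
  std::remove(p.c_str());
  return 0;
}
```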

#6 Updated by Matt Benjamin 6 months ago

  • Status changed from In Progress to Need Review

#7 Updated by Nathan Cutler 6 months ago

  • Pull request ID set to 25796

#8 Updated by Casey Bodley 6 months ago

  • Status changed from Need Review to Pending Backport
  • Backport set to mimic luminous

#9 Updated by Casey Bodley 6 months ago

  • Duplicated by Bug #38033: RGW "Caught signal (Aborted)" when running vstart with RGW option added

#10 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #38038: luminous: RGW fails to start on Fedora 28 from default configuration added

#11 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #38039: mimic: RGW fails to start on Fedora 28 from default configuration added

#12 Updated by Nathan Cutler 5 months ago

  • Status changed from Pending Backport to Resolved
