Bug #24228
closed
RGW fails to start on Fedora 28 from default configuration
Description
The default configuration for rgw_ldap_secret seems to be set to /etc/openldap/secret, which on my system is empty:
- ceph-conf -D | grep ldap
rgw_ldap_binddn = uid=admin,cn=users,dc=example,dc=com
rgw_ldap_dnattr = uid
rgw_ldap_searchdn = cn=users,cn=accounts,dc=example,dc=com
rgw_ldap_searchfilter =
rgw_ldap_secret = /etc/openldap/secret
rgw_ldap_uri = ldaps://<ldap.your.domain>
rgw_s3_auth_use_ldap = false
- cat /etc/openldap/secret
cat: /etc/openldap/secret: No such file or directory
The code assumes that if it is set, the named file has content. Since it doesn’t, safe_read_file() asserts.
I set it to nothing (rgw_ldap_secret = ) in my configuration, and everything seems happy.
std::string parse_rgw_ldap_bindpw(CephContext* ctx)
{
  string ldap_bindpw;
  string ldap_secret = ctx->_conf->rgw_ldap_secret;
  if (ldap_secret.empty()) {
    ldout(ctx, 10)
      << __func__ << " LDAP auth no rgw_ldap_secret file found in conf"
      << dendl;
  } else {
    char bindpw[1024];
    memset(bindpw, 0, 1024);
    int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(),
                               bindpw, 1023);
    // true for any nonzero value, including a negative (error) return
    if (pwlen) {
      ldap_bindpw = bindpw;
      boost::algorithm::trim(ldap_bindpw);
      if (ldap_bindpw.back() == '\n')
        ldap_bindpw.pop_back();
    }
  }
  return ldap_bindpw;
}
Updated by Giulio Fidente over 5 years ago
I am not sure how the /etc/openldap/secret default was chosen but the code does indeed have a check to exit in case the value is unset; would it make sense to default rgw_ldap_secret to empty string instead?
Updated by Giulio Fidente over 5 years ago
Giulio Fidente wrote:
I am not sure how the /etc/openldap/secret default was chosen but the code does indeed have a check to exit in case the value is unset; would it make sense to default rgw_ldap_secret to empty string instead?
To me it's also unclear why that code is executing at all given [1].
[1] https://github.com/ceph/ceph/blob/luminous/src/rgw/rgw_auth_s3.h#L82-L85
Updated by Matt Benjamin over 5 years ago
- Status changed from New to In Progress
The crash is easy to avoid (Casey's check for negative pwlen is fine), but agree, we also should not enter this code unless rgw_s3_auth_use_ldap is true in the config, which presumably is not the case. Will resolve.
Matt
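The two guards discussed in this thread (leave the secret file alone unless rgw_s3_auth_use_ldap is true, and treat a negative or zero read length as "no password"), as an added sketch that is not Ceph's code or the actual fix. LdapConf, read_secret_file and parse_ldap_bindpw are hypothetical names, and a plain POSIX reader stands in for safe_read_file().

```cpp
#include <cerrno>
#include <cstddef>
#include <fcntl.h>
#include <string>
#include <unistd.h>

// Hypothetical stand-in for the two config options involved (not Ceph's types).
struct LdapConf {
  bool s3_auth_use_ldap;    // rgw_s3_auth_use_ldap
  std::string ldap_secret;  // rgw_ldap_secret: path to the bind-password file
};

// Reads up to max bytes. Returns the byte count, or a negative errno on
// failure (assumed convention, matching the "negative pwlen" check above).
static int read_secret_file(const std::string& path, char* buf, size_t max) {
  int fd = ::open(path.c_str(), O_RDONLY | O_CLOEXEC);
  if (fd < 0) return -errno;
  size_t got = 0;
  while (got < max) {
    ssize_t n = ::read(fd, buf + got, max - got);
    if (n < 0 && errno == EINTR) continue;
    if (n < 0) {
      int err = errno;
      ::close(fd);
      return -err;
    }
    if (n == 0) break;  // end of file
    got += static_cast<size_t>(n);
  }
  ::close(fd);
  return static_cast<int>(got);
}

// Returns the bind password, or "" when LDAP auth is off, no path is set,
// the file is missing or unreadable, or the file is empty.
std::string parse_ldap_bindpw(const LdapConf& conf) {
  if (!conf.s3_auth_use_ldap || conf.ldap_secret.empty())
    return "";  // LDAP disabled: the default path is never opened
  char bindpw[1024];
  int pwlen = read_secret_file(conf.ldap_secret, bindpw, sizeof(bindpw) - 1);
  if (pwlen <= 0)
    return "";  // negative = read error, 0 = empty file
  std::string pw(bindpw, static_cast<size_t>(pwlen));
  // Strip trailing whitespace only, and only while the string is non-empty.
  while (!pw.empty() && (pw.back() == '\n' || pw.back() == '\r' ||
                         pw.back() == ' ' || pw.back() == '\t'))
    pw.pop_back();
  return pw;
}
```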
Updated by Matt Benjamin over 5 years ago
- Status changed from In Progress to Fix Under Review
Updated by Casey Bodley about 5 years ago
- Status changed from Fix Under Review to Pending Backport
- Backport set to mimic luminous
Updated by Casey Bodley about 5 years ago
- Has duplicate Bug #38033: RGW "Caught signal (Aborted)" when running vstart with RGW option added
Updated by Nathan Cutler about 5 years ago
- Copied to Backport #38038: luminous: RGW fails to start on Fedora 28 from default configuration added
Updated by Nathan Cutler about 5 years ago
- Copied to Backport #38039: mimic: RGW fails to start on Fedora 28 from default configuration added
Updated by Nathan Cutler about 5 years ago
- Status changed from Pending Backport to Resolved