Fix #53588
allow specifying ssl certificate for radosgw-admin operations, for example multi-site [realm/period] [pull/update]
Tags: ssl
Description
Add the ability to specify the SSL certificate to be used by radosgw-admin when it acts as an HTTPS client to a radosgw whose frontend is configured as an HTTPS endpoint.
(Currently there is no mechanism to specify such a certificate, and such radosgw-admin operations are performed with --rgw_verify_ssl=false.)
Example MS mstart flow (--rgw_verify_ssl=false --> --rgw_verify_ssl_cacert=./cert.pem):
# PRE-REQ: prepare cert.pem:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout key.pem -out cert.pem -subj "/CN=localhost" -days 3650
cat key.pem >> cert.pem

# restart:
../src/mstop.sh c1 ; ../src/mstop.sh c2
kill --verbose -9 $(ps -ef | grep 'bin\/radosgw' | grep "800[12]" | awk '{ print $2 }')
ps -ef | grep '[r]adosgw' ; ps -ef | grep '[c]eph'
/usr/bin/rm -rf ./run/*

### ZONE 1 ###
export CEPH_DEV=0
env MON=1 OSD=1 MDS=0 MGR=1 RGW=1 ../src/mstart.sh c1 -n -o bluestore_block_size=536870912000 --without-dashboard | ccze -A -onolookups
../src/mrun c1 radosgw-admin realm create --rgw-realm=gold --default | jq
../src/mrun c1 radosgw-admin zonegroup create --rgw-zonegroup=us --endpoints=https://localhost:1443 --master --default | jq
../src/mrun c1 radosgw-admin zone create --rgw-zonegroup=us --rgw-zone=us-east --endpoints=https://localhost:1443 --access-key a2345678901234567890 --secret a234567890123456789012345678901234567890 --master --default | jq
../src/mrun c1 radosgw-admin user create --uid=realm.admin --display-name=RealmAdmin --access-key a2345678901234567890 --secret a234567890123456789012345678901234567890 --system | jq
../src/mrun c1 radosgw-admin period update --commit | jq
../src/mrun c1 radosgw-admin user create --display-name="Test Id" --uid=testid --access-key b2345678901234567890 --secret b234567890123456789012345678901234567890 | jq
../src/mrun c1 radosgw-admin user modify --uid=testid --max-buckets=0 | jq

# restart radosgw:
pgrep -a ceph ; pgrep -a rados | ccze
kill $(ps -ef | grep radosgw | grep 8001 | awk '{ print $2 }')
kill $(ps -ef | grep radosgw | grep 7001 | awk '{ print $2 }')
truncate -s0 ./run/c1/out/radosgw.7001.log
../src/mrgw.sh c1 7001 1443 --debug-rgw=20 --debug-ms=0 --debug_rgw_sync=0 --rgw-zone=us-east #--rgw_verify_ssl_cacert=./cert.pem #--rgw_verify_ssl=false
pgrep -a ceph ; pgrep -a rados | ccze
ps -ef | grep "[r]adosgw"
../src/mrun c1 ceph status | ccze -A -onolookups ; ../src/mrun c1 ceph df | ccze -A -onolookups

### ZONE 2 ###
env MON=1 OSD=1 MDS=0 MGR=1 RGW=1 ../src/mstart.sh c2 -n -o bluestore_block_size=536870912000 --without-dashboard | ccze -A -onolookups
../src/mrun c2 radosgw-admin realm pull --url=https://localhost:1443 --access-key a2345678901234567890 --secret a234567890123456789012345678901234567890 --default --rgw_verify_ssl_cacert=./cert.pem | jq #--rgw_verify_ssl=false | jq
../src/mrun c2 radosgw-admin period pull --url=https://localhost:1443 --access-key a2345678901234567890 --secret a234567890123456789012345678901234567890 --default --rgw_verify_ssl_cacert=./cert.pem | jq #--rgw_verify_ssl=false | jq
../src/mrun c2 radosgw-admin zone create --rgw-zonegroup=us --rgw-zone=us-west --endpoints=https://localhost:2443 --access-key=a2345678901234567890 --secret=a234567890123456789012345678901234567890 --default | jq
../src/mrun c2 radosgw-admin period update --commit --rgw_verify_ssl_cacert=./cert.pem | jq #--rgw_verify_ssl=false | jq

# restart radosgw
pgrep -a ceph ; pgrep -a rados | ccze
kill $(ps -ef | grep radosgw | grep 8002 | awk '{ print $2 }')
kill $(ps -ef | grep radosgw | grep 7002 | awk '{ print $2 }')
truncate -s0 ./run/c2/out/radosgw.7002.log
../src/mrgw.sh c2 7002 2443 --debug-rgw=20 --debug-ms=0 --debug_rgw_sync=0 --rgw-zone=us-west #--rgw_verify_ssl_cacert=./cert.pem #--rgw_verify_ssl=false
pgrep -a ceph ; pgrep -a rados | ccze
ps -ef | grep "[r]adosgw"
../src/mrun c1 ceph status | ccze -A -onolookups ; ../src/mrun c2 ceph df | ccze -A -onolookups
sleep 4
../src/mrun c2 radosgw-admin sync status --rgw_verify_ssl_cacert=./cert.pem | ccze -Aonolookups
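The flow above hands the combined cert.pem (certificate with key.pem appended) to --rgw_verify_ssl_cacert, but the verifying client only needs the certificate. The following is an added example, not part of the ticket or of Ceph: it splits out a certificate-only trust file and checks that it accepts the gateway certificate while rejecting a different self-signed certificate with the same CN. The name ca-only.pem, the function names and the 2048-bit/30-day parameters are assumptions, and all keys are throwaway test material.

```shell
#!/bin/sh
# Added example (not from the ticket). Everything generated here is
# constructed test material written to a temporary directory.

# Create a self-signed cert the way the ticket's PRE-REQ step does
# (smaller key so it is quick), then append the key to cert.pem.
make_combined_pem() {  # $1 = directory, $2 = CN
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=$2" -days 30 2>/dev/null &&
  cat "$1/key.pem" >> "$1/cert.pem"
}

# Copy only the certificate out of a combined PEM, so the file given to
# the client never carries the private key. Fails if a key slipped through.
extract_ca_only() {  # $1 = combined PEM, $2 = certificate-only output
  openssl x509 -in "$1" -out "$2" && ! grep -q 'PRIVATE KEY' "$2"
}

# Succeed only if certificate $2 verifies against trust file $1.
# Matching on the "OK" line keeps this independent of exit-code quirks.
trusts() {  # $1 = trust file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Walk through both outcomes: the gateway's own cert is accepted, an
# unrelated self-signed cert with the same CN is not.
demo() {
  d=$(mktemp -d) && mkdir "$d/rgw" "$d/other" &&
  make_combined_pem "$d/rgw" localhost &&
  make_combined_pem "$d/other" localhost &&
  extract_ca_only "$d/rgw/cert.pem" "$d/ca-only.pem" || return 1
  trusts "$d/ca-only.pem" "$d/rgw/cert.pem" && echo "rgw cert: trusted"
  trusts "$d/ca-only.pem" "$d/other/cert.pem" || echo "other cert: rejected"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both results; the second case is what --rgw_verify_ssl=false would silently accept.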
Updated by Casey Bodley over 2 years ago
- Status changed from In Progress to Fix Under Review
- Tags set to ssl