mirror of
https://git.proxmox.com/git/ceph.git
synced 2025-10-31 09:26:59 +00:00
86a553d66e
This patch allows the dashboard to work again with TLS enabled; it however disables the possibility to create self-signed certs via the `ceph` CLI. This means that users will have to supply the correct key/cert pair themselves, which are just a few extra steps instead. [0] Users that try to generate a self-signed cert via the `ceph` CLI are instead provided with instructions on how to generate and configure a key/cert pair themselves. Additionally, the check whether the cert and key match is removed during the dashboard's launch. See the patch for additional details. [0]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support Signed-off-by: Max Carrara <m.carrara@proxmox.com>
102 lines
4.2 KiB
Diff
102 lines
4.2 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Max Carrara <m.carrara@proxmox.com>
|
|
Date: Thu, 4 Jan 2024 17:37:50 +0100
|
|
Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS
|
|
key/cert pairs
|
|
|
|
In order to avoid running into PyO3-related issues [0] with PyOpenSSL,
|
|
the ability to create self-signed certs is disabled - the command
|
|
`ceph dashboard create-self-signed-cert` is made to always return an
|
|
error.
|
|
|
|
The command's error message contains the manual steps the user may
|
|
follow in order to set the certificate themselves, as well as a link
|
|
to the Ceph Dashboard documentation regarding TLS support. [1]
|
|
|
|
Furthermore, the check on start-up, that verifies that the configured
|
|
key/cert pair actually match, is also removed. This means that users
|
|
need to ensure themselves that the correct pair is supplied -
|
|
otherwise their browser will complain.
|
|
|
|
These changes allow the dashboard to launch with TLS enabled again.
|
|
|
|
[0]: https://tracker.ceph.com/issues/63529
|
|
[1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
|
|
|
|
Signed-off-by: Max Carrara <m.carrara@proxmox.com>
|
|
---
|
|
src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++----------
|
|
1 file changed, 27 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
|
|
index 68725be6e35..9db55a3ee93 100644
|
|
--- a/src/pybind/mgr/dashboard/module.py
|
|
+++ b/src/pybind/mgr/dashboard/module.py
|
|
@@ -23,8 +23,7 @@ if TYPE_CHECKING:
|
|
|
|
from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
|
|
MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
|
|
-from mgr_util import ServerConfigException, build_url, \
|
|
- create_self_signed_cert, get_default_addr, verify_tls_files
|
|
+from mgr_util import ServerConfigException, build_url, get_default_addr
|
|
|
|
from . import mgr
|
|
from .controllers import Router, json_error_page
|
|
@@ -172,11 +171,14 @@ class CherryPyConfig(object):
|
|
else:
|
|
pkey_fname = self.get_localized_module_option('key_file') # type: ignore
|
|
|
|
- verify_tls_files(cert_fname, pkey_fname)
|
|
-
|
|
# Create custom SSL context to disable TLS 1.0 and 1.1.
|
|
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
|
- context.load_cert_chain(cert_fname, pkey_fname)
|
|
+
|
|
+ try:
|
|
+ context.load_cert_chain(cert_fname, pkey_fname)
|
|
+ except ssl.SSLError:
|
|
+ raise ServerConfigException("No certificate configured")
|
|
+
|
|
if sys.version_info >= (3, 7):
|
|
if Settings.UNSAFE_TLS_v1_2:
|
|
context.minimum_version = ssl.TLSVersion.TLSv1_2
|
|
@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig):
|
|
|
|
@CLIWriteCommand("dashboard create-self-signed-cert")
|
|
def set_mgr_created_self_signed_cert(self):
|
|
- cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
|
|
- result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
|
|
- if result.retval != 0:
|
|
- return result
|
|
-
|
|
- result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
|
|
- if result.retval != 0:
|
|
- return result
|
|
- return 0, 'Self-signed certificate created', ''
|
|
+ from textwrap import dedent
|
|
+
|
|
+ err = """
|
|
+ Creating self-signed certificates is currently not available.
|
|
+ However, you can still set a key and certificate pair manually:
|
|
+
|
|
+ 1. Generate a private key and self-signed certificate:
|
|
+ # openssl req -newkey rsa:2048 -nodes -x509 \\
|
|
+ -keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\
|
|
+ -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
|
|
+
|
|
+ 2. Set the corresponding config keys for the key/cert pair:
|
|
+ # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
|
|
+ # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
|
|
+
|
|
+ For more information on how to configure TLS for the dashboard, visit:
|
|
+ https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
|
|
+ """
|
|
+
|
|
+ return -errno.ENOTSUP, '', dedent(err).strip()
|
|
|
|
@CLIWriteCommand("dashboard set-rgw-credentials")
|
|
def set_rgw_credentials(self):
|
|
--
|
|
2.39.2
|
|
|