Hi,
On 06/12/2012 11:31 AM, John Axel Eriksson wrote:
I asked a similar question in a previous email but I didn't get any
satisfying answers. What exactly does cephx auth secure?
I wanted to get back on your e-mail from yesterday, but you beat me to
it! :)
From the wiki I just get "this makes your cluster more secure", well
from what? If I run on an internal network accessible only
by a few trusted people - what does cephx auth secure in such a scenario?
Never ever trust anything, even in a local network. Security has more
aspects then just uninvited guests accessing or modifying your data.
Like I said in the previous e-mail, it prevents you from having an old
machine or just a plain configuration error on a client disrupting
cluster service.
In that previous email I got the answer that it secures the cluster
from mistakenly connecting to wrong cluster with rados and
accidentally deleting a pool... well, can rados really "accidentally"
connect to the wrong cluster? Only if I have the wrong config
file right? And if I have the wrong config-file won't it be possible
that I also have the "wrong" key in that case?
The "rados" command doesn't really need a config file, you can also
specify the monitor address manually.
$ rados -p <mon address> rmpool data
If you'd issue that with the wrong monitor address while playing in your
local network you could remove the pool on the wrong cluster.
With cephx in place you also have to specify the correct key, it's just
a second layer in place from preventing something like this happening.
Another scenario would be if I take down an OSD that just sits in
storage for say 6 months and then someone starts that machine
again - with key-based auth that OSD wouldn't be able to
connect(somehow? but if it has a working key?) but without auth it
could
possibly connect and wreak havoc in the cluster (since it is so much
behind perhaps in both version of software and what's stored on it).
I thought marking and OSD as down or out would do that?
If you mark an OSD out it will get marked as "in" again when you start
up the OSD, but that also depends on your settings like "noautoin".
When you take an OSD out of production with cephx you would also remove
the corresponding OSD key from the cluster keyring.
Are those the main reasons for having cephx auth? Is it to secure the
cluster against people (myself included) making mistakes or from
hacking, or is there some technical reason that I don't know of or understand?
It can serve multiple purposes. In a bigger env you should never trust
any machine. So if you have a client which only has access to the "rbd"
pool for running Virtual Machines, it shouldn't get more permissions
than that.
So yes, it's again human error, but if a machine gets hacked, you can
prevent that machine from ruining your whole cluster.
The reason I'm asking is because having cephx enabled makes cluster
setup much more complicated...
cephx might be complicated at first glance, but it isn't really that hard.
It is up to you if you enable it, but take the recommendations above
into account when making your decision.
Wido
Thanks,
John
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
