On Wed, 27 Jun 2018, Piotr Dałek wrote: > On 18-06-27 02:28 PM, Sage Weil wrote: > > The idea is to lock an authentication key (e.g., client.foo) so that it is > > only usable from a specific host or network. At a minimum, it would mean > > modifying the MonCap to include a host field with a CIDR network/mask. > > For example, > > > > [client.foo] > > key = ... > > caps mon = allow profile rbd host 1.2.3.4/32 > > caps osd = allow profile rbd > > > > https://pad.ceph.com/p/pin_caps_to_network > > > > I see two options, one easy and one slightly harder. The first is we only > > add the host restriction to the mon cap, under the reasoning that if you > > can't get tickets from the mon then you can't talk to everyone else > > anyway, and if you do and then tunnel your OSD session (or whatever) > > through a different network who really cares. The second is that we add > > the host clause to OSDCap and MDSCap too, just because. > > > > Does this seems like a reasonable approach? > > Usually cluster hosts have firewalls in place to prevent connections from > outside of trusted networks. This also prevents - among other things - > exhausting/locking out mon servers with Slowloris attacks (AFAIK there's no > timeout on banner exchange/initial handshake in Ceph protocol) comming from > unauthorized hosts. Knowing that, what's the value in having similar > restrictions on Ceph side? The specific use-case driving this is a cluster where the operator wants to restruct the privileged keys (e.g., client.admin) from a restricted set of hosts. I can imagine doing something similar where there are different trust domains that access the same cluster. For example, one network has read-only access to the cluster while another has read/write access; a firewall can't enforce that. sage
