On Thu, 28 Jun 2018, Gregory Farnum wrote: > On Wed, Jun 27, 2018 at 5:28 AM, Sage Weil <sweil@xxxxxxxxxx> wrote: > > The idea is to lock an authentication key (e.g., client.foo) so that it is > > only usable from a specific host or network. At a minimum, it would mean > > modifying the MonCap to include a host field with a CIDR network/mask. > > For example, > > > > [client.foo] > > key = ... > > caps mon = allow profile rbd host 1.2.3.4/32 > > caps osd = allow profile rbd > > > > https://pad.ceph.com/p/pin_caps_to_network > > > > I see two options, one easy and one slightly harder. The first is we only > > add the host restriction to the mon cap, under the reasoning that if you > > can't get tickets from the mon then you can't talk to everyone else > > anyway, and if you do and then tunnel your OSD session (or whatever) > > through a different network who really cares. The second is that we add > > the host clause to OSDCap and MDSCap too, just because. > > > > Does this seems like a reasonable approach? > > I think if we’re going to do this we should enforce the IP check on > every daemon. It’s better for defense in depth. > That does leave us with two options though: 1) we just invisibly > propagate the IP check from the monitor cap (or some non-specific > cap?) into all the others either when we import it or when we hand out > the cephx bundle, or 2) we let users specify a source IP in each > daemon cap they want to check it on. > > (1) is simple for users to understand and safer, in that they can’t > mess it up. But (2) allows more fine-grained stuff that might be > useful in weird network layouts? https://github.com/ceph/ceph/pull/22879 implements (1). I'm inclined to leave it simple until we have a compelling use-case for (2). sage
