On Wed, 14 May 2014, Brian Rak wrote: > Why are the defaults for 'cephx require signatures' and similar still false? > Is it still necessary to maintain backwards compatibility with very old > clients by default? It seems like from a security POV, you'd want everything > to be more secure out of the box, and require the user to explicitly disable > security if they need backwards compatibility with ancient clients. The Linux kernel client does not yet support the signatures extension. Until this is merged and in kernels that are in some/many/most people's hands, we're opted to leave this off. If you are not using native kernel clients, you can safely enable this. The userland clients (librados, librbd, etc) have supported this since around Bobtail. sage
 |