Re: BUG #51821 - client is using insecure global_id reclaim

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Did you follow the fix/recommendation when applying patches as per
the documentation in the CVE security post [1] ?

Best regards

[1] https://docs.ceph.com/en/latest/security/CVE-2021-20288/

> On 9 Aug 2021, at 02:26, Richard Bade <hitrich@xxxxxxxxx> wrote:
> 
> Hi Daniel,
> I had a similar issue last week after upgrading my test cluster from
> 14.2.13 to 14.2.22 which included this fix for Global ID reclaim in
> .20. My issue was a rados gw that I was re-deploying on the latest
> version. The problem seemed to be related with cephx authentication.
> It kept displaying the error message you have and the service wouldn't
> start.
> I ended up stopping and removing the old rgw service, deleting all the
> keys in /etc/ceph/ and all data in /var/lib/ceph/radosgw/ and
> re-deploying the radosgw. This used the new rgw bootstrap keys and new
> key for this radosgw.
> So, I would suggest you double and triple check which keys your
> clients are using and that cephx is enabled correctly on your cluster.
> Check your admin key in /etc/ceph as well, as that's what's being used
> for ceph status.
> 
> Regards,
> Rich
> 
> On Sun, 8 Aug 2021 at 05:01, Daniel Persson <mailto.woden@xxxxxxxxx> wrote:
>> 
>> Hi everyone.
>> 
>> I suggested asking for help here instead of in the bug tracker so that I
>> will try it.
>> 
>> https://tracker.ceph.com/issues/51821?next_issue_id=51820&prev_issue_id=51824
>> 
>> I have a problem that I can't seem to figure out how to resolve the issue.
>> 
>> AUTH_INSECURE_GLOBAL_ID_RECLAIM: client is using insecure global_id reclaim
>> AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED: mons are allowing insecure
>> global_id reclaim
>> 
>> 
>> Both of these have to do with reclaiming ID and securing that no client
>> could steal or reuse another client's ID. I understand the reason for this
>> and want to resolve the issue.
>> 
>> Currently, I have three different clients.
>> 
>> * One Windows client using the latest Ceph-Dokan build. (ceph version
>> 15.0.0-22274-g5656003758 (5656003758614f8fd2a8c49c2e7d4f5cd637b0ea) pacific
>> (rc))
>> * One Linux Debian build using the built packages for that kernel. (
>> 4.19.0-17-amd64)
>> * And one client that I've built from source for a raspberry PI as there is
>> no arm build for the Pacific release. (5.11.0-1015-raspi)
>> 
>> If I switch over to not allow global id reclaim, none of these clients
>> could connect, and using the command "ceph status" on one of my nodes will
>> also fail.
>> 
>> All of them giving the same error message:
>> 
>> monclient(hunting): handle_auth_bad_method server allowed_methods [2]
>> but i only support [2]
>> 
>> 
>> Has anyone encountered this problem and have any suggestions?
>> 
>> PS. The reason I have 3 different hosts is that this is a test environment
>> where I try to resolve and look at issues before we upgrade our production
>> environment to pacific. DS.
>> 
>> Best regards
>> Daniel
>> _______________________________________________
>> ceph-users mailing list -- ceph-users@xxxxxxx
>> To unsubscribe send an email to ceph-users-leave@xxxxxxx
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx



[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux