Bug 1783271
Summary: | [RFE] support for key rotation | ||
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | John Fulton <johfulto> |
Component: | Cephadm | Assignee: | Adam King <adking> |
Status: | CLOSED ERRATA | QA Contact: | Vinayak Papnoi <vpapnoi> |
Severity: | medium | Docs Contact: | Akash Raj <akraj> |
Priority: | medium | ||
Version: | 3.3 | CC: | adking, akraj, alisauxbpn53, anharris, aschoen, ceph-eng-bugs, flucifre, gcharot, gjose, gmeno, jwakely, kjosy, msaini, nojha, nthomas, prprakas, sostapov, vereddy |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | 6.1 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ceph-17.2.6-5.el9cp | Doc Type: | Enhancement |
Doc Text: |
.Users can now rotate the authentication key for Ceph daemons
For security reasons, some users might want to rotate the authentication keys used by the daemons in the storage cluster periodically.
With this release, the authentication key of a Ceph daemon can be rotated with the `ceph orch daemon rotate-key _DAEMON_NAME_` command. For MDS, OSD, and MGR daemons, this does not require a daemon restart. However, other daemons, such as Ceph Object Gateway daemons, might need to be restarted to switch to the new key.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-06-15 09:15:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2180567 | ||
Bug Blocks: | 2192813 |
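The command in the Doc Text above schedules the rotation, which cephadm then carries out from its serve loop, so the monitors may still hold the old key when the command returns. A practitioner therefore wants to confirm that the key actually changed before moving to the next daemon, and, for the daemon types that may be restarted (Ceph Object Gateway, for example), to check `ceph orch ps` afterwards. The POSIX shell script below is an added example and is not part of this bug report or of cephadm. It assumes `ceph` on PATH with an admin keyring, cephadm's entity naming (OSD, MGR and MDS daemons use their daemon name as the cephx entity, all monitors share `mon.`, every other daemon type is `client.<daemon name>`), that `ceph orch ps --format json` contains a `daemon_name` field, and that `rotate-key` is applied asynchronously. The names `auth_entity`, `current_key`, `rotate_and_verify`, `rotate_type`, `CEPH` and `POLL` are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report or from cephadm): rotate a
# cephadm-managed daemon's cephx key with `ceph orch daemon rotate-key`
# and confirm from the monitors that the key really changed.
# Assumes `ceph` on PATH with admin credentials. CEPH and POLL are knobs
# introduced here so the script can be pointed at a stub for testing.

CEPH=${CEPH:-ceph}
POLL=${POLL:-5}               # seconds between checks of the monitors' copy of the key
[ "$POLL" -ge 1 ] || POLL=1   # a zero interval would never advance the timeout

# Map a cephadm daemon name (as printed by `ceph orch ps`) to the cephx
# entity whose key it holds. Assumption: cephadm's entity naming, where
# osd/mgr/mds daemons use their own name, all mons share "mon." and every
# other daemon type (rgw, crash, nfs, ...) is a client entity.
auth_entity() {
    case "$1" in
        mon.*)              echo "mon." ;;
        osd.*|mgr.*|mds.*)  echo "$1" ;;
        *)                  echo "client.$1" ;;
    esac
}

# Read the key the monitors currently hold for a daemon, without writing a
# keyring file to disk.
current_key() {
    "$CEPH" auth get-key "$(auth_entity "$1")"
}

# Ask the orchestrator to rotate the key, then poll until the monitors report
# a different key or the timeout (seconds, default 300) expires. rotate-key
# only schedules the action; the cephadm serve loop performs it, so the key
# is not guaranteed to have changed when the command returns.
rotate_and_verify() {
    daemon=$1
    timeout=${2:-300}
    before=$(current_key "$daemon") || return 1
    "$CEPH" orch daemon rotate-key "$daemon" >/dev/null || return 1
    waited=0
    while [ "$waited" -le "$timeout" ]; do
        after=$(current_key "$daemon") || return 1
        if [ "$after" != "$before" ]; then
            echo "$daemon: key for $(auth_entity "$daemon") rotated"
            return 0
        fi
        sleep "$POLL"
        waited=$((waited + POLL))
    done
    echo "$daemon: key for $(auth_entity "$daemon") unchanged after ${timeout}s" >&2
    return 2
}

# Rotate every daemon of one type, one at a time, stopping at the first
# failure so a broken rotation cannot spread across the cluster. For types
# outside osd/mgr/mds (rgw for example) cephadm may restart the daemon to
# pick up the new key, so review `ceph orch ps` after this returns.
rotate_type() {
    "$CEPH" orch ps --daemon-type "$1" --format json \
        | tr ',' '\n' | sed -n 's/.*"daemon_name": *"\([^"]*\)".*/\1/p' \
        | while read -r d; do rotate_and_verify "$d" || exit 1; done
}

# Usage: rotate-keys.sh osd|mgr|mds|rgw   (whole type)
#        rotate-keys.sh osd.3             (single daemon)
case "$1" in
    osd|mgr|mds|rgw) rotate_type "$1" ;;
    "")              ;;   # no argument: functions defined, nothing rotated
    *)               rotate_and_verify "$1" ;;
esac
```

Comparing `ceph auth get-key` output before and after is deliberately independent of anything the orchestrator reports: it checks the monitors' authoritative copy of the key rather than trusting the scheduling message, and it works whether or not cephadm restarted the daemon to switch keys.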
Description
John Fulton
2019-12-13 13:45:12 UTC
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

candidate for 4.2.

I think the desired behavior (as described in the BZ description) was implemented in https://github.com/ceph/ceph/pull/40941 . Please make sure you're not talking about https://tracker.ceph.com/issues/44869 here.

It's more accurate to say that I'm talking about https://tracker.ceph.com/issues/44869.

Details: The original description involved rotating the CephAdminKey (director's variable for the admin key), which seems to be covered by [1] and not [2]. The original description also involved rotating client keys and I see that [2] gave us commands like `ceph orch client-keyring {ls,set,rm}`; however, we're no longer using ceph-ansible to distribute client keys and we're not using cephadm to distribute client keys.

This RFE was requested in the context of OSP13/16, when ceph-ansible was controlling OpenStack cephx client keys, e.g. updating compute nodes' ceph.conf and cephx keys. For OSP17/RHCSv5 director manages client keys [3] so the context is now different. Our process is now:

1. let cephadm create the admin key during bootstrap
2. use the ceph_key module to create OpenStack keys using the ceph_key module from ceph-ansible which is now in tripleo [4]
3. use the tripleo_ceph_client [3] to distribute the client cephx keys created in the previous step

Once we have [1] which rotates the CephAdminKey, we would follow a variation of the steps above for update, not create, letting [1] take care of step 1, and then use a variation of 2 and 3 to do the update. We could use [2] to implement step 2 above differently, but that's not sufficient to address the admin key rotation so we'd still need [1].
[1] https://tracker.ceph.com/issues/44869
[2] https://github.com/ceph/ceph/pull/40941
[3] https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo_ceph_client.html
[4] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/roles/tripleo_cephadm/tasks/keys.yaml

Neha, this needs a feature in RADOS to have two cephx keys for a brief period in time. Do you want to take it?

(In reply to Sebastian Wagner from comment #14)
> Neha, this needs a feature in RADOS to have two cephx keys for a brief
> period in time. Do you want to take it?

Hi Sebastian, IIRC, we discussed this at CDS and Sage added details in https://trello.com/c/dU24gHyD/302-automatic-key-rotation-for-daemons and here's the corresponding BZ https://bugzilla.redhat.com/show_bug.cgi?id=1943506. Is this what you are talking about?

Moving to 5.2 as I don't think we can get this into 5.1 anymore.

*** Bug 1943506 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat Ceph Storage 6.1 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:3623