Description of problem:
Currently calamari serves an API over HTTP and its method of authentication is session-based auth. This requires POSTing credentials in the clear. We should make calamari serve traffic over SSL to protect authentication.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I've begun a quick branch to show that gevent WSGI can indeed do SSL: https://github.com/ceph/calamari/tree/wip-gevent-ssl

I believe the next action is for my setup script to generate and install a self-signed cert, doing something like https://devcenter.heroku.com/articles/ssl-certificate-self for example. That way there is some measure of protection. If customers want more, they can drop in their own cert at a configurable location.

My colleague suggests that there is someone here who is much more knowledgeable than me on this topic; perhaps they could tell me if I'm going about this wrong and, if so, how to proceed instead.
Siddharth, would you please review my plan and comment?
https://github.com/ceph/calamari/pull/437
With this change, requests to http:// will error with a connection reset. All traffic must be sent to https://
Harish, this is a configuration error, probably due to the docs being incorrect. If you correct the line to ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt it will work as intended.

[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
curl: (35) TCP connection reset by peer
[shadowman@magna090 ~]$ sudo find /etc/calamari/ssl/
/etc/calamari/ssl/
/etc/calamari/ssl/certs
/etc/calamari/ssl/certs/calamari-lite-bundled.crt
/etc/calamari/ssl/private
/etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ grep ssl /etc/calamari/calamari.conf
ssl_cert = /etc/calamari/ssl/private/calamari-lite-bundled.crt
ssl_key = /etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ sudo sed 's;ssl_cert.*$;ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt;' -i /etc/calamari/calamari.conf
[shadowman@magna090 ~]$ sudo supervisorctl restart calamari-lite
calamari-lite: stopped
calamari-lite: started
[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
{"detail": "Authentication credentials were not provided."}[shadowman@magna090 ~]$
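The failure above is a cert path in calamari.conf that points at a file that does not exist, which makes the SSL listener reset every connection. As an added example (not calamari's own code or setup script), this generates a self-signed cert in the way the plan in the earlier comment describes and then checks a calamari.conf the way a deploy script should before restarting the service: the ssl_cert and ssl_key keys are the page's, while the working directory, the CN and the two sample conf files are constructed for the demo.

```bash
#!/bin/sh
# Added example: self-signed cert generation plus a pre-restart sanity check
# that the configured ssl_cert / ssl_key exist and belong to each other.
WORK="${WORK:-$(mktemp -d)}"          # constructed stand-in for /etc/calamari
mkdir -p "$WORK/ssl/certs" "$WORK/ssl/private"

# Self-signed certificate and key (hypothetical CN, valid 365 days).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=calamari.example" \
  -keyout "$WORK/ssl/private/calamari-lite.key" \
  -out "$WORK/ssl/certs/calamari-lite-bundled.crt" >/dev/null 2>&1

# read_conf_value FILE KEY -> prints the value of the first "KEY = value" line
read_conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_calamari_ssl CONF -> 0 only if ssl_cert and ssl_key are readable
# and the certificate's RSA modulus matches the private key's.
check_calamari_ssl() {
  cert=$(read_conf_value "$1" ssl_cert)
  key=$(read_conf_value "$1" ssl_key)
  [ -r "$cert" ] || { echo "ssl_cert not readable: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "ssl_key not readable: $key" >&2; return 1; }
  cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
  key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
    || { echo "certificate and key do not match" >&2; return 1; }
  echo "ok: $cert / $key"
}

# Constructed configs: a correct one, and one with the cert under private/
# as in the misconfiguration reported above.
printf 'ssl_cert = %s\nssl_key = %s\n' \
  "$WORK/ssl/certs/calamari-lite-bundled.crt" \
  "$WORK/ssl/private/calamari-lite.key" > "$WORK/good.conf"
printf 'ssl_cert = %s\nssl_key = %s\n' \
  "$WORK/ssl/private/calamari-lite-bundled.crt" \
  "$WORK/ssl/private/calamari-lite.key" > "$WORK/bad.conf"
```

Run `check_calamari_ssl /etc/calamari/calamari.conf` before `supervisorctl restart calamari-lite`; a non-zero exit with the reason on stderr is cheaper than diagnosing a TCP reset with curl afterwards.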
I made a comment on the docs: https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/doc-Red_Hat_Ceph_Storage_2-Installation_Guide/commit/bde1932e94b59d609b1f633b3ab465800f1d449c John, would you please update that?
Created attachment 1169911 [details] selfsigned_ssl_cert_browser_msg1
Created attachment 1169912 [details] selfsigned_ssl_cert_browser_msg2
Created attachment 1169913 [details] selfsigned_ssl_cert_browser_msg3
Harish, as Ken said, those warnings are expected behavior with self-signed certificates.
APIs are accessible only via https. Moving to verified state.

Tested on:
calamari-server-1.4.2-1.el7cp.x86_64
calamari-server 1.4.2-2redhat1xenial
ceph version 10.2.2-5.el7cp
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-1755.html
*** Bug 1319487 has been marked as a duplicate of this bug. ***