From: Max Carrara <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v3 ceph 2/2] mgr/dashboard: add patch that removes PyOpenSSL-related usages
Date: Fri, 5 Jan 2024 15:07:33 +0100
Message-ID: <20240105140733.380258-3-m.carrara@proxmox.com>
In-Reply-To: <20240105140733.380258-1-m.carrara@proxmox.com>
This patch allows the dashboard to work again with TLS enabled; it
however disables the possibility to create self-signed certs via the
`ceph` CLI. This means that users will have to supply the correct
key/cert pair themselves, which is just a few extra steps instead. [0]

Users that try to generate a self-signed cert via the `ceph` CLI are
instead provided with instructions on how to generate and configure a
key/cert pair themselves.

Additionally, the check whether the cert and key match is removed during
the dashboard's launch.

See the patch for additional details.

[0]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
Signed-off-by: Max Carrara <m.carrara@proxmox.com>
---
...move-ability-to-create-and-check-TLS.patch | 101 ++++++++++++++++++
patches/series | 1 +
2 files changed, 102 insertions(+)
create mode 100644 patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
diff --git a/patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch b/patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
new file mode 100644
index 000000000..59c5263da
--- /dev/null
+++ b/patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Max Carrara <m.carrara@proxmox.com>
+Date: Thu, 4 Jan 2024 17:37:50 +0100
+Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS
+ key/cert pairs
+
+In order to avoid running into PyO3-related issues [0] with PyOpenSSL,
+the ability to create self-signed certs is disabled - the command
+`ceph dashboard create-self-signed-cert` is made to always return an
+error.
+
+The command's error message contains the manual steps the user may
+follow in order to set the certificate themselves, as well as a link
+to the Ceph Dashboard documentation regarding TLS support. [1]
+
+Furthermore, the check on start-up, that verifies that the configured
+key/cert pair actually match, is also removed. This means that users
+need to ensure themselves that the correct pair is supplied -
+otherwise their browser will complain.
+
+These changes allow the dashboard to launch with TLS enabled again.
+
+[0]: https://tracker.ceph.com/issues/63529
+[1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
+
+Signed-off-by: Max Carrara <m.carrara@proxmox.com>
+---
+ src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
+index 68725be6e35..9db55a3ee93 100644
+--- a/src/pybind/mgr/dashboard/module.py
++++ b/src/pybind/mgr/dashboard/module.py
+@@ -23,8 +23,7 @@ if TYPE_CHECKING:
+
+ from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
+ MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
+-from mgr_util import ServerConfigException, build_url, \
+- create_self_signed_cert, get_default_addr, verify_tls_files
++from mgr_util import ServerConfigException, build_url, get_default_addr
+
+ from . import mgr
+ from .controllers import Router, json_error_page
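Review bot: dropping `create_self_signed_cert` and `verify_tls_files` from the `mgr_util` import is only safe if the two call sites removed in the later hunks are the last references in module.py; a remaining reference would not fail at import time but only as a NameError when that code path runs. Grepping the patched file for both names (or running pyflakes on it) before applying is worth the minute.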
+@@ -172,11 +171,14 @@ class CherryPyConfig(object):
+ else:
+ pkey_fname = self.get_localized_module_option('key_file') # type: ignore
+
+- verify_tls_files(cert_fname, pkey_fname)
+-
+ # Create custom SSL context to disable TLS 1.0 and 1.1.
+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+- context.load_cert_chain(cert_fname, pkey_fname)
++
++ try:
++ context.load_cert_chain(cert_fname, pkey_fname)
++ except ssl.SSLError:
++ raise ServerConfigException("No certificate configured")
++
+ if sys.version_info >= (3, 7):
+ if Settings.UNSAFE_TLS_v1_2:
+ context.minimum_version = ssl.TLSVersion.TLSv1_2
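Review bot: the `except ssl.SSLError` branch replaces the real cause with the fixed text "No certificate configured", which is wrong for the cases it actually catches: `load_cert_chain` raises `ssl.SSLError` when the key does not match the certificate, when a PEM file is malformed, or when the key is passphrase-protected, and none of those is "no certificate". Since the removed `verify_tls_files` call was what used to report the mismatch explicitly, carry the cause into the new exception, e.g. `except ssl.SSLError as e:` / `raise ServerConfigException(f"Failed to load TLS key/cert pair: {e}") from e`, so the operator sees the mismatch in the mgr log rather than a misleading generic message. Also, a configured path that does not exist makes `load_cert_chain` raise `FileNotFoundError`, which is an `OSError` but not an `ssl.SSLError`, so it escapes this block; catching `OSError` (of which `ssl.SSLError` is a subclass) would cover both with one handler.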
+@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig):
+
+ @CLIWriteCommand("dashboard create-self-signed-cert")
+ def set_mgr_created_self_signed_cert(self):
+- cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
+- result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
+- if result.retval != 0:
+- return result
+-
+- result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
+- if result.retval != 0:
+- return result
+- return 0, 'Self-signed certificate created', ''
++ from textwrap import dedent
++
++ err = """
++ Creating self-signed certificates is currently not available.
++ However, you can still set a key and certificate pair manually:
++
++ 1. Generate a private key and self-signed certificate:
++ # openssl req -newkey rsa:2048 -nodes -x509 \\
++ -keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\
++ -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
++
++ 2. Set the corresponding config keys for the key/cert pair:
++ # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
++ # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
++
++ For more information on how to configure TLS for the dashboard, visit:
++ https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
++ """
++
++ return -errno.ENOTSUP, '', dedent(err).strip()
+
+ @CLIWriteCommand("dashboard set-rgw-credentials")
+ def set_rgw_credentials(self):
+--
+2.39.2
+
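Review bot: the manual steps in the new error text do not agree with each other: step 1 writes the certificate to `/root/dashboard-cert.pem` (`-out /root/dashboard-cert.pem`), while step 2 reads `/root/dashboard-crt.pem` (`ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem`), so an operator who follows the instructions verbatim gets a file-not-found error on the last command; use the same file name in both lines. Two smaller points on the same hunk: the handler returns `-errno.ENOTSUP` but no hunk adds `import errno`, so confirm module.py already imports it, and `from textwrap import dedent` belongs with the module-level imports rather than inside the command handler.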
diff --git a/patches/series b/patches/series
index 93354a011..924f3dadd 100644
--- a/patches/series
+++ b/patches/series
@@ -10,3 +10,4 @@
0010-debian-add-missing-bcrypt-to-manager-.requires.patch
0011-fix-compatibility-with-CPUs-not-supporting-SSE-4.1-i.patch
0012-backport-mgr-dashboard-simplify-authentication-proto.patch
+0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
--
2.39.2
Thread overview:
2024-01-05 14:07 [pve-devel] [PATCH v3 ceph 0/2] Complete Workaround For Ceph Dashboard Max Carrara
2024-01-05 14:07 ` [pve-devel] [PATCH v3 ceph 1/2] mgr/dashboard: add backport that allows the dashboard to work again Max Carrara
2024-01-05 14:07 ` Max Carrara [this message]
2024-01-15 16:48 ` [pve-devel] applied-series: [PATCH v3 ceph 0/2] Complete Workaround For Ceph Dashboard Thomas Lamprecht