|
|
|
ceph -s 出现mon is allowing insecure global_id reclaim异常 Patched monitors now properly require that clients securely reclaim their global_id when the auth_allow_insecure_global_id_reclaim is false. Initially, by default, this option is set to true so that existing clients can continue to function without disruption until all clients have been upgraded. When this option is set to false, then an unpatched client will not be able to reconnect to the cluster after an intermittent network disruption breaking its connect to a monitor, or be able to renew its authentication ticket when it times out (by default, after 72 hours). Patched monitors raise the AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED health alert if auth_allow_insecure_global_id_reclaim is enabled. This health alert can be muted with: ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 1w
) s5 ^8 c. z3 i- S! M' R" d+ f& Z
Although it is not recommended, the alert can also be disabled with: ceph config set mon mon_warn_on_insecure_global_id_reclaim_allowed falsePatched monitors can disconnect new clients right after they have authenticated (forcing them to reconnect and reclaim) in order to determine whether they securely reclaim global_ids. This allows the cluster and users to discover quickly whether clients would be affected by requiring secure global_id reclaim: most clients will report an authentication error immediately. This behavior can be disabled by setting auth_expose_insecure_global_id_reclaim to false: ceph config set mon auth_expose_insecure_global_id_reclaim falsePatched monitors will raise the AUTH_INSECURE_GLOBAL_ID_RECLAIM health alert for any clients or daemons that are not securely reclaiming their global_id. These clients should be upgraded before disabling the auth_allow_insecure_global_id_reclaim option to avoid disrupting client access. By default (if auth_expose_insecure_global_id_reclaim has not been disabled), clients’ failure to securely reclaim global_id will immediately be exposed and raise this health alert. However, if auth_expose_insecure_global_id_reclaim has been disabled, this alert will not be triggered for a client until it is forced to reconnect to a monitor (e.g., due to a network disruption) or the client renews its authentication ticket (by default, after 72 hours). The default time-to-live (TTL) for authentication tickets has been increased from 12 hours to 72 hours. Because we previously were not ensuring that a client’s prior ticket was valid when reclaiming their global_id, a client could tolerate a network outage that lasted longer than the ticket TTL and still reclaim its global_id. Once the cluster starts requiring secure global_id reclaim, a client that is disconnected for longer than the TTL may fail to reclaim its global_id, fail to reauthenticate, and be unable to continue communicating with the cluster until it is restarted. The default TTL was increased to minimize the impact of this change on users. 7 B6 B" R/ ]! c" D4 ]
( w) Q3 a% ?- _% @) u* w* ^RECOMMENDATIONSUsers should upgrade to a patched version of Ceph at their earliest convenience. Users should upgrade any unpatched clients at their earliest convenience. By default, these clients can be easily identified by checking the ceph health detail output for the AUTH_INSECURE_GLOBAL_ID_RECLAIM alert. If all clients cannot be upgraded immediately, the health alerts can be temporarily muted with: ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 1w # 1 week9 W. A$ D$ a; ~' l. L' G6 p
ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 1w # 1 week1 ]& Q! N3 N+ j; L" j
- W9 @- x0 H: j! T( Y
8 H7 J) q! K; o* J! ~; ~ S- p
: `. q: x T A8 q2 V7 s
: H3 l$ L5 h2 h8 A* q; I; l: P, \; s
' @8 h4 G o2 G, x! j8 ?- g
_6 c6 q1 z0 ^" ]8 m3 Q
$ v& e( g6 ~+ ~7 B! m |
|
发表于 2021-5-23 10:29:56