Reef: mgr/dashboard: Simplify authentication protocol #55689
nizamial09 merged 3 commits into ceph:reef
No, there were no conflicts cherry-picking the three commits from the original PR.
By removing the dependency to PyJWT we also remove the dependency to the cryptographic library which in the dashboard module will create a crash. In newer implementations of the library PyO3 is used to run Rust code in order to encrypt with Elliptic Curves. This is never used in the dashboard communication so a much simpler implementation where we only use the hmac sha256 algorithm to create the signed JWT message could be used.
Fixes: https://forum.proxmox.com/threads/ceph-warning-post-upgrade-to-v8.129371
Signed-off-by: Daniel Persson <mailto.woden@gmail.com>
(cherry picked from commit c616a9d)
Move the JWT requirement to the test requirements file. Also remove JWT from ceph specification and debian build.
Signed-off-by: Daniel Persson <mailto.woden@gmail.com>
(cherry picked from commit c1ea66f)
It seemed that the test dependencies were separated into two different requirements files, one for the testing and one for linting. Added the JWT dependency in the linting file as well.
Signed-off-by: Daniel Persson <mailto.woden@gmail.com>
(cherry picked from commit 06765e6)
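An added example, not the code from this PR or from Ceph: a minimal HS256-only JWT signer and verifier built on the Python standard library, showing the kind of "hmac sha256 only" implementation the first commit message describes. The function names, claim names and key below are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

class InvalidToken(Exception):
    """Raised for any malformed, forged or expired token."""

def _b64e(raw: bytes) -> str:
    # JWT uses URL-safe base64 without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> str:
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256)
    return _b64e(mac.digest())

def encode(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64e(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(key, signing_input)

def decode(token: str, key: bytes, now=None) -> dict:
    try:
        header_b64, payload_b64, sig = token.split(".")
        # Check the MAC before parsing anything the sender controls,
        # and compare in constant time.
        expected = _sign(key, header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            raise InvalidToken("bad signature")
        header = json.loads(_b64d(header_b64))
        payload = json.loads(_b64d(payload_b64))
    except (ValueError, UnicodeError) as exc:
        raise InvalidToken("malformed token") from exc
    # The verifier fixes the algorithm; the header is never used to pick one.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    if not isinstance(payload, dict):
        raise InvalidToken("payload is not an object")
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise InvalidToken("expired or missing exp")
    return payload
```

Because the verifier recomputes the HMAC itself and never selects an algorithm from the token header, an unsigned `"alg": "none"` token fails at the signature check.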
90fb753 to 04b3792
jenkins retest this please
@nizamial09 I don't know why the Pull Request Triage job is failing ("Could not resolve to a ProjectV2 with the number 2.") but I think that's a CI thing rather than a problem with the MR.
You can ignore that failure (I remember fixing it in the main branch before and probably missed backporting it to other branches). Once the other required checks like make check and API tests have passed, I'll merge this. Thank you!
@nizamial09 I'm not sure about the dashboard tests - I don't have permissions to view the images from the dashboard test job, and the e2e error log looks like a docker issue rather than a problem with this MR...
The failures are known, so it's okay. I'll trigger a shaman run just to make sure we are on the safe side here.
shaman build passed ✔️
Removes the (limited) runtime usages of python-jwt, and therefore, python-cryptography from the mgr dashboard module. This should restore dashboard functionality, if used alongside a patched pyo3 for python-bcrypt.
Upstream-Ref: ceph/ceph@33d8bef
References: ceph/ceph#55689
References: https://tracker.ceph.com/issues/63529
References: #20
References: https://git.st8l.com/luxolus/pyo3/commit/44d6919168621b46e4e884130ca43338655b020c
Dashboard still does not work in I haven't dug into the patch here, what it does, where it went, but new users cannot bring up a new instance of ceph-dashboard in reef, because they can't mint a new X509 certificate w/ python/cryptography. Root cause appears to be that the use of python subinterpreters in ceph was a design flaw, because the PyO3 rust/python bindings don't support subinterpreters, and at current rate of progress, are likely not to support subinterpreters maybe for years or maybe basically forever. I'm trying to track the many tendrils here: pyca/cryptography#12080
This is a backport of #54710
Which is a partial fix for https://tracker.ceph.com/issues/63529
While it's not a total fix, it will enable the dashboard in reef on systems with a recent PyO3 (e.g. Debian Bookworm, Arch), so I think it is a useful backport for reef.
Conflicts:
All three commits cherry-picked cleanly with no conflicts.