From a967b9dd66fad5b055b071794a4b059feed9fe90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Nasiadka?= <mnasiadka@gmail.com>
Date: Fri, 23 Apr 2021 16:17:33 +0200
Subject: [PATCH] cephadm: Set auth_allow_insecure_global_id_reclaim to true

Background in [1].
Ubuntu uses pre 15.2.11 client and new 15.2.11 installs default that to false,
therefore not allowing Ubuntu clients to connect.

[1]: https://docs.ceph.com/en/latest/security/CVE-2021-20288/

Change-Id: Ic251b447026262eab4b406b8432cc009ca97ae82
---
 roles/cephadm/tasks/main.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/roles/cephadm/tasks/main.yml b/roles/cephadm/tasks/main.yml
index d8795050e1..06675186a3 100644
--- a/roles/cephadm/tasks/main.yml
+++ b/roles/cephadm/tasks/main.yml
@@ -79,6 +79,17 @@
   become: True
   loop: "{{ cephadm_ceph_osd_devices }}"
 
+# NOTE(mnasiadka): Ubuntu uses pre 15.2.11 Octopus client code and suffers from
+#                  https://docs.ceph.com/en/latest/security/CVE-2021-20288/
+
+- name: Set auth_allow_insecure_global_id_reclaim to True
+  command:
+    cmd: >
+         cephadm shell --
+         ceph config set mon auth_allow_insecure_global_id_reclaim true
+  become: true
+  when: ansible_distribution == "Ubuntu"
+
 - name: Create and initialise pools for OpenStack services
   command:
     cmd: >