Bug 1119995

Summary: [RFE][cinder]: Introduce secure NFS environment support for Cinder
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: openstack-cinder
Assignee: Eric Harney <eharney>
Status: CLOSED CURRENTRELEASE
QA Contact: Yogev Rabl <yrabl>
Severity: medium
Docs Contact:
Priority: high
Version: unspecified
CC: eharney, markmc, nlevinki, scohen, yeylon
Target Milestone: z5
Keywords: FutureFeature, Triaged, ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/cinder/+spec/secure-nfs
Whiteboard: upstream_milestone_next upstream_definition_obsolete upstream_status_needs-code-review
Doc Type: Enhancement
Last Closed: 2016-01-26 16:14:53 UTC

Description RHOS Integration 2014-07-16 04:08:34 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/cinder/+spec/secure-nfs.

Description:

The current Cinder NFS model requires root level access and wide open file permissions, creating an insecure NFS environment. This blueprint proposes Cinder modifications to enable the OpenStack user to set up a secure NFS environment wherein root access to the NFS server (backend storage) is squashed, the Cinder NFS process does not run as root, but rather as the configured "stack" user, and NFS file permissions are set to owner and group access only.

This proposal removes root level execution from Cinder when it performs RemoteFS-based operations. It sets file permissions to 660 rather than 666 and would implement a configuration flag to allow the OpenStack administrator to control whether the new, more strict, permissions are used or to continue using the wide open permissions. The implementation will also require a modification to the emulation service (e.g., qemu) to specify that it run as the stack user and that it not change file ownership: this allows the NFS client-server secure environment operations.

Specification URL (additional information):

None
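
Added example (not part of the bug report or of Cinder's code): a small audit that walks an NFS-backed volume directory and reports files whose mode grants more than the 660 described above, or whose owner is not the expected service account. The function names, the sample file names and the temporary directory standing in for the mount point are assumptions made for illustration.

```python
import os
import stat
import tempfile

SECURE_MODE = 0o660  # owner/group read-write only (the stricter setting)


def mode_excess(mode):
    """Return the permission bits in `mode` that go beyond 0660."""
    return stat.S_IMODE(mode) & ~SECURE_MODE


def audit_volume_dir(mount_point, expected_uid):
    """Map each non-compliant regular file under mount_point to its issues."""
    findings = {}
    for root, _dirs, files in os.walk(mount_point):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            issues = []
            extra = mode_excess(st.st_mode)
            if extra:
                issues.append("mode %04o exceeds 0660 (extra bits %04o)"
                              % (stat.S_IMODE(st.st_mode), extra))
            if st.st_uid != expected_uid:
                issues.append("owner uid %d, expected %d"
                              % (st.st_uid, expected_uid))
            if issues:
                findings[path] = issues
    return findings


def demo():
    """Constructed sample: one 0666 file and one 0660 file in a temp dir."""
    with tempfile.TemporaryDirectory() as mnt:
        for name, mode in (("volume-legacy", 0o666), ("volume-secure", 0o660)):
            path = os.path.join(mnt, name)
            with open(path, "wb") as fh:
                fh.write(b"\0" * 16)
            os.chmod(path, mode)
        found = audit_volume_dir(mnt, expected_uid=os.getuid())
        return {os.path.basename(p): i for p, i in found.items()}


if __name__ == "__main__":
    print(demo())
```

On a real deployment, pass the mount point of the NFS share and the uid of the account the volume service runs as; an owner mismatch is what an emulator that re-owns files would leave behind.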

Comment 8 Lon Hohberger 2016-01-26 16:14:53 UTC
This was resolved by openstack-cinder-2015.1.2-5.el7ost, available from the OpenStack 7 repository.