
Bug 1877289

Summary: [RFE] Create a unique rbd user for each host volume attachment
Product: Red Hat OpenStack
Reporter: Lee Yarwood <lyarwood>
Component: openstack-nova
Assignee: OSP DFG:Compute <osp-dfg-compute>
Status: CLOSED WONTFIX
QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 17.0 (Wallaby)
CC: alifshit, cinder-bugs, dasmith, egallen, eglynn, jhakimra, kchamart, sbauza, sgordon, stephenfin, tshefi, vromanso
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1877288
Environment:
Last Closed: 2022-10-04 15:50:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1877288
Bug Blocks:

Description Lee Yarwood 2020-09-09 10:07:24 UTC
This is the openstack-nova clone of the following openstack-cinder RFE that will be used to cover the required changes in the n-cpu service, specifically pulling down the unique user's keyring, creating the associated libvirt secret, etc.

+++ This bug was initially created as a clone of Bug #1877288 +++

Description of problem:

The current implementation of the rbd volume driver provides a static auth_username and a shared (already configured on the computes) static secret_uuid in the connection_info for each volume. There is also legacy support in the computes for pulling these values from the local nova.conf, but these should be overridden by the c-vol-provided connection_info values above for all but legacy volumes at present.

This essentially means that all rbd volumes in an environment are connected to using the same credentials across all instances. This can become an issue if a single instance is compromised through a QEMU vulnerability such as:

CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets
https://bugzilla.redhat.com/show_bug.cgi?id=1869201

This could give an attacker access to all volumes in an environment.

This RFE looks to improve this situation by having the rbd c-vol driver create a unique rbd user per attachment (not volume), providing that user via auth_username and dropping the secret_uuid field entirely from connection_info.

n-cpu will then need to fetch the user keyring on the compute and create a unique libvirt secret for the attachment when connecting the volume and clean up while disconnecting. I'll clone this RFE against openstack-nova shortly to cover this part of the implementation.
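
As an added illustration (not nova or cinder code) of the compute-side change described above, the following Python models how n-cpu would turn connection_info into a libvirt secret and a `<disk>` `<auth>` element under the current shared-secret model and under the proposed per-attachment model. The connection_info dicts, the `cinder-att-7f3a` user name and the UUID derivation from the attachment id are constructed assumptions; fetching the user's keyring from Ceph is out of scope here.

```python
"""Model of the compute-side (n-cpu) handling of rbd connection_info.

Illustrative only: shows the libvirt <secret> and <disk><auth> fragments a
compute would define for a volume attachment under the current shared-secret
model and under the proposed unique-user-per-attachment model.
"""
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of today's connection_info: static user + shared secret.
SHARED_INFO = {"name": "volumes/volume-1", "auth_username": "cinder",
               "secret_uuid": "8d9e4a40-6c0d-4f3e-9bd6-1f6f0b7d8a11"}
# Constructed sample of the proposed shape: unique user, no secret_uuid; the
# compute fetches that user's keyring itself (not modelled here).
PER_ATTACH_INFO = {"name": "volumes/volume-1",
                   "auth_username": "cinder-att-7f3a"}

def secret_uuid_for(info, attachment_id):
    """Shared model: reuse the pre-provisioned secret on the compute.
    Per-attachment model: derive a deterministic UUID from the attachment id
    (assumed scheme) so the same value can be found again at disconnect."""
    if "secret_uuid" in info:
        return info["secret_uuid"]
    return str(uuid.uuid5(uuid.NAMESPACE_URL,
                          f"nova-rbd-attachment:{attachment_id}"))

def secret_xml(info, attachment_id):
    """libvirt <secret> definition holding the Ceph key for this user."""
    root = ET.Element("secret", ephemeral="no", private="no")
    ET.SubElement(root, "uuid").text = secret_uuid_for(info, attachment_id)
    usage = ET.SubElement(root, "usage", type="ceph")
    ET.SubElement(usage, "name").text = f"{info['auth_username']} secret"
    return ET.tostring(root, encoding="unicode")

def disk_auth_xml(info, attachment_id):
    """<auth> element referenced from the guest's <disk> definition."""
    auth = ET.Element("auth", username=info["auth_username"])
    ET.SubElement(auth, "secret", type="ceph",
                  uuid=secret_uuid_for(info, attachment_id))
    return ET.tostring(auth, encoding="unicode")

def secrets_to_undefine(info, attachment_id):
    """Disconnect: only a per-attachment secret is owned by this attachment
    and removed; the shared static secret must stay for other attachments."""
    if "secret_uuid" in info:
        return []
    return [secret_uuid_for(info, attachment_id)]
```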

Comment 2 Yaniv Kaul 2021-07-19 09:17:16 UTC
Have we discussed this with the Ceph team, to understand the scale limits they may have?

Comment 3 Lee Yarwood 2021-07-19 09:19:48 UTC
(In reply to Yaniv Kaul from comment #2)
> Have we discussed this with the Ceph team, to understand the scale limits
> they may have?

That's something for the storage folks to discuss in bug #1877288, as they would control that interaction with Ceph; Nova just plumbs things in on the compute via libvirt.

Comment 4 Artom Lifshitz 2022-10-04 15:50:30 UTC
While this would be nice to have, there is no pressing requirement to put in the effort to implement this. Closing as WONTFIX for now.