Bug 1973356

Summary: [RFE] Change manila ceph client user capabilities for OSP 17
Product: Red Hat OpenStack Reporter: Goutham Pacha Ravi <gouthamr>
Component: tripleo-ansibleAssignee: Francesco Pantano <fpantano>
Status: CLOSED ERRATA QA Contact: lkuchlan <lkuchlan>
Severity: high Docs Contact:
Priority: high    
Version: 17.0 (Wallaby)CC: gcharot, gfidente, gouthamr, jamsmith, lkuchlan, mariel, nlevinki, rheslop, spower, vhariria, vimartin
Target Milestone: AlphaKeywords: FutureFeature, Triaged
Target Release: 17.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: tripleo-ansible-3.3.1-0.20210821014206.8733ac0.el8ost Doc Type: Enhancement
Doc Text:
This security enhancement reduces the user privilege level required by the OpenStack Shared File System service (manila). You no longer need permissions to create and manipulate Ceph users, because the Shared File Systems service now uses the APIs exposed by the `Ceph Manager` service for this purpose.
 Story Points: ---
Clone Of:
: 1973458 (view as bug list) Environment:
Last Closed: 2022-09-21 12:16:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1767084    
Bug Blocks:    

Description Goutham Pacha Ravi 2021-06-17 16:45:48 UTC 
Description of problem:

The manila CephFS drivers (Native CephFS and CephFS-via-NFS-Ganesha) saw a major revamp in the wallaby release. They now interact with Ceph clusters via the Ceph Manager "Volumes" interface. To do this, the ceph client user configured for manila no longer needs to be as permissive as it was in the past. 


Old Capabilities: https://opendev.org/openstack/tripleo-ansible/src/commit/4ce6fda21b08bfcb8cfa319e7522fb9eb19c0178/tripleo_ansible/roles/tripleo_ceph_work_dir/tasks/build_keys.yml#L39-L45


New Capabilities required are documented here:
https://docs.openstack.org/manila/latest/admin/cephfs_driver.html#authorizing-the-driver-to-communicate-with-ceph


Fixing these capabilities will make our deployments more secure and prevent any abuse via the manila service ceph client user. 


Version-Release number of selected component (if applicable): 17
Comment 1 Goutham Pacha Ravi 2021-06-17 16:57:28 UTC 
*** Bug 1973355 has been marked as a duplicate of this bug. ***
Comment 7 lkuchlan 2022-07-25 12:03:17 UTC 
From cephadm-extra-vars-ansible.yml
===================================
tripleo_cephadm_keys: [{'name': 'client.openstack', 'key': 'AQA+S91iAAAAABAAtezM/9nA2W4mvEQOCHEyUw==', 'mode': '0600', 'caps': {'mgr': 'allow *', 'mon': 'profile rbd', 'osd': 'profile rbd pool=vms, profile rbd pool=volumes, profile rbd pool=images, profile rbd pool=backups'}}, {'name': 'client.radosgw', 'key': 'AQA+S91iAAAAABAAqj/LlUtXyFXPaeR4624CrQ==', 'mode': '0600', 'caps': {'mgr': 'allow *', 'mon': 'allow rw', 'osd': 'allow rwx'}}, {'name': 'client.manila', 'key': 'AQA+S91iAAAAABAAsIfPZW0zeCtOiVI9rjCWZQ==', 'mode': '0600', 'caps': {'mgr': 'allow rw', 'mon': 'allow r', 'osd': 'allow rw pool manila_data'}}]
Comment 12 errata-xmlrpc 2022-09-21 12:16:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543