Bug 1973458

Summary: [OSP 16.2] Change manila ceph client user capabilities for OSP 16.x
Product: Red Hat OpenStack
Reporter: Victoria Martinez de la Cruz <vimartin>
Component: tripleo-ansible
Assignee: Francesco Pantano <fpantano>
Status: CLOSED WONTFIX
QA Contact: lkuchlan <lkuchlan>
Severity: medium
Priority: medium
Version: 16.2 (Train)
CC: fpantano, gfidente, gouthamr, jhakimra, kecarter, lkuchlan, tbarron, vhariria, vimartin
Target Milestone: z2
Keywords: FeatureBackport, Triaged
Target Release: ---
Hardware: All
OS: All
Doc Type: Enhancement
Clone Of: 1973356
Last Closed: 2021-08-18 09:49:58 UTC
Bug Depends On: 1973456

Description Victoria Martinez de la Cruz 2021-06-17 21:16:34 UTC
+++ This bug was initially created as a clone of Bug #1973356 +++

Description of problem:

The manila CephFS drivers (Native CephFS and CephFS-via-NFS-Ganesha) saw a major revamp in the Wallaby release. They now interact with Ceph clusters via the Ceph Manager "Volumes" interface. To do this, the ceph client user configured for manila no longer needs to be as permissive as it was in the past.

Old Capabilities: https://opendev.org/openstack/tripleo-ansible/src/commit/4ce6fda21b08bfcb8cfa319e7522fb9eb19c0178/tripleo_ansible/roles/tripleo_ceph_work_dir/tasks/build_keys.yml#L39-L45

New Capabilities required are documented here:
https://docs.openstack.org/manila/latest/admin/cephfs_driver.html#authorizing-the-driver-to-communicate-with-ceph

Fixing these capabilities will make our deployments more secure and prevent any abuse via the manila service ceph client user.
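The least-privilege point in the description, as an added example that is not part of the bug, of tripleo-ansible or of manila: a small Python audit that parses a keyring export (the format `ceph auth get client.manila` prints) and flags every capability beyond the minimum the Wallaby-era manila CephFS drivers are documented to need. The `REQUIRED_CAPS` values (mon `allow r`, mgr `allow rw`) are taken from the manila admin guide linked above as this example understands it and should be checked against that page before use; the legacy keyring sample is constructed to resemble the old tripleo-ansible grant and is not copied from the page, and the helper names are this example's own.

```python
import re

# Minimum capabilities for the manila ceph client once the drivers talk to
# Ceph only through the mgr "Volumes" interface. Assumption taken from the
# manila cephfs_driver admin doc linked in the bug; verify against it.
REQUIRED_CAPS = {"mon": "allow r", "mgr": "allow rw"}

# Constructed sample in `ceph auth get` / keyring format, modelled on the
# pre-Wallaby tripleo grant. The key is a placeholder, not a real secret.
LEGACY_KEYRING = '''[client.manila]
\tkey = AQDPLACEHOLDERKEYNOTREAL==
\tcaps mds = "allow *"
\tcaps mgr = "allow *"
\tcaps mon = "allow r, allow command \\"auth del\\", allow command \\"auth caps\\", allow command \\"auth get\\", allow command \\"auth get-or-create\\""
\tcaps osd = "allow rw"
'''

# Constructed sample of what the same entity looks like after tightening.
MINIMAL_KEYRING = '''[client.manila]
\tkey = AQDPLACEHOLDERKEYNOTREAL==
\tcaps mgr = "allow rw"
\tcaps mon = "allow r"
'''


def parse_keyring(text):
    """Return {entity: {service: capstring}} from keyring-format text.

    Handles the backslash-escaped quotes that appear inside `allow command`
    grants when Ceph exports an entity's caps.
    """
    entities = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(\S+)\]", line)
        if section:
            current = section.group(1)
            entities[current] = {}
            continue
        cap = re.fullmatch(r'caps\s+(\w+)\s*=\s*"(.*)"', line)
        if cap and current is not None:
            entities[current][cap.group(1)] = cap.group(2).replace('\\"', '"')
    return entities


def excess_caps(caps, required=REQUIRED_CAPS):
    """List (service, reason) for every grant wider than the documented minimum.

    Comparison is exact: a grant that differs from the minimum string at all
    (e.g. `allow *` where `allow rw` is enough) is reported for review.
    """
    findings = []
    for service, grant in sorted(caps.items()):
        want = required.get(service)
        if want is None:
            findings.append((service, f"service not needed at all (granted {grant!r})"))
        elif grant.strip() != want:
            findings.append((service, f"granted {grant!r}, minimum is {want!r}"))
    return findings


def missing_caps(caps, required=REQUIRED_CAPS):
    """Services the driver needs that the entity has no grant for."""
    return sorted(s for s in required if s not in caps)


def audit(text, entity="client.manila"):
    """Audit one entity in a keyring export against REQUIRED_CAPS."""
    caps = parse_keyring(text).get(entity, {})
    return {"excess": excess_caps(caps), "missing": missing_caps(caps)}


def remediation_command(entity="client.manila", required=REQUIRED_CAPS):
    """Build the `ceph auth caps` call that re-grants only the minimum set.

    Re-check with `ceph auth get <entity>` afterwards that no other service
    grants remain.
    """
    grants = " ".join(f"{svc} '{grant}'" for svc, grant in sorted(required.items()))
    return f"ceph auth caps {entity} {grants}"


if __name__ == "__main__":
    for label, keyring in (("legacy", LEGACY_KEYRING), ("minimal", MINIMAL_KEYRING)):
        result = audit(keyring)
        print(f"{label}: excess={result['excess']} missing={result['missing']}")
    print("fix:", remediation_command())
```

Run it against a real export with `ceph auth get client.manila | python3 audit.py` after replacing the constructed samples with `sys.stdin.read()`; the exact-string comparison is deliberate, so anything other than the documented minimum is surfaced for a human to judge rather than silently accepted as a subset.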