Bug 1996829
| Summary: | Permissions assigned to ceph auth principals when using external storage are too broad | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | Lars Kellogg-Stedman <lars> |
| Component: | rook | Assignee: | Parth Arora <paarora> |
| Status: | CLOSED ERRATA | QA Contact: | Vijay Avuthu <vavuthu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.8 | CC: | bniver, gmeno, madam, mrajanna, muagarwa, nberry, ocs-bugs, odf-bz-bot, paarora, rcyriac, shan, sostapov, tnielsen |
| Target Milestone: | --- | ||
| Target Release: | ODF 4.11.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 4.10.0-113 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-08-24 13:48:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Based on request from engineering, the 'installation' component has been deprecated Parth Can you take a look? Please add doc text As decided we will not be exposing this feature to customers by any documentation, because of QE and doc team limitations at this point of time. And it is okay to keep it in the build because it's an optional feature. Thanks! Moving to 4.11 as the verification is still pending for the core product Verified with ocs-registry:4.11.0-113 Job: https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/14657/console 2022-07-15 12:24:33 06:54:33 - MainThread - ocs_ci.utility.connection - INFO - Executing cmd: python3 /tmp/external-cluster-details-exporter-hdkjadkg.py --rbd-data-pool-name rbd --rgw-endpoint 10.1.xxx.xx7:8080 --cluster-name vavuthu2-1996829 --cephfs-filesystem-name cephfs --restricted-auth-permission true on 10.1.xxx.xx9 csi users: ========== client.csi-cephfs-node-vavuthu2-1996829-cephfs key: AQApD9FiAo8pFBAA7nUkaEgvgeSupWvsZvkfOg== caps: [mds] allow rw caps: [mgr] allow rw caps: [mon] allow r, allow command 'osd blocklist' caps: [osd] allow rw tag cephfs *=cephfs client.csi-cephfs-provisioner-vavuthu2-1996829-cephfs key: AQApD9FiODzTFBAAiv17o1f8rPClrQz8jXjZpQ== caps: [mgr] allow rw caps: [mon] allow r, allow command 'osd blocklist' caps: [osd] allow rw tag cephfs metadata=cephfs client.csi-rbd-node-vavuthu2-1996829-rbd key: AQApD9FiGf3cEhAAF5r1AI5uJkP5LzkNZa3WDg== caps: [mon] profile rbd, allow command 'osd blocklist' caps: [osd] profile rbd pool=rbd client.csi-rbd-provisioner-vavuthu2-1996829-rbd key: AQApD9FimUGDExAA36F7aTLzJzsvQnCFveVPzQ== caps: [mgr] allow rw caps: [mon] profile rbd, allow command 'osd blocklist' caps: [osd] profile rbd pool=rbd $ oc -n openshift-storage get StorageClass ocs-external-storagecluster-cephfs -n openshift-storage -o yaml allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass . . . parameters: clusterID: openshift-storage csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner-vavuthu2-1996829-cephfs csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node-vavuthu2-1996829-cephfs csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner-vavuthu2-1996829-cephfs csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage fsName: cephfs pool: cephfs_data provisioner: openshift-storage.cephfs.csi.ceph.com reclaimPolicy: Delete volumeBindingMode: Immediate $ oc -n openshift-storage get StorageClass ocs-external-storagecluster-ceph-rbd -n openshift-storage -o yaml allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass . . . parameters: clusterID: openshift-storage csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner-vavuthu2-1996829-rbd csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage csi.storage.k8s.io/fstype: ext4 csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node-vavuthu2-1996829-rbd csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner-vavuthu2-1996829-rbd csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage imageFeatures: layering,deep-flatten,exclusive-lock,object-map,fast-diff imageFormat: "2" pool: rbd provisioner: openshift-storage.rbd.csi.ceph.com reclaimPolicy: Delete volumeBindingMode: Immediate Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6156 |
The `ceph-external-cluster-details-exporter.py` creates several authentication principals in the target cluster. The permissions assigned to these principals are too broad; they should be scoped to the specific resources that will be used by the cluster. That is, instead of: ceph auth add client.csi-rbd-provisioner \ mgr "allow rw" \ mon "profile rbd" \ osd "profile rbd" We should be creating something like: ceph auth add client.csi-rbd-provisioner \ mgr "allow rw" \ mon "profile rbd" \ osd "profile rbd pool=mycluster-rbd-pool" When the external Ceph cluster provides service to clients other than OpenShift cluster, the broad default permissions pose both a security and maintenance risk (e.g., an administrator accidentally deleting objects from the wrong rbd pool).