Bug 1119995 - [RFE][cinder]: Introduce secure NFS environment support for Cinder
Summary: [RFE][cinder]: Introduce secure NFS environment support for Cinder
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: z5
: 7.0 (Kilo)
Assignee: Eric Harney
QA Contact: Yogev Rabl
URL: https://blueprints.launchpad.net/cind...
Whiteboard: upstream_milestone_next upstream_defi...
Depends On:
Reported: 2014-07-16 04:08 UTC by RHOS Integration
Modified: 2016-04-26 21:46 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2016-01-26 16:14:53 UTC


System ID Priority Status Summary Last Updated
OpenStack gerrit 107693 None None None Never

Description RHOS Integration 2014-07-16 04:08:34 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/cinder/+spec/secure-nfs.


The current Cinder NFS model requires root level access and wide open file permissions, creating an insecure NFS environment. This blueprint proposes Cinder modifications to enable the OpenStack user to set up a secure NFS environment wherein root access to the NFS server (backend storage) is squashed, the Cinder NFS process does not run as root, but rather as the configured "stack" user, and NFS file permissions are set to owner and group access only.

This proposal removes root level execution from Cinder when it is performing RemoteFS-based operations. It sets file permissions to 660 rather than 666 and would implement a configuration flag to allow the OpenStack administrator to control whether the new, more strict, permissions are used or to continue using the wide open permissions. The implementation will also require a modification to the emulation service (e.g., qemu) to specify that it run as the stack user and that it not change file ownership: this allows the NFS client-server secure environment operations.

Specification URL (additional information):
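
An added example, not part of the original bug report or of Cinder's code: a Python audit that walks a mounted NFS share and flags volume files whose mode grants access to "other" (for example 666 rather than the 660 proposed above) or that are owned by root. The function name `audit_volume_files` and the default mount path are assumptions made for illustration.

```python
import os
import stat
import sys

OTHER_BITS = stat.S_IRWXO  # any read/write/execute bit for "other"


def audit_volume_files(share_path):
    """Return {path: [issues]} for regular files under share_path.

    Flags files that anyone outside owner/group can access (e.g. 666
    instead of 660) and files owned by root.
    """
    findings = {}
    for root, _dirs, files in os.walk(share_path):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks off the share
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if mode & OTHER_BITS:
                issues.append(f"other-access: mode {mode:04o}, "
                              f"strict mode would be {mode & ~OTHER_BITS:04o}")
            if st.st_uid == 0:
                issues.append("root-owned")
            if issues:
                findings[path] = issues
    return findings


if __name__ == "__main__":
    # Assumed default mount point; pass the real share mount as argv[1].
    share = sys.argv[1] if len(sys.argv) > 1 else "/mnt/cinder-nfs"
    report = audit_volume_files(share)
    for path, issues in sorted(report.items()):
        for issue in issues:
            print(f"{path}: {issue}")
    sys.exit(1 if report else 0)
```

The script exits non-zero when any file is flagged, so it can run as a periodic check on the host that mounts the share.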


Comment 8 Lon Hohberger 2016-01-26 16:14:53 UTC
This was resolved by openstack-cinder-2015.1.2-5.el7ost, available from the OpenStack 7 repository.
