Cloned from launchpad blueprint https://blueprints.launchpad.net/cinder/+spec/secure-nfs.
The current Cinder NFS model requires root-level access and wide-open file permissions, creating an insecure NFS environment. This blueprint proposes Cinder modifications that enable the OpenStack user to set up a secure NFS environment in which root access to the NFS server (backend storage) is squashed, the Cinder NFS process runs not as root but as the configured "stack" user, and NFS file permissions are set to owner and group access only.
This proposal removes root-level execution from Cinder for RemoteFS-based operations. It sets file permissions to 660 rather than 666 and would implement a configuration flag that lets the OpenStack administrator choose between the new, stricter permissions and the existing wide-open permissions. The implementation will also require a modification to the emulation service (e.g., qemu) to specify that it run as the stack user and that it not change file ownership; this allows the secure NFS client-server environment to operate.
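An administrator moving a share to the stricter mode may want to find volume files that still carry the legacy 666 permissions or an unexpected owner. The following is an added example, not Cinder's own code: the function names, the temporary directory standing in for the NFS mount point, and the sample file names are all assumptions made for illustration.

```python
import os
import stat
import tempfile

SECURE_MODE = 0o660    # owner and group read/write only (the blueprint's target)
OTHER_BITS = 0o007     # any access for "other", as granted by the legacy 666 mode


def audit_volume_files(share_dir, expected_uid=None):
    """Return sorted (relative_path, problem) pairs for regular files under share_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(share_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, share_dir)
            mode = stat.S_IMODE(st.st_mode)
            if mode & OTHER_BITS:
                findings.append((rel, "world-accessible mode %o" % mode))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((rel, "owned by uid %d" % st.st_uid))
    return sorted(findings)


def tighten(share_dir):
    """Strip the 'other' bits from every flagged file; return how many were changed."""
    changed = 0
    for rel, _problem in audit_volume_files(share_dir):
        path = os.path.join(share_dir, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~OTHER_BITS)   # 666 becomes 660
        changed += 1
    return changed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:   # constructed stand-in for the NFS mount
        for name, mode in (("volume-legacy", 0o666), ("volume-secure", SECURE_MODE)):
            path = os.path.join(share, name)
            open(path, "w").close()
            os.chmod(path, mode)
        print(audit_volume_files(share, expected_uid=os.getuid()))
        print(tighten(share), "file(s) tightened")
        print(audit_volume_files(share))
```

Pass the uid of the account the Cinder volume service runs as (the "stack" user in this blueprint) as `expected_uid` to also catch files left owned by root.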
Specification URL (additional information):
This was resolved by openstack-cinder-2015.1.2-5.el7ost, available from the OpenStack 7 repository.