The Ceph documentation states that clients should use "allow r" mon caps[1][2][3], which will grant full read access to all config-keys stored in the monitor -- including the LUKS encryption keys for OSD. This is in contrast to the original dm-crypt key management feature[4], which indicates that these keys should be restricted to only the lockbox user.

Upstream Documentation:
[1] http://docs.ceph.com/docs/master/cephfs/client-auth/
[2] http://docs.ceph.com/docs/emperor/rados/operations/authentication/#add-a-key
[3] http://docs.ceph.com/docs/master/rados/operations/user-management/#add-a-user
[4] https://tracker.ceph.com/projects/ceph/wiki/Osd_-_simple_ceph-mon_dm-crypt_key_management
External References: https://ceph.com/releases/13-2-4-mimic-released
Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1665972]
upstream fix https://github.com/ceph/ceph/commit/a2acedd2a7e12d58af6db35edbd8a9d29c557578
This issue has been addressed in the following products:
Red Hat Ceph Storage 3.3
Via RHSA-2019:2538 https://access.redhat.com/errata/RHSA-2019:2538
This issue has been addressed in the following products:
Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7
Via RHSA-2019:2541 https://access.redhat.com/errata/RHSA-2019:2541
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-14662
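
Added example, not part of the original bug report or of Ceph's own code: an audit that lists every entity whose mon caps contain an unqualified read grant such as "allow r", the cap the report ties to config-key exposure. The JSON layout of `ceph auth ls --format json`, the lockbox entity name and its cap string are assumptions, and the sample data is constructed.

```python
import json
import re

# Constructed sample, shaped like `ceph auth ls --format json` output (layout assumed).
SAMPLE_AUTH_DUMP = json.dumps({"auth_dump": [
    {"entity": "client.admin", "caps": {"mon": "allow *", "osd": "allow *"}},
    {"entity": "client.cephfs-user",
     "caps": {"mon": "allow r", "osd": "allow rw pool=data"}},
    {"entity": "client.osd-lockbox.00000000-0000-0000-0000-000000000000",
     "caps": {"mon": 'allow command "config-key get" with '
                     'key="dm-crypt/osd/00000000-0000-0000-0000-000000000000/luks"'}},
    {"entity": "client.backup",
     "caps": {"mon": 'allow rw, allow command "osd blacklist"'}},
    {"entity": "osd.0", "caps": {"mon": "allow profile osd", "osd": "allow *"}},
]})

# A grant with no service, command or profile qualifier: "allow r", "allow rwx", "allow *".
BARE_GRANT = re.compile(r"^allow\s+([rwx]+|\*)$")
# Split on "," or ";" only when outside double quotes.
GRANT_SEP = re.compile(r'[,;](?=(?:[^"]*"[^"]*")*[^"]*$)')


def broad_read_grants(mon_caps):
    """Return the unqualified grants in a mon cap string that include read."""
    hits = []
    for grant in (g.strip() for g in GRANT_SEP.split(mon_caps)):
        m = BARE_GRANT.match(grant)
        if m and (m.group(1) == "*" or "r" in m.group(1)):
            hits.append(grant)
    return hits


def audit(auth_json):
    """List (entity, grant) pairs whose mon caps give blanket read access.

    Profiles and service-scoped grants are not evaluated; review those by hand.
    """
    findings = []
    for entry in json.loads(auth_json)["auth_dump"]:
        mon_caps = entry.get("caps", {}).get("mon", "")
        findings.extend((entry["entity"], g) for g in broad_read_grants(mon_caps))
    return findings


if __name__ == "__main__":
    for entity, grant in audit(SAMPLE_AUTH_DUMP):
        print(f"{entity}: blanket mon read via '{grant}'")
```

On a live cluster, pass the real auth dump to `audit()` in place of the sample and compare the findings against the entities that are expected to hold administrative access.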