
Bug 1656263

Summary: Security issue - cephfs keyring
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Jos Collin <jcollin>
Component: Documentation
Assignee: Ranjini M N <rmandyam>
Status: CLOSED CURRENTRELEASE
QA Contact: Yogesh Mane <ymane>
Severity: low
Docs Contact: Aron Gunn <agunn>
Priority: medium
Version: 3.1
CC: agunn, asriram, dn-infra-peta-pers, jbrier, kdreyer, mmurthy, rmandyam, ymane
Target Milestone: z4
Flags: rmandyam: needinfo-
Target Release: 3.3
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2020-04-21 13:30:21 UTC
Type: Bug
Bug Blocks: 1809203

Description Jos Collin 2018-12-05 05:13:39 UTC
Description of problem:
The customer reports -
CephFS documentation [1] is not clear enough that every cephfs keyring should **only** allow cephfs client's writes to the cephfs data pool(s). Failing to do so could potentially lead to disastrous consequences.

Here is the related part of the CephFS documentation:
"To restrict the client to only mount and work within a certain directory:"  <------- this has the admin thinking that the keyring will only allow cephfs access, but it actually allows any other kind of write, including destructive ones, on any pool in the cluster.

"To restrict the client to only write to and read from a particular pool in the cluster:" <------- this looks like this part is optional.

[1] https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/ceph_file_system_guide/index#creating-ceph-file-system-client-users

Version-Release number of selected component (if applicable):
RHCS3.1

How reproducible:
Always

Additional info:
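
An added example (not part of the original report or of the Red Hat documentation): a small Python audit that reads keyring-format text, as printed by `ceph auth get`, and lists CephFS clients whose OSD capabilities are not limited to a pool, which is the gap the report describes. The entity names, pool name and paths in the sample are constructed, and the `pool`/`tag` scope check is a simplifying assumption about the capability grammar.

```python
import re

# Constructed sample in keyring format; entity names, pool name and paths are
# made up for illustration and the keys are placeholders.
SAMPLE_KEYRING = '''\
[client.dir-only]
	key = <placeholder>
	caps mds = "allow r, allow rw path=/projects"
	caps mon = "allow r"
	caps osd = "allow rw"
[client.pool-bound]
	key = <placeholder>
	caps mds = "allow r, allow rw path=/projects"
	caps mon = "allow r"
	caps osd = "allow rw pool=cephfs_data"
[client.mixed]
	key = <placeholder>
	caps mds = "allow rw"
	caps mon = "allow r"
	caps osd = "allow rw pool=cephfs_data, allow rwx"
'''

# Assumption: a grant is pool-scoped if it names a pool or a pool tag.
SCOPE = re.compile(r"\b(pool|tag)\b")

def parse_keyring(text):
    """Return {entity: {daemon: caps string}} from keyring-formatted text."""
    entities, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = entities.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r'caps (\w+) = "(.*)"', line)):
            current[m.group(1)] = m.group(2)
    return entities

def unscoped_osd_grants(osd_caps):
    """OSD grants that name no pool (or pool tag) and so apply to every pool."""
    grants = [g.strip() for g in re.split(r"[,;]", osd_caps) if g.strip()]
    return [g for g in grants if g.startswith("allow") and not SCOPE.search(g)]

def audit(text):
    """Map each CephFS client (one with MDS caps) to its cluster-wide OSD grants."""
    findings = {}
    for entity, caps in parse_keyring(text).items():
        if "mds" in caps and (bad := unscoped_osd_grants(caps.get("osd", ""))):
            findings[entity] = bad
    return findings

if __name__ == "__main__":
    for entity, grants in audit(SAMPLE_KEYRING).items():
        print(f"{entity}: OSD caps not limited to a pool: {grants}")
```

A path restriction in the MDS caps does not change the result: `client.dir-only` is flagged because its OSD grant names no pool.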

Comment 3 John Brier 2018-12-06 17:00:44 UTC
Thanks for the report Jos.

We'll take a look and let you know what we can do to address this issue.

Comment 4 Giridhar Ramaraju 2019-08-05 13:11:10 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 5 Giridhar Ramaraju 2019-08-05 13:12:11 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri