Bug 1734513 - all users have access to read ceph manager client keyring files
Summary: all users have access to read ceph manager client keyring files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Ceph-Ansible
Version: 3.3
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z2
Target Release: 3.3
Assignee: Guillaume Abrioux
QA Contact: Ameena Suhani S H
URL:
Whiteboard:
Depends On:
Blocks: 1578730
Reported: 2019-07-30 18:01 UTC by Yogev Rabl
Modified: 2019-12-19 17:59 UTC
CC: 11 users

Fixed In Version: RHEL: ceph-ansible-3.2.36-1.el7cp Ubuntu: ceph-ansible_3.2.36-2redhat1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-19 17:59:09 UTC
Embargoed:


Attachments
Ansible logs (5.40 MB, text/plain)
2019-11-12 07:11 UTC, Ameena Suhani S H

Links
Github ceph/ceph-ansible pull 4471 (closed): mon: use ceph_key module for containerized mgr keyring creation (last updated 2021-02-05 12:27:52 UTC)
Github ceph/ceph-ansible pull 4736 (closed): ceph_key: restore file mode after a key is fetched (last updated 2021-02-05 12:27:52 UTC)
Red Hat Product Errata RHSA-2019:4353 (last updated 2019-12-19 17:59:28 UTC)

Description Yogev Rabl 2019-07-30 18:01:36 UTC
Description of problem:
In a containerized deployment of Ceph the permissions are set wrong, enabling all users in the OS to read the ceph.mgr keyrings:

-rw-------. 1 ceph ceph  161 Jul 18 19:04 ceph.client.admin.keyring
-rw-------. 1 ceph ceph  268 Jul 18 19:12 ceph.client.manila.keyring
-rw-------. 1 ceph ceph  253 Jul 18 19:12 ceph.client.openstack.keyring
-rw-------. 1 ceph ceph  134 Jul 18 19:12 ceph.client.radosgw.keyring
-rw-r--r--. 1 root root 1546 Jul 18 19:04 ceph.conf
-rw-r--r--. 1 root root   67 Jul 18 19:05 ceph.mgr.controller-0.keyring
-rw-r--r--. 1 root root   67 Jul 18 19:05 ceph.mgr.controller-1.keyring
-rw-r--r--. 1 root root   67 Jul 18 19:04 ceph.mgr.controller-2.keyring
-rw-------. 1 ceph ceph  690 Jul 18 19:04 ceph.mon.keyring
-rw-r--r--. 1 root root   92 Aug  3  2018 rbdmap

With a non-containerized deployment the permissions are different:
-rw-------. 1 ceph ceph  63 Jul 17 11:50 ceph.client.admin.keyring
-rw-r--r--. 1 ceph ceph 997 Jul 17 11:49 ceph.conf
-rw-------. 1 ceph ceph 139 Jul 18 12:22 ceph.mgr.cephserver1.keyring
-rw-------. 1 ceph ceph 139 Jul 18 12:22 ceph.mgr.cephserver2.keyring
-rw-------. 1 ceph ceph 139 Jul 18 12:22 ceph.mgr.cephserver3.keyring
-rw-r--r--. 1 root root  92 Apr 25 17:34 rbdmap


Version-Release number of selected component (if applicable):
ceph-ansible-3.2.15-1.el7cp.noarch

How reproducible:
unknown

Steps to Reproduce:
1. Deploy containerized ceph with TripleO in the Overcloud


Actual results:
The permissions are too permissive

Expected results:
The permissions should be only rw to the ceph user

Additional info:

Comment 4 Ameena Suhani S H 2019-11-12 07:11:34 UTC
Created attachment 1635197 [details]
Ansible logs

Hi,
I tried with ceph-ansible-3.2.34-1.el7cp.noarch. The issue is still seen.

# ls -la /etc/ceph/

-rw-r--r--.   1 root root   447 Nov 11 16:12 ceph.conf
-rw-r--r--.   1 root root   139 Nov 12 05:14 ceph.mgr.magna124.keyring
-rw-r--r--.   1 root root   139 Nov 12 05:14 ceph.mgr.magna125.keyring
-rw-r--r--.   1 root root   139 Nov 12 05:14 ceph.mgr.magna126.keyring
-rw-------.   1  167  167   690 Nov 11 16:12 ceph.mon.keyring

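An added host-side audit check for the condition described in the report and re-confirmed in comment 4 (example code, not from the reporter or from ceph-ansible): it lists every keyring under /etc/ceph whose mode leaves group/other bits set, or whose owner is not the ceph account, which is exactly the state the listings above show for the ceph.mgr.*.keyring files. It assumes GNU stat(1) and that the ceph account is uid/gid 167, the numeric owner shown in comment 4's listing; both are assumptions, so pass the expected uid/gid explicitly where they differ.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of the bug report or of ceph-ansible.
# Flags Ceph keyring files that other local users could read: mode with
# any group/other bit set (e.g. 0644) and/or owned by someone other than
# the ceph account. Assumes GNU stat(1); the default uid/gid 167 for the
# ceph account is an assumption taken from the listing in comment 4.

# check_keyring_perms DIR [UID] [GID]
# Prints "<path> mode=<octal> owner=<uid>:<gid> <reasons>" for each keyring
# that is not 0600 and owned by UID:GID. Returns 0 if all are clean, 1 otherwise.
check_keyring_perms() {
    dir="${1:-/etc/ceph}"; want_uid="${2:-167}"; want_gid="${3:-167}"
    bad=0
    for f in "$dir"/*.keyring; do
        [ -e "$f" ] || continue            # glob did not match: nothing to audit
        set -- $(stat -c '%a %u %g' "$f")  # octal mode, numeric uid, numeric gid
        mode=$1; uid=$2; gid=$3
        reasons=""
        # The last two octal digits are the group and other bits; anything but
        # "00" means a user other than the owner can open the keyring.
        case "$mode" in
            *00|0) ;;
            *)     reasons="group/other-bits-set" ;;
        esac
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            reasons="${reasons:+$reasons,}unexpected-owner"
        fi
        if [ -n "$reasons" ]; then
            printf '%s mode=%s owner=%s:%s %s\n' "$f" "$mode" "$uid" "$gid" "$reasons"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use as a post-deployment check, e.g.:
#   ./check_keyrings.sh /etc/ceph 167 167   (exit status 1 on findings)
if [ "$#" -gt 0 ]; then
    check_keyring_perms "$@"
fi
```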
Comment 13 errata-xmlrpc 2019-12-19 17:59:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:4353

