Bug 1877288 - [OSP 17][RFE][rbd] Create a unique rbd user for each host volume attachment
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 17.0 (Wallaby)
Priority: medium
Severity: medium
Assignee: Eric Harney
QA Contact: Evelina Shames
Docs Contact: RHOS Documentation Team
Blocks: 1877289
Reported: 2020-09-09 10:05 UTC by Lee Yarwood
Modified: 2023-10-23 11:02 UTC (History)

Clones: 1877289




Links: Red Hat Issue Tracker OSP-2163 (last updated 2021-11-18 15:18:49 UTC)

Description Lee Yarwood 2020-09-09 10:05:15 UTC
Description of problem:

The current implementation of the rbd volume driver provides a static auth_username and shared (already configured on the computes) static secret_uuid in the connection_info for each volume. There is also legacy support in the computes for pulling these values from the local nova.conf but these should be overridden by the above connection_info c-vol provided values for all but legacy volumes at present.

This essentially means that all rbd volumes in an environment are connected to using the same credentials across all instances. This can become an issue if a single instance is compromised through a QEMU vulnerability such as:

CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets
https://bugzilla.redhat.com/show_bug.cgi?id=1869201

This could give an attacker access to all volumes in an environment.

This RFE looks to improve this situation by having the rbd c-vol driver create a unique rbd user per attachment (not volume), providing that user via auth_username and dropping the secret_uuid field entirely from connection_info.

n-cpu will then need to fetch the user keyring on the compute and create a unique libvirt secret for the attachment when connecting the volume and clean up while disconnecting. I'll clone this RFE against openstack-nova shortly to cover this part of the implementation.

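An added example, not code from the report or from cinder/nova, that audits a set of attachments' connection_info for the situation described above: the same auth_username/secret_uuid pair handed out to more than one instance, plus attachments that still rely on the legacy nova.conf fallback. The sample attachments, the placeholder secret UUID and the cinder-att-* user name are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data for this example (not from the report): the
# connection_info['data'] each attachment receives from c-vol.
SHARED_SECRET = "00000000-0000-4000-8000-000000000001"  # placeholder UUID
SAMPLE_ATTACHMENTS = [
    {"instance": "inst-a", "volume": "vol-1",
     "data": {"auth_username": "openstack", "secret_uuid": SHARED_SECRET}},
    {"instance": "inst-a", "volume": "vol-2",
     "data": {"auth_username": "openstack", "secret_uuid": SHARED_SECRET}},
    {"instance": "inst-b", "volume": "vol-3",
     "data": {"auth_username": "openstack", "secret_uuid": SHARED_SECRET}},
    # Legacy-style attachment: credentials come from the compute's nova.conf
    {"instance": "inst-c", "volume": "vol-4", "data": {}},
    # Per-attachment user as the RFE proposes: unique user, no secret_uuid
    # (the user name is a constructed placeholder)
    {"instance": "inst-d", "volume": "vol-5",
     "data": {"auth_username": "cinder-att-5f1c"}},
]


def credential_key(attachment):
    """Return the (auth_username, secret_uuid) pair c-vol handed out, or
    None when connection_info carries no credentials (legacy fallback)."""
    data = attachment.get("data", {})
    if "auth_username" not in data:
        return None
    return (data["auth_username"], data.get("secret_uuid"))


def find_shared_credentials(attachments):
    """Map each credential pair to the sorted list of distinct instances
    using it, keeping only pairs reused across more than one instance.
    A compromise of any one of those guests exposes every volume in the list."""
    users = defaultdict(set)
    for att in attachments:
        key = credential_key(att)
        if key is not None:
            users[key].add(att["instance"])
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}


def find_legacy_attachments(attachments):
    """Attachments whose connection_info carries no rbd credentials, so the
    compute falls back to the static values in its local nova.conf."""
    return [(a["instance"], a["volume"]) for a in attachments
            if credential_key(a) is None]


if __name__ == "__main__":
    for key, insts in find_shared_credentials(SAMPLE_ATTACHMENTS).items():
        print(f"user={key[0]} secret_uuid={key[1]} shared by {insts}")
    print("legacy (nova.conf) attachments:",
          find_legacy_attachments(SAMPLE_ATTACHMENTS))
```
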
Comment 2 Gregory Charot 2022-01-03 16:53:05 UTC
Removing the rhos-18, this RFE will be revisited in a later release.
