Description of problem: The manila CephFS drivers (Native CephFS and CephFS-via-NFS-Ganesha) saw a major revamp in the wallaby release. They now interact with Ceph clusters via the Ceph Manager "Volumes" interface. To do this, the ceph client user configured for manila no longer needs to be as permissive as it was in the past. Old Capabilities: https://opendev.org/openstack/tripleo-ansible/src/commit/4ce6fda21b08bfcb8cfa319e7522fb9eb19c0178/tripleo_ansible/roles/tripleo_ceph_work_dir/tasks/build_keys.yml#L39-L45 New Capabilities required are documented here: https://docs.openstack.org/manila/latest/admin/cephfs_driver.html#authorizing-the-driver-to-communicate-with-ceph Fixing these capabilities will make our deployments more secure and prevent any abuse via the manila service ceph client user. Version-Release number of selected component (if applicable): 17
*** Bug 1973355 has been marked as a duplicate of this bug. ***
From cephadm-extra-vars-ansible.yml =================================== tripleo_cephadm_keys: [{'name': 'client.openstack', 'key': 'AQA+S91iAAAAABAAtezM/9nA2W4mvEQOCHEyUw==', 'mode': '0600', 'caps': {'mgr': 'allow *', 'mon': 'profile rbd', 'osd': 'profile rbd pool=vms, profile rbd pool=volumes, profile rbd pool=images, profile rbd pool=backups'}}, {'name': 'client.radosgw', 'key': 'AQA+S91iAAAAABAAqj/LlUtXyFXPaeR4624CrQ==', 'mode': '0600', 'caps': {'mgr': 'allow *', 'mon': 'allow rw', 'osd': 'allow rwx'}}, {'name': 'client.manila', 'key': 'AQA+S91iAAAAABAAsIfPZW0zeCtOiVI9rjCWZQ==', 'mode': '0600', 'caps': {'mgr': 'allow rw', 'mon': 'allow r', 'osd': 'allow rw pool manila_data'}}]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543