Bug 1973458 - [OSP 16.2] Change manila ceph client user capabilities for OSP 16.x
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 16.2 (Train)
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: z2
Target Release: ---
Assignee: Francesco Pantano
QA Contact: lkuchlan
URL:
Whiteboard:
Depends On: 1973456
Blocks:
Reported: 2021-06-17 21:16 UTC by Victoria Martinez de la Cruz
Modified: 2022-04-13 12:46 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1973356
Environment:
Last Closed: 2021-08-18 09:49:58 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-5291 0 None None None 2022-04-13 12:46:48 UTC

Description Victoria Martinez de la Cruz 2021-06-17 21:16:34 UTC
+++ This bug was initially created as a clone of Bug #1973356 +++

Description of problem:

The manila CephFS drivers (Native CephFS and CephFS-via-NFS-Ganesha) saw a major revamp in the Wallaby release. They now interact with Ceph clusters via the Ceph Manager "Volumes" interface. To do this, the Ceph client user configured for manila no longer needs to be as permissive as it was in the past.

Old Capabilities: https://opendev.org/openstack/tripleo-ansible/src/commit/4ce6fda21b08bfcb8cfa319e7522fb9eb19c0178/tripleo_ansible/roles/tripleo_ceph_work_dir/tasks/build_keys.yml#L39-L45

New Capabilities required are documented here:
https://docs.openstack.org/manila/latest/admin/cephfs_driver.html#authorizing-the-driver-to-communicate-with-ceph

Fixing these capabilities will make our deployments more secure and prevent any abuse via the manila service Ceph client user.
