The `ceph-external-cluster-details-exporter.py` creates several authentication principals in the target cluster. The permissions assigned to these principals are too broad; they should be scoped to the specific resources that will be used by the cluster. That is, instead of:

ceph auth add client.csi-rbd-provisioner \
    mgr "allow rw" \
    mon "profile rbd" \
    osd "profile rbd"

We should be creating something like:

ceph auth add client.csi-rbd-provisioner \
    mgr "allow rw" \
    mon "profile rbd" \
    osd "profile rbd pool=mycluster-rbd-pool"

When the external Ceph cluster provides service to clients other than the OpenShift cluster, the broad default permissions pose both a security and maintenance risk (e.g., an administrator accidentally deleting objects from the wrong rbd pool).
Based on request from engineering, the 'installation' component has been deprecated
Parth, can you take a look?
Part of https://github.com/red-hat-storage/rook/tree/release-4.10
Please add doc text
As decided we will not be exposing this feature to customers by any documentation, because of QE and doc team limitations at this point of time. And it is okay to keep it in the build because it's an optional feature. Thanks!
Moving to 4.11 as the verification is still pending for the core product
Verified with ocs-registry:4.11.0-113

Job: https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/14657/console

2022-07-15 12:24:33 06:54:33 - MainThread - ocs_ci.utility.connection - INFO - Executing cmd: python3 /tmp/external-cluster-details-exporter-hdkjadkg.py --rbd-data-pool-name rbd --rgw-endpoint 10.1.xxx.xx7:8080 --cluster-name vavuthu2-1996829 --cephfs-filesystem-name cephfs --restricted-auth-permission true on 10.1.xxx.xx9

csi users:
==========
client.csi-cephfs-node-vavuthu2-1996829-cephfs
        key: AQApD9FiAo8pFBAA7nUkaEgvgeSupWvsZvkfOg==
        caps: [mds] allow rw
        caps: [mgr] allow rw
        caps: [mon] allow r, allow command 'osd blocklist'
        caps: [osd] allow rw tag cephfs *=cephfs
client.csi-cephfs-provisioner-vavuthu2-1996829-cephfs
        key: AQApD9FiODzTFBAAiv17o1f8rPClrQz8jXjZpQ==
        caps: [mgr] allow rw
        caps: [mon] allow r, allow command 'osd blocklist'
        caps: [osd] allow rw tag cephfs metadata=cephfs
client.csi-rbd-node-vavuthu2-1996829-rbd
        key: AQApD9FiGf3cEhAAF5r1AI5uJkP5LzkNZa3WDg==
        caps: [mon] profile rbd, allow command 'osd blocklist'
        caps: [osd] profile rbd pool=rbd
client.csi-rbd-provisioner-vavuthu2-1996829-rbd
        key: AQApD9FimUGDExAA36F7aTLzJzsvQnCFveVPzQ==
        caps: [mgr] allow rw
        caps: [mon] profile rbd, allow command 'osd blocklist'
        caps: [osd] profile rbd pool=rbd

$ oc -n openshift-storage get StorageClass ocs-external-storagecluster-cephfs -n openshift-storage -o yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
. . .
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner-vavuthu2-1996829-cephfs
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node-vavuthu2-1996829-cephfs
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner-vavuthu2-1996829-cephfs
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  fsName: cephfs
  pool: cephfs_data
provisioner: openshift-storage.cephfs.csi.ceph.com
reclaimPolicy: Delete
volumeBindingMode: Immediate

$ oc -n openshift-storage get StorageClass ocs-external-storagecluster-ceph-rbd -n openshift-storage -o yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
. . .
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner-vavuthu2-1996829-rbd
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  csi.storage.k8s.io/fstype: ext4
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node-vavuthu2-1996829-rbd
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner-vavuthu2-1996829-rbd
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  imageFeatures: layering,deep-flatten,exclusive-lock,object-map,fast-diff
  imageFormat: "2"
  pool: rbd
provisioner: openshift-storage.rbd.csi.ceph.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
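The verification output above lists each CSI principal with its caps, and the bug description explains why an osd cap without a `pool=` (or tag) restriction is the over-broad grant to avoid. As an added example, not part of this bug report, the exporter script or Rook, the following Python audit parses a `ceph auth` style listing in that format and flags every `client.csi-*` principal whose osd cap carries no pool, namespace or tag restriction. The sample listing, the placeholder keys, the cluster name `mycluster` and the pool names are constructed for the example.

```python
"""Audit a Ceph auth listing for CSI principals whose OSD caps are not scoped."""
import re

# Constructed sample in the layout of `ceph auth ls` / the exporter's "csi users"
# output: one broad principal (no pool restriction) and two restricted ones.
# Keys are placeholders, not real Ceph keys.
SAMPLE_AUTH_OUTPUT = """\
client.csi-rbd-provisioner
        key: <constructed-placeholder-key-1>
        caps: [mgr] allow rw
        caps: [mon] profile rbd
        caps: [osd] profile rbd
client.csi-rbd-node-mycluster-rbd
        key: <constructed-placeholder-key-2>
        caps: [mon] profile rbd, allow command 'osd blocklist'
        caps: [osd] profile rbd pool=mycluster-rbd-pool
client.csi-cephfs-node-mycluster-cephfs
        key: <constructed-placeholder-key-3>
        caps: [mds] allow rw
        caps: [mgr] allow rw
        caps: [mon] allow r, allow command 'osd blocklist'
        caps: [osd] allow rw tag cephfs *=cephfs
"""

# An entity line is the bare principal name; cap lines are "caps: [svc] grant".
ENTITY_RE = re.compile(r"^(client\.[\w.-]+)\s*$")
CAP_RE = re.compile(r"^\s*caps:\s*\[(\w+)\]\s*(.*)$")


def parse_auth_output(text):
    """Return {entity: {service: cap_string}} from a ceph auth listing."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = CAP_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def osd_cap_is_scoped(cap):
    """True if the OSD cap restricts access by pool, namespace or application tag.

    Ceph OSD cap grants may carry match clauses such as `pool=<name>`,
    `namespace=<ns>` or `tag <app> <key>=<value>`; a grant without any of
    them applies to every pool in the cluster.
    """
    return bool(re.search(r"\b(pool=|namespace=|tag\s+\w+\s+\S+=)", cap))


def find_overbroad_csi_users(text):
    """Return [(entity, osd_cap)] for client.csi-* principals with unscoped OSD caps."""
    findings = []
    for entity, caps in parse_auth_output(text).items():
        if not entity.startswith("client.csi-"):
            continue
        osd = caps.get("osd", "")
        if not osd_cap_is_scoped(osd):
            findings.append((entity, osd))
    return findings


if __name__ == "__main__":
    for entity, cap in find_overbroad_csi_users(SAMPLE_AUTH_OUTPUT):
        print(f"{entity}: osd cap '{cap}' is not scoped to a pool, namespace or tag")
```

Run against the real listing by piping `ceph auth ls` output into `find_overbroad_csi_users`; on the sample only `client.csi-rbd-provisioner` is reported, which matches the "before" case in the bug description, while the `pool=` and `tag cephfs` grants pass.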
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6156