TripleO deploys ceph client keyring with 644 permissions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo | Fix Released | High | Keith Schincke | | |
Bug Description
When following steps to deploy OpenStack with Ceph, either an external ceph cluster or one deployed by TripleO:
https:/
https:/
The ceph.client.
[root@
-rw-r--r--. root root system_
-rw-------. root root system_
-rw-r--r--. root root system_
-rwxr-xr-x. root root unconfined_
This means that any local user can access the ceph cluster as 'client.openstack'. Though there is no remote exploit and if there is local access to overcloud nodes there is a bigger problem, the permissions on this key could be more restrictive; e.g. 600 with ACLs set to allow users like Nova, Cinder, etc. to read the key.
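The check and the mitigation suggested in the description (mode 600 plus per-user read ACLs), as an added example that is not part of the bug report or of TripleO's own code. The function names, the `*.keyring` glob, the directory argument and the service account names passed to `harden_keyring` are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten Ceph client keyring permissions.
# Assumptions (not from the bug report): keyrings match *.keyring in the
# directory given as $1; service account names are supplied by the caller.

# Print each keyring in directory $1 that is readable by "other".
audit_keyrings() {
    for f in "$1"/*.keyring; do
        [ -f "$f" ] || continue
        # -perm -004 matches when the world-read bit is set.
        if [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Set keyring $1 to 0600, then grant read-only access to each remaining
# argument (a user name) through a POSIX ACL entry.
harden_keyring() {
    keyring=$1
    shift
    chmod 0600 "$keyring" || return 1
    for user in "$@"; do
        if ! command -v setfacl >/dev/null 2>&1; then
            echo "setfacl not found; cannot grant read access to $user" >&2
            return 1
        fi
        setfacl -m "u:${user}:r--" "$keyring" || return 1
    done
}

# Typical use (directory and account names are placeholders):
#   audit_keyrings /path/to/keyring/dir
#   harden_keyring /path/to/keyring/dir/NAME.keyring nova cinder
```

Once an ACL entry exists, the group bits shown by `ls -l` reflect the ACL mask, so the file lists as `-rw-r-----+` rather than `-rw-------`. A later plain `chmod 600` clears that mask and silently revokes the named users' read access, so reapply the ACL after any mode change.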
tags: added: newton-backport-potential ocata-backport-potential pike-backport-potential
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: milestone: queens-1 → queens-2
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: Keith Schincke (keith-schincke) → John Fulton (jfulton-org)
Changed in tripleo: assignee: John Fulton (jfulton-org) → Keith Schincke (keith-schincke)
Changed in tripleo: milestone: queens-2 → queens-3
Changed in tripleo: milestone: queens-3 → queens-rc1
Fix proposed to branch: master
Review: https://review.openstack.org/508975