OpenStack Shared File Systems Service (Manila)

Calls directed to the wrong Ceph daemon

Bug #1923181 reported by Victoria Martinez de la Cruz on 2021-04-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	Fix Released	High	Victoria Martinez de la Cruz	OpenStack Shared File Systems Service (Manila) xena-1

Bug Description

The mgr-commands are directed at the mon instead of at the mgr in the Ceph drivers. If mgr-commands are directed at the mgr, there is no need to keep the extra mon write caps, limiting driver user's caps and hardening the overall driver security.

See original description

Tags:

Victoria Martinez de la Cruz (vkmc) on 2021-04-09

Changed in manila:
importance:	Undecided → Critical
assignee:	nobody → Victoria Martinez de la Cruz (vkmc)

Victoria Martinez de la Cruz (vkmc) on 2021-04-09

Changed in manila:
importance:	Critical → High

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2021-04-09:

Fix proposed to branch: master
https://review.opendev.org/c/openstack/manila/+/785623

Changed in manila:
milestone:	none → xena-1
status:	New → In Progress

Victoria Martinez de la Cruz (vkmc) on 2021-04-09

description:	updated
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-19: Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/785623
Committed: https://opendev.org/openstack/manila/commit/3ea5d50a2383d298cf64db3c035a63865e091119
Submitter: "Zuul (22348)"
Branch: master

commit 3ea5d50a2383d298cf64db3c035a63865e091119
Author: Victoria Martinez de la Cruz <email address hidden>
Date: Fri Apr 9 11:12:43 2021 +0000

Direct mgr commands to the mgr daemon

Commands in the Ceph driver are directed at the mon
daemon instead of at the mgr daemon.

    The driver's rados_command() calls json_command() and,
    by default, json_command() calls the python
    rados client's mon_command() instead of mgr_command().

    By passing the target as mon-mgr, the python rados
    client's mgr_command() is called as desired, and we
    avoid the need of extra MON write caps.

Closes-Bug: #1923181

    Co-Authored-By: Victoria Martinez de la Cruz <email address hidden>
    Co-Authored-By: Ramana Raja <email address hidden>
    Co-Authored-By: Tom Barron <email address hidden>
    Change-Id: I5bca68070ca1eb539d53dd31cb92588840e925e8

Changed in manila:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-19: Fix proposed to manila (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/manila/+/786912

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-20: Fix merged to manila (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/manila/+/786912
Committed: https://opendev.org/openstack/manila/commit/9a9a2c2467fd167bd3277c911357569ef3cdb20d
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 9a9a2c2467fd167bd3277c911357569ef3cdb20d
Author: Victoria Martinez de la Cruz <email address hidden>
Date: Fri Apr 9 11:12:43 2021 +0000

Direct mgr commands to the mgr daemon

Commands in the Ceph driver are directed at the mon
daemon instead of at the mgr daemon.

    The driver's rados_command() calls json_command() and,
    by default, json_command() calls the python
    rados client's mon_command() instead of mgr_command().

    By passing the target as mon-mgr, the python rados
    client's mgr_command() is called as desired, and we
    avoid the need of extra MON write caps.

Closes-Bug: #1923181