[ceph-nfs-ganesha] Should not allow 'cephx' access to a NFS protocol share

Bug #1816420 reported by Liron Kuchlani
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Medium
Assigned to: Tom Barron

Bug Description

Description of problem:
Manila allows 'cephx' access to a NFS share type while only 'ip' access should be allowed.

Version-Release number of selected component (if applicable):
python2-manilaclient-1.24.1-0.20180809180957.316bd21.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:

(overcloud) [stack@undercloud-0 ~]$ manila create NFS 1 --name share1 --share-type default_share_type
+---------------------------------------+--------------------------------------+
| Property | Value |
+---------------------------------------+--------------------------------------+
| status | creating |
| share_type_name | default_share_type |
| description | None |
| availability_zone | None |
| share_network_id | None |
| share_server_id | None |
| share_group_id | None |
| host | |
| revert_to_snapshot_support | False |
| access_rules_status | active |
| snapshot_id | None |
| create_share_from_snapshot_support | False |
| is_public | False |
| task_state | None |
| snapshot_support | False |
| id | bd86b90e-00fa-49e7-a8c4-b18dbd708250 |
| size | 1 |
| source_share_group_snapshot_member_id | None |
| user_id | ceee86a910d54af1bc1a629022033da2 |
| name | share1 |
| share_type | 58a9f347-dd98-4db2-bb68-ece69ceef271 |
| has_replicas | False |
| replication_type | None |
| created_at | 2019-02-18T12:39:55.000000 |
| share_proto | NFS |
| mount_snapshot_support | False |
| project_id | fd808698c9c34580a92266ff52b11b0d |
| metadata | {} |
+---------------------------------------+--------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ manila list
+--------------------------------------+--------+------+-------------+-----------+-----------+--------------------+-------------------------+-------------------+
| ID | Name | Size | Share Proto | Status | Is Public | Share Type Name | Host | Availability Zone |
+--------------------------------------+--------+------+-------------+-----------+-----------+--------------------+-------------------------+-------------------+
| bd86b90e-00fa-49e7-a8c4-b18dbd708250 | share1 | 1 | NFS | available | False | default_share_type | hostgroup@cephfs#cephfs | nova |
+--------------------------------------+--------+------+-------------+-----------+-----------+--------------------+-------------------------+-------------------+

(overcloud) [stack@undercloud-0 ~]$ manila access-allow share1 cephx eve
+--------------+--------------------------------------+
| Property | Value |
+--------------+--------------------------------------+
| access_key | None |
| share_id | bd86b90e-00fa-49e7-a8c4-b18dbd708250 |
| created_at | 2019-02-18T12:41:59.000000 |
| updated_at | None |
| access_type | cephx |
| access_to | eve |
| access_level | rw |
| state | queued_to_apply |
| id | 3903a546-812b-430c-8977-bac2c59defa9 |
| metadata | {} |
+--------------+--------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ manila access-list share1
+--------------------------------------+-------------+-----------+--------------+--------+------------+----------------------------+------------+
| id | access_type | access_to | access_level | state | access_key | created_at | updated_at |
+--------------------------------------+-------------+-----------+--------------+--------+------------+----------------------------+------------+
| 3903a546-812b-430c-8977-bac2c59defa9 | cephx | eve | rw | active | None | 2019-02-18T12:41:59.000000 | None |
+--------------------------------------+-------------+-----------+--------------+--------+------------+----------------------------+------------+

(overcloud) [stack@undercloud-0 ~]$ manila access-show 3903a546-812b-430c-8977-bac2c59defa9
+--------------+--------------------------------------+
| Property | Value |
+--------------+--------------------------------------+
| access_key | None |
| share_id | bd86b90e-00fa-49e7-a8c4-b18dbd708250 |
| created_at | 2019-02-18T12:41:59.000000 |
| updated_at | None |
| access_type | cephx |
| access_to | eve |
| access_level | rw |
| state | active |
| id | 3903a546-812b-430c-8977-bac2c59defa9 |
| metadata | {} |
+--------------+--------------------------------------+

Actual results:
Allow 'cephx' access to a NFS share type.

Expected results:
'cephx' access to a NFS share type is not allowed.
Only 'ip' access to a NFS share type should be allowed.

Tom Barron (tpb)
Changed in manila:
assignee: nobody → Tom Barron (tpb)
status: New → Confirmed
Tom Barron (tpb)
tags: added: cephfs driver
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/639817

Changed in manila:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on manila (master)

Change abandoned by Tom Barron (<email address hidden>) on branch: master
Review: https://review.openstack.org/639817
Reason: I am going to push a different patch that disallows the specific cephx plus nfs combination in the ceph back end.

Tom Barron (tpb)
summary: - [ceph-nfs-ganesha] Allow 'cephx' access to a NFS share type
+ [ceph-nfs-ganesha] Should not allow 'cephx' access to a NFS share type
summary: - [ceph-nfs-ganesha] Should not allow 'cephx' access to a NFS share type
+ [ceph-nfs-ganesha] Should not allow 'cephx' access to a NFS protocol
+ share
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/640185

Changed in manila:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/640185
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=9df750fd19c6c11562b7bf86464185cd63568310
Submitter: Zuul
Branch: master

commit 9df750fd19c6c11562b7bf86464185cd63568310
Author: Tom Barron <email address hidden>
Date: Thu Feb 28 15:35:12 2019 -0500

    Only allow IP access type for CephFS NFS

    For the CephFS NFS back end only ``IP`` access type
    is valid so enforce this in the driver.

    Also validate access level since there is a utility
    routine to check both access type and access level.

    Closes-bug: #1816420
    Change-Id: I6c96f861b30ef7ccac05a7c199a62f0d69044c3a
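
The check this commit message describes (reject any access type or level the protocol helper does not support), sketched as an added example. This is not Manila's code: the `SUPPORTED` table, the function names, the `error` state label and the second sample rule are assumptions made for illustration. The address check on `access_to` goes one step beyond what the report asks for.

```python
import ipaddress

# Assumed policy table (hypothetical, not Manila's): what each protocol accepts.
SUPPORTED = {
    "NFS": {"types": {"ip"}, "levels": {"rw", "ro"}},
    "CEPHFS": {"types": {"cephx"}, "levels": {"rw", "ro"}},
}


class InvalidAccessRule(ValueError):
    """Raised when a rule does not fit the share's protocol."""


def validate_access_rule(share_proto, rule):
    """Check access type, access level and (for 'ip') the address itself."""
    policy = SUPPORTED.get(share_proto.upper())
    if policy is None:
        raise InvalidAccessRule("unknown protocol %r" % share_proto)
    if rule["access_type"] not in policy["types"]:
        raise InvalidAccessRule("access type %r not valid for %s"
                                % (rule["access_type"], share_proto))
    if rule["access_level"] not in policy["levels"]:
        raise InvalidAccessRule("access level %r not valid for %s"
                                % (rule["access_level"], share_proto))
    if rule["access_type"] == "ip":
        try:
            ipaddress.ip_network(rule["access_to"], strict=False)
        except ValueError:
            raise InvalidAccessRule("not an IP or CIDR: %r" % rule["access_to"])


def apply_rules(share_proto, rules):
    """Return {rule id: state}; a rejected rule never reaches 'active'."""
    states = {}
    for rule in rules:
        try:
            validate_access_rule(share_proto, rule)
        except InvalidAccessRule:
            states[rule["id"]] = "error"  # assumed state name for rejected rules
        else:
            states[rule["id"]] = "active"
    return states


SAMPLE_RULES = [
    # The rule from the reproduction steps in this report.
    {"id": "3903a546-812b-430c-8977-bac2c59defa9", "access_type": "cephx",
     "access_to": "eve", "access_level": "rw"},
    # Constructed rule using a documentation address range.
    {"id": "constructed-ip-rule", "access_type": "ip",
     "access_to": "192.0.2.0/24", "access_level": "ro"},
]
```
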

Changed in manila:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 8.0.0.0rc1

This issue was fixed in the openstack/manila 8.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/648290

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/rocky)

Reviewed: https://review.openstack.org/648290
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=08148bba49709c22048637e710b9553c2745c903
Submitter: Zuul
Branch: stable/rocky

commit 08148bba49709c22048637e710b9553c2745c903
Author: Tom Barron <email address hidden>
Date: Thu Feb 28 15:35:12 2019 -0500

    Only allow IP access type for CephFS NFS

    For the CephFS NFS back end only ``IP`` access type
    is valid so enforce this in the driver.

    Also validate access level since there is a utility
    routine to check both access type and access level.

    Closes-bug: #1816420
    Change-Id: I6c96f861b30ef7ccac05a7c199a62f0d69044c3a
    (cherry picked from commit 9df750fd19c6c11562b7bf86464185cd63568310)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/649743

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/queens)

Reviewed: https://review.openstack.org/649743
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=625fce5bb0e0792550cbae4f526159d4677bf072
Submitter: Zuul
Branch: stable/queens

commit 625fce5bb0e0792550cbae4f526159d4677bf072
Author: Tom Barron <email address hidden>
Date: Thu Feb 28 15:35:12 2019 -0500

    Only allow IP access type for CephFS NFS

    For the CephFS NFS back end only ``IP`` access type
    is valid so enforce this in the driver.

    Also validate access level since there is a utility
    routine to check both access type and access level.

    Closes-bug: #1816420
    Change-Id: I6c96f861b30ef7ccac05a7c199a62f0d69044c3a
    (cherry picked from commit 9df750fd19c6c11562b7bf86464185cd63568310)
    (cherry picked from commit 08148bba49709c22048637e710b9553c2745c903)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 7.3.0

This issue was fixed in the openstack/manila 7.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 6.3.0

This issue was fixed in the openstack/manila 6.3.0 release.
