Manila overwrite existing Ceph users
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Shared File Systems Service (Manila) |
Fix Released
|
High
|
Goutham Pacha Ravi | ||
ceph (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Description
=============
I'm currently testing manila with CephFS and I stumbled upon a behavior
where manila is able to overwrite existing Ceph users.
In my testing setup Glance, Nova, Cinder and Manila share the same Ceph
cluster. However they have different users.
When a share is created and an "allow-access" is made on that share for a service user (cinder/
Steps to reproduce
==================
* Having a running OpenStack with Cinder/
* Create a share and allow access to it with one of the users used for OpenStack services (Cinder/
manila create --share-type cephfstype --name Share1 cephfs 25
manila access-allow Share1 cephx cindertest
Expected result
===============
A better option would be to prevent the creation by Manila of users used by others OpenStack services.
Actual result
=============
It works but this user is used by Ceph and OpenStack to provide access on pools for running services. Changing it to access only one share will result in breaking all resources that was using it.
Environment
===========
I'm currently running OpenStack Rocky, with Ceph Nautilus.
Logs & Configs
==============
Just an example of how the user change in the Ceph cluster config : http://
Jahson
CVE References
Changed in manila: | |
importance: | Undecided → Medium |
Changed in manila: | |
status: | New → Confirmed |
importance: | Medium → High |
Changed in manila: | |
status: | Confirmed → Fix Released |
milestone: | none → wallaby-rc1 |
assignee: | nobody → Goutham Pacha Ravi (gouthamr) |
Changed in ceph (Ubuntu): | |
status: | New → Invalid |
Additional comments http:// eavesdrop. openstack. org/meetings/ manila/ 2020/manila. 2020-11- 12-15.01. log.html