NFS Security Enhancements: allows secure NFS environment setup

Bug #1385248 reported by OpenStack Infra on 2014-10-24
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openstack-manuals
Medium
Gauvain Pocentek

Bug Description

https://review.openstack.org/107693
commit 6879bd0720b2c4c5ef4d2f2c42fe0e4e436ba998
Author: Glenn M. Gobeli <email address hidden>
Date: Thu Jun 12 09:31:25 2014 -0400

    NFS Security Enhancements: allows secure NFS environment setup

    This patch allows an OpenStack environment to run as a secure NAS
    environment from the client and server perspective, including having
    root squash enabled and not running file operations as the 'root'
    user. This also sets Cinder file permissions as 660: removing
    other/world file access.

    The "nas_secure_file_permissions" option controls the setting of file
    permissions when Cinder volumes are created. The option defaults to
    "auto" to gracefully handle upgrade scenarios. When set to "auto",
    a check is done during Cinder startup to determine if there are
    existing Cinder volumes: no volumes will set the option to 'true',
    and use secure file permissions. The detection of existing volumes will
    set the option to 'false', and use the current insecure method of
    handling file permissions.

    The "nas_secure_file_operations" option controls whether file
    operations are run as the 'root' user or the current OpenStack
    'process' user. The option defaults to "auto" to gracefully handle
    upgrade scenarios. When set to "auto", a check is done during Cinder
    startup to determine if there are existing Cinder volumes: no volumes
    will set the option to 'true', be secure and do NOT run as the 'root'
    user. The detection of existing volumes will set the option to 'false',
    and use the current method of running operations as the 'root' user.
    For new installations, a 'marker file' is written so that subsequent
    restarts of Cinder will know what the original determination had been.

    This patch enables this functionality only for the NFS driver.
    Other similar drivers can use this code to enable the same
    functionality with the same config options.

    DocImpact
    Change-Id: I3d25f593beab7f5462576b14ab62d13d8c53e7c6
    Implements: blueprint secure-nfs
    Partial-Bug: 1260679

Tom Fifield (fifieldt) on 2014-11-11
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → kilo
Tom Fifield (fifieldt) on 2015-06-11
Changed in openstack-manuals:
milestone: kilo → liberty
Changed in openstack-manuals:
assignee: nobody → Gauvain Pocentek (gpocentek)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/203409
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=523d46a8b6bdc6bae51b01443c46d4ec1fa7bce6
Submitter: Jenkins
Branch: master

commit 523d46a8b6bdc6bae51b01443c46d4ec1fa7bce6
Author: Gauvain Pocentek <email address hidden>
Date: Sun Jul 19 10:53:46 2015 +0200

    [config-ref] Cinder option tables update

    Remove the quobyte documentation since it is not in the cinder tree
    anymore.

    Closes-Bug: #1474495
    Closes-Bug: #1469518
    Closes-Bug: #1467587
    Closes-Bug: #1467170
    Partial-Bug: #1467123
    Partial-Bug: #1466971
    Closes-Bug: #1466163
    Partial-Bug: #1465700
    Partial-Bug: #1464726
    Closes-Bug: #1462459
    Closes-Bug: #1462184
    Closes-Bug: #1460811
    Closes-Bug: #1460366
    Closes-Bug: #1458714
    Closes-Bug: #1453247
    Closes-Bug: #1451526
    Partial-Bug: #1447455
    Partial-Bug: #1445154
    Closes-Bug: #1444814
    Closes-Bug: #1385248

    Change-Id: I6eec26af059d7d390b2b3875b346fcb50c8100a5

Changed in openstack-manuals:
status: In Progress → Fix Released

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers