NFS Security Enhancements: allows secure NFS environment setup
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Fix Released | Medium | Gauvain Pocentek |
Bug Description
https:/
commit 6879bd0720b2c4c
Author: Glenn M. Gobeli <email address hidden>
Date: Thu Jun 12 09:31:25 2014 -0400
NFS Security Enhancements: allows secure NFS environment setup
This patch allows an OpenStack environment to run as a secure NAS
environment from the client and server perspective, including having
root squash enabled and not running file operations as the 'root'
user. This also sets Cinder file permissions as 660: removing
other/world file access.
The "nas_secure_
permissions when Cinder volumes are created. The option defaults to
"auto" to gracefully handle upgrade scenarios. When set to "auto",
a check is done during Cinder startup to determine if there are
existing Cinder volumes: no volumes will set the option to 'true',
and use secure file permissions. The detection of existing volumes will
set the option to 'false', and use the current insecure method of
handling file permissions.
The "nas_secure_
operations are run as the 'root' user or the current OpenStack
'process' user. The option defaults to "auto" to gracefully handle
upgrade scenarios. When set to "auto", a check is done during Cinder
startup to determine if there are existing Cinder volumes: no volumes
will set the option to 'true', be secure and do NOT run as the 'root'
user. The detection of existing volumes will set the option to 'false',
and use the current method of running operations as the 'root' user.
For new installations, a 'marker file' is written so that subsequent
restarts of Cinder will know what the original determination had been.
This patch enables this functionality only for the NFS driver.
Other similar drivers can use this code to enable the same
functionality with the same config options.
DocImpact
Change-Id: I3d25f593beab7f
Implements: blueprint secure-nfs
Partial-Bug: 1260679
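Added illustration, not code from the patch or the Cinder tree: a small model of the "auto" determination and the 660 volume-file permissions described in the commit message above, with an audit helper a defender can use to spot world-accessible volume files on the share. The function names, the marker file name and the `volume-` filename prefix are assumptions.

```python
import os
import stat

# Modelled on the behaviour described in the commit message; the real
# Cinder NFS driver is implemented differently and names here are assumed.
SECURE_MODE = 0o660   # rw-rw----: no other/world access
LEGACY_MODE = 0o666   # the pre-patch, world-accessible mode


def resolve_secure_setting(configured, share_root, marker_name):
    """Return True if secure file handling should be used.

    configured: 'auto', 'true' or 'false' (the config option value).
    share_root: mounted NFS share directory holding the volume files.
    marker_name: marker file recording the first determination (assumed name).
    """
    if configured in ("true", "false"):
        return configured == "true"
    if configured != "auto":
        raise ValueError("unexpected option value %r" % configured)
    marker = os.path.join(share_root, marker_name)
    if os.path.exists(marker):
        # Subsequent restarts reuse the original decision.
        with open(marker) as f:
            return f.read().strip() == "true"
    # First start: secure only on a fresh install with no existing volumes.
    has_volumes = any(
        name.startswith("volume-") for name in os.listdir(share_root))
    decision = not has_volumes
    with open(marker, "w") as f:
        f.write("true" if decision else "false")
    return decision


def create_volume_file(share_root, name, secure):
    """Create an empty volume file with the mode the setting implies."""
    path = os.path.join(share_root, name)
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)
    os.close(fd)
    os.chmod(path, SECURE_MODE if secure else LEGACY_MODE)
    return path


def world_accessible(path):
    """Audit helper: True if the file grants any 'other' permission bit."""
    other_bits = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
    return bool(os.stat(path).st_mode & other_bits)
```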
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → kilo
Changed in openstack-manuals:
milestone: kilo → liberty
Changed in openstack-manuals:
assignee: nobody → Gauvain Pocentek (gpocentek)
status: Confirmed → In Progress
Reviewed: https://review.openstack.org/203409
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=523d46a8b6bdc6bae51b01443c46d4ec1fa7bce6
Submitter: Jenkins
Branch: master
commit 523d46a8b6bdc6bae51b01443c46d4ec1fa7bce6
Author: Gauvain Pocentek <email address hidden>
Date: Sun Jul 19 10:53:46 2015 +0200
[config-ref] Cinder option tables update
Remove the quobyte documentation since it is not in the cinder tree
anymore.
Closes-Bug: #1474495
Closes-Bug: #1469518
Closes-Bug: #1467587
Closes-Bug: #1467170
Partial-Bug: #1467123
Partial-Bug: #1466971
Closes-Bug: #1466163
Partial-Bug: #1465700
Partial-Bug: #1464726
Closes-Bug: #1462459
Closes-Bug: #1462184
Closes-Bug: #1460811
Closes-Bug: #1460366
Closes-Bug: #1458714
Closes-Bug: #1453247
Closes-Bug: #1451526
Partial-Bug: #1447455
Partial-Bug: #1445154
Closes-Bug: #1444814
Closes-Bug: #1385248
Change-Id: I6eec26af059d7d390b2b3875b346fcb50c8100a5