CephX keyrings ACLs are not effective

Bug #1775549 reported by Giulio Fidente
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Giulio Fidente
Milestone: (none)

Bug Description

I believe that by setting mode to 0600 for the file, we're changing the ACLs mask preventing the "read" permission from being applied for the specific user (cinder).

This affects all (but only) the non-containerized services, so cinder-volume in the OSP12 default case.

I think the only solution is to set the ACLs mask from puppet-tripleo where we also set the ACLs for the openstack users... but if others have better ideas I'd like to get some feedback. We set the file mode to 0600 in the attempt to increase the deployment security.
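The mechanism the report and the commit message describe (a chmod writes its group bits into the ACL mask, and every named-user entry is ANDed with that mask before it is honoured) can be replayed without touching a real filesystem. The Python model below is an added example, not part of this bug report or of puppet-tripleo; it implements the POSIX.1e access check and the chmod-to-mask mapping the way Linux applies them, on a constructed keyring ACL whose owner, group and user names (ceph, cinder, nova) and starting mode are assumptions.

```python
"""Model of POSIX.1e ACL evaluation on Linux: why chmod 0600 silences a
named-user entry (the group bits land in the mask) and why setting the mask
back to read fixes it.  Added illustration; names and the starting ACL are
constructed, not taken from a real deployment."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, as in one rwx triplet of a mode


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                 # u::   owner bits, never masked
    group_obj: int                # g::   owning group, masked
    other: int                    # o::   never masked
    users: Dict[str, int] = field(default_factory=dict)   # u:name:
    groups: Dict[str, int] = field(default_factory=dict)  # g:name:
    mask: Optional[int] = None    # m::   exists once extended entries exist

    def _mask(self) -> int:
        return 7 if self.mask is None else self.mask

    def set_named_user(self, name: str, perms: int) -> None:
        """setfacl -m u:name:perms; a missing mask is recalculated as the
        union of all group-class entries, which is setfacl's default."""
        self.users[name] = perms
        if self.mask is None:
            m = self.group_obj
            for p in list(self.users.values()) + list(self.groups.values()):
                m |= p
            self.mask = m

    def set_mask(self, perms: int) -> None:
        """setfacl -m m::perms (what the fix does for the keyring)."""
        self.mask = perms

    def chmod(self, mode: int) -> None:
        """chmod on a file with an extended ACL: owner bits -> u::, other
        bits -> o::, and the group bits -> the mask, not g::."""
        self.user_obj = (mode >> 6) & 7
        self.other = mode & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def allowed(self, uid: str, gids: Set[str], want: int) -> bool:
        """Access check in the order the kernel applies it."""
        m = self._mask()
        if uid == self.owner:
            return want & ~self.user_obj == 0
        if uid in self.users:
            return want & ~(self.users[uid] & m) == 0
        matched = False
        candidates = [(self.group, self.group_obj)] + list(self.groups.items())
        for g, p in candidates:
            if g in gids:
                matched = True
                if want & ~(p & m) == 0:
                    return True
        if matched:
            return False  # group class matched but no entry grants it
        return want & ~self.other == 0

    def render(self) -> list:
        """getfacl-style listing, including the #effective annotation."""
        m = self._mask()

        def rwx(p: int) -> str:
            return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

        def masked(label: str, p: int) -> str:
            eff = p & m
            return f"{label}{rwx(p)}" + (f"\t#effective:{rwx(eff)}" if eff != p else "")

        lines = [f"user::{rwx(self.user_obj)}"]
        lines += [masked(f"user:{n}:", p) for n, p in self.users.items()]
        lines.append(masked("group::", self.group_obj))
        lines += [masked(f"group:{n}:", p) for n, p in self.groups.items()]
        if self.mask is not None:
            lines.append(f"mask::{rwx(self.mask)}")
        lines.append(f"other::{rwx(self.other)}")
        return lines


def keyring_scenario() -> dict:
    """Replay the report: named-user read, chmod 0600, then the mask fix."""
    acl = Acl(owner="ceph", group="ceph", user_obj=R | W, group_obj=R, other=R)
    acl.set_named_user("cinder", R)                # setfacl -m u:cinder:r
    steps = {"after_setfacl": acl.allowed("cinder", {"cinder"}, R)}
    acl.chmod(0o600)                               # the hardening that broke it
    steps["after_chmod_0600"] = acl.allowed("cinder", {"cinder"}, R)
    steps["mask_after_chmod"] = acl.mask
    steps["listing_after_chmod"] = acl.render()
    acl.set_mask(R)                                # setfacl -m m::r
    steps["after_mask_fix"] = acl.allowed("cinder", {"cinder"}, R)
    steps["other_user_after_fix"] = acl.allowed("nova", {"nova"}, R)
    return steps


if __name__ == "__main__":
    for k, v in keyring_scenario().items():
        print(f"{k}: {v}")
```

On a real host the same three steps are `setfacl -m u:cinder:r <keyring>`, `chmod 0600 <keyring>` and `setfacl -m m::r <keyring>`; while the mask is empty, `getfacl` prints `#effective:---` beside the cinder entry, which is the quickest check for this kind of misconfiguration. One caveat the model also shows: the mask is shared by the owning group and every named entry, so restoring `m::r` restores read for members of the file's group as well (g::r-- in this constructed ACL); if only the named service users should read the keyring, set `g::---` alongside the mask.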

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/573142

Changed in tripleo:
assignee: nobody → Giulio Fidente (gfidente)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/573382

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/573383

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/573382
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2268bd1a71acacc391a695f9ae93ee5163c2481b
Submitter: Zuul
Branch: stable/queens

commit 2268bd1a71acacc391a695f9ae93ee5163c2481b
Author: Giulio Fidente <email address hidden>
Date: Thu Jun 7 11:08:59 2018 +0200

    Ensure appropriate ACL mask is set on CephX keyrings

    Changing group permissions alters the ACL mask, causing the "read"
    permission we set explicitly for the openstack users to be ignored.

    This change ensures "read" is set for the ACLs mask.

    Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b
    Closes-Bug: 1775549
    (cherry picked from commit 2a59f98d78a046516d2013308e1be4fa0cf7f068)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/573383
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7d3e7f6a2ffd0ffb9ff61e9822f3a7872faa29b4
Submitter: Zuul
Branch: stable/pike

commit 7d3e7f6a2ffd0ffb9ff61e9822f3a7872faa29b4
Author: Giulio Fidente <email address hidden>
Date: Thu Jun 7 11:08:59 2018 +0200

    Ensure appropriate ACL mask is set on CephX keyrings

    Changing group permissions alters the ACL mask, causing the "read"
    permission we set explicitly for the openstack users to be ignored.

    This change ensures "read" is set for the ACLs mask.

    Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b
    Closes-Bug: 1775549
    (cherry picked from commit 2268bd1a71acacc391a695f9ae93ee5163c2481b)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/573142
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2a59f98d78a046516d2013308e1be4fa0cf7f068
Submitter: Zuul
Branch: master

commit 2a59f98d78a046516d2013308e1be4fa0cf7f068
Author: Giulio Fidente <email address hidden>
Date: Thu Jun 7 11:08:59 2018 +0200

    Ensure appropriate ACL mask is set on CephX keyrings

    Changing group permissions alters the ACL mask, causing the "read"
    permission we set explicitly for the openstack users to be ignored.

    This change ensures "read" is set for the ACLs mask.

    Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b
    Closes-Bug: 1775549

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.3.4

This issue was fixed in the openstack/puppet-tripleo 8.3.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.4.14

This issue was fixed in the openstack/puppet-tripleo 7.4.14 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.2.0

This issue was fixed in the openstack/puppet-tripleo 9.2.0 release.
