[Bug 1424771] Re: Excessive caps for CephX users glance, cinder, nova-compute
James Page
james.page at ubuntu.com
Mon Oct 17 07:43:55 UTC 2016
Upstream doc reference:

http://docs.ceph.com/docs/firefly/rbd/rbd-openstack/

** Also affects: cinder (Juju Charms Collection)
   Importance: Undecided
       Status: New

** Also affects: glance (Juju Charms Collection)
   Importance: Undecided
       Status: New

** Also affects: nova-compute (Juju Charms Collection)
   Importance: Undecided
       Status: New

** Changed in: cinder (Juju Charms Collection)
   Importance: Undecided => Medium

** Changed in: glance (Juju Charms Collection)
   Importance: Undecided => Medium

** Changed in: nova-compute (Juju Charms Collection)
   Importance: Undecided => Medium

** Changed in: cinder (Juju Charms Collection)
    Milestone: None => 17.01

** Changed in: glance (Juju Charms Collection)
    Milestone: None => 17.01

** Changed in: nova-compute (Juju Charms Collection)
    Milestone: None => 17.01

** Changed in: cinder (Juju Charms Collection)
       Status: New => Triaged

** Changed in: glance (Juju Charms Collection)
       Status: New => Triaged

** Changed in: nova-compute (Juju Charms Collection)
       Status: New => Triaged
--
https://bugs.launchpad.net/bugs/1424771

Title:
  Excessive caps for CephX users glance, cinder, nova-compute

Status in charms.openstack:
  Triaged
Status in ceph package in Juju Charms Collection:
  Triaged
Status in ceph-mon package in Juju Charms Collection:
  Triaged
Status in cinder package in Juju Charms Collection:
  Triaged
Status in glance package in Juju Charms Collection:
  Triaged
Status in nova-compute package in Juju Charms Collection:
  Triaged

Bug description:
  The cephx identities, which the charms generate for glance, cinder and
  nova-compute, have excessive capabilities. They allow write access to
  mons, and unrestricted access to OSDs.

  The following caps should be sufficient:

  For client.glance:
    mon = "allow r"
    osd = "allow rw pool=glance"

  For client.cinder:
    mon = "allow r"
    osd = "allow rw pool=cinder"

  For client.nova-compute:
    mon = "allow r"
    osd = "allow rwx pool=cinder"
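
One way to check existing cephx identities for the two problems the bug description names (mon access beyond read-only, OSD access not limited to a pool). This is an added example, not part of the bug report or the charms. It assumes input in the keyring format printed by `ceph auth get`; the sample entities, caps and keys are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in `ceph auth get` keyring format; keys are placeholders.
SAMPLE = '''\
[client.glance]
    key = PLACEHOLDER-KEY-1==
    caps mon = "allow rw"
    caps osd = "allow rwx"
[client.cinder]
    key = PLACEHOLDER-KEY-2==
    caps mon = "allow r"
    caps osd = "allow rw pool=cinder"
[client.nova-compute]
    key = PLACEHOLDER-KEY-3==
    caps mon = "allow r"
    caps osd = "allow rwx pool=cinder, allow *"
'''

CAP_LINE = re.compile(r'^caps\s+(\w+)\s*=\s*"(.*)"$')
PERMS = re.compile(r'^(\*|[rwx]+)$')  # plain permission tokens only

def parse_caps(text):
    """Return {entity: {daemon: [grant, ...]}} from keyring-style text."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = entities.setdefault(line[1:-1], {})
        elif current is not None and (m := CAP_LINE.match(line)):
            current[m.group(1)] = [g.strip() for g in m.group(2).split(',') if g.strip()]
    return entities

def audit(text):
    """Flag mon grants beyond read-only and osd grants with no pool restriction."""
    findings = []
    for entity, caps in parse_caps(text).items():
        for daemon, grants in caps.items():
            for grant in grants:
                tokens = grant.split()
                if len(tokens) < 2 or tokens[0] != 'allow' or not PERMS.match(tokens[1]):
                    continue  # profiles, class-read etc. are not assessed here
                if daemon == 'mon' and tokens[1] != 'r':
                    findings.append((entity, daemon, grant, 'mon access beyond read-only'))
                pooled = any(t.startswith('pool=') or t == 'pool' for t in tokens[2:])
                if daemon == 'osd' and not pooled:
                    findings.append((entity, daemon, grant, 'osd access not limited to a pool'))
    return findings

if __name__ == '__main__':
    print('\n'.join(' | '.join(f) for f in audit(SAMPLE)))
```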