[Bug 1424771] Re: Excessive caps for CephX users glance, cinder, nova-compute

James Page james.page at ubuntu.com
Tue Feb 14 21:25:15 UTC 2017


Marking consuming charm tasks Fix Committed; charms have a new flag
'restrict-ceph-pools' which will enable restriction of access to
underlying ceph pools using a grouping mechanism provided by the ceph
broker in the ceph and ceph-mon charms.

Pools are grouped into 'volumes', 'images', 'vms', 'objects' - example
perms for a 'default' deployment:

client.cinder-ceph
        key: AQBgGqNYTLTXOBAA2VnYZ+lEXaFY0fn0bFg7Fg==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.glance
        key: AQBKGaNYXBqvKBAAQC8MjQ+5Aj/8YVZw7q3oZQ==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=glance
client.nova-compute
        key: AQA+GaNY1dZmGhAALeUWb0E9d2v6KI8VQG+c0w==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.radosgw.gateway
        key: AQBxM6NY0al5AhAAqg9mm7CtP4WpDvGiVJvfEg==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=default.rgw.buckets, ..., allow rwx pool=.rgw.root


** Also affects: ceph-radosgw (Juju Charms Collection)
   Importance: Undecided
       Status: New

** Changed in: ceph-radosgw (Juju Charms Collection)
       Status: New => In Progress

** Changed in: ceph-radosgw (Juju Charms Collection)
   Importance: Undecided => Medium

** Changed in: cinder-ceph (Juju Charms Collection)
   Importance: Undecided => Medium

** Changed in: ceph-radosgw (Juju Charms Collection)
       Status: In Progress => Fix Committed

** Changed in: cinder (Juju Charms Collection)
       Status: In Progress => Fix Committed

** Changed in: cinder-ceph (Juju Charms Collection)
       Status: In Progress => Fix Committed

** Changed in: glance (Juju Charms Collection)
       Status: In Progress => Fix Committed

** Changed in: nova-compute (Juju Charms Collection)
       Status: In Progress => Fix Committed

** Changed in: ceph-radosgw (Juju Charms Collection)
    Milestone: None => 17.01

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Juju Charms Collection.
Matching subscriptions: charm-bugs
https://bugs.launchpad.net/bugs/1424771

Title:
  Excessive caps for CephX users glance, cinder, nova-compute

Status in charms.openstack:
  In Progress
Status in ceph package in Juju Charms Collection:
  In Progress
Status in ceph-mon package in Juju Charms Collection:
  In Progress
Status in ceph-radosgw package in Juju Charms Collection:
  Fix Committed
Status in cinder package in Juju Charms Collection:
  Fix Committed
Status in cinder-ceph package in Juju Charms Collection:
  Fix Committed
Status in glance package in Juju Charms Collection:
  Fix Committed
Status in nova-compute package in Juju Charms Collection:
  Fix Committed

Bug description:
  The cephx identities, which the charms generate for glance, cinder and
  nova-compute, have excessive capabilities. They allow write access to
  mons, and unrestricted access to OSDs.

  The following caps should be sufficient:

  For client.glance:
  mon = "allow r"
  osd = "allow rw pool=glance"

  For client.cinder:
  mon = "allow r"
  osd = "allow rw pool=cinder"

  For client.nova-compute:
  mon = "allow r"
  osd = "allow rwx pool=cinder"

To manage notifications about this bug go to:
https://bugs.launchpad.net/charms.openstack/+bug/1424771/+subscriptions
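The following is an added audit script, not code from the bug report or from the ceph/OpenStack charms. It parses output in the same layout as the `ceph auth list` excerpt quoted in the comment above and flags the two problems the bug describes: CephX identities with more than `allow r` on the mons, and OSD grants that are not scoped to a pool (or are `allow *`). It also accepts an optional per-entity map of expected pools, so an operator can check that, e.g., `client.nova-compute` only reaches the volumes pool the bug says it needs; that map, the sample keys and the sample entities are constructed here and are not from the page.

```python
"""Audit CephX client capabilities for least privilege.

Added example (not from the bug report or the charms). Parses text in the
'ceph auth list' layout and reports entities whose caps exceed what an
OpenStack consumer needs: anything beyond 'allow r' on the mons, or OSD
access that is unrestricted or not scoped to a pool.
"""
import re

# Constructed sample in the 'ceph auth list' layout; keys are placeholders,
# not real CephX secrets.
SAMPLE_AUTH_LIST = """\
client.glance
        key: CONSTRUCTED_KEY_1==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=glance
client.cinder
        key: CONSTRUCTED_KEY_2==
        caps: [mon] allow *
        caps: [osd] allow *
client.nova-compute
        key: CONSTRUCTED_KEY_3==
        caps: [mon] allow rw
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
"""

# Assumed policy for the constructed sample: which pools each consumer should
# be able to reach (mirrors the minimal caps proposed in the bug description).
EXPECTED_POOLS = {
    "client.glance": {"glance"},
    "client.cinder": {"cinder-ceph"},
    "client.nova-compute": {"cinder-ceph"},
}

ENTITY_RE = re.compile(r"^(client\.[^\s]+)\s*$")
CAPS_RE = re.compile(r"^\s+caps:\s+\[(\w+)\]\s+(.*)$")
POOL_RE = re.compile(r"pool=([^\s,]+)")


def parse_auth_list(text):
    """Return {entity: {service: capstring}} from 'ceph auth list' output."""
    entities = {}
    current = None
    for line in text.splitlines():
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(1)
            entities[current] = {}
            continue
        m = CAPS_RE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
    return entities


def split_grants(capstring):
    """Split 'allow rwx pool=a, allow r pool=b' into individual grants."""
    return [g.strip() for g in capstring.split(",") if g.strip()]


def granted_pools(capstring):
    """Set of pool names an OSD cap string is scoped to."""
    return set(POOL_RE.findall(capstring))


def audit_entity(name, caps, expected_pools=None):
    """Return a list of findings (strings) for one client entity."""
    findings = []
    # Consumers only need to read cluster maps from the mons; any grant other
    # than 'allow r' (e.g. 'allow rw', 'allow *') is excess.
    for grant in split_grants(caps.get("mon", "")):
        if grant != "allow r":
            findings.append(f"{name}: mon cap '{grant}' exceeds 'allow r'")
    osd = caps.get("osd", "")
    if not osd:
        findings.append(f"{name}: no osd cap (entity cannot do any I/O)")
    for grant in split_grants(osd):
        if "*" in grant:
            findings.append(f"{name}: osd cap '{grant}' is unrestricted")
        elif "pool=" not in grant:
            findings.append(f"{name}: osd cap '{grant}' is not scoped to a pool")
    # Even pool-scoped grants can be too broad for the role; compare against
    # the expected pool set when one is supplied.
    if expected_pools and name in expected_pools:
        extra = granted_pools(osd) - expected_pools[name]
        if extra:
            findings.append(f"{name}: access to unexpected pools {sorted(extra)}")
    return findings


def audit(text, expected_pools=None):
    """Audit every entity; returns {entity: [findings]} for offenders only."""
    report = {}
    for name, caps in parse_auth_list(text).items():
        found = audit_entity(name, caps, expected_pools)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for entity, findings in audit(SAMPLE_AUTH_LIST, EXPECTED_POOLS).items():
        print(entity)
        for f in findings:
            print("  -", f)
```

Run it against real output with `ceph auth list | python3 audit_caps.py`-style plumbing by replacing `SAMPLE_AUTH_LIST` with `sys.stdin.read()`; the expected-pools map is the one part an operator must fill in for their own deployment, since pool names depend on the charm relation names.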



More information about the Ubuntu-openstack-bugs mailing list