[Bug 1904015] Re: Manila overwrite existing Ceph users

OpenStack Infra 1904015 at bugs.launchpad.net
Sat May 22 11:34:57 UTC 2021


Reviewed:  https://review.opendev.org/c/openstack/manila/+/773419
Committed: https://opendev.org/openstack/manila/commit/8f969689efe27f4adf1546a99d3cdfa71266671d
Submitter: "Zuul (22348)"
Branch:    stable/victoria

commit 8f969689efe27f4adf1546a99d3cdfa71266671d
Author: Goutham Pacha Ravi <gouthampravi at gmail.com>
Date:   Mon Jan 25 23:44:32 2021 -0800

    [Native CephFS] Add messages for async ACL ops
    
    Access rules added to CephFS shares can fail
    at the driver, or by the ceph volume client library.
    Since the share manager can supply rule changes to
    the driver in batches, the driver has to gracefully
    handle individual rule failures.
    
    Further, some of the causes of the access rule
    failures can be remedied by end users, therefore
    asynchronous user messages would be a good vehicle
    to register user faults that can be examined and
    corrected.
    
    Related-Bug: #1904015
    [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27781
    
    Change-Id: I3882fe5b1ad4a6cc71c13ea70fd6aea10430c42e
    Signed-off-by: Goutham Pacha Ravi <gouthampravi at gmail.com>
    (cherry picked from commit da3ab2cf4512716fa47a16315e98e610fbaed829)


** Tags added: in-stable-victoria

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1904015

Title:
  Manila overwrite existing Ceph users

Status in OpenStack Shared File Systems Service (Manila):
  Fix Released
Status in ceph package in Ubuntu:
  New

Bug description:
  Description
  =============

  I'm currently testing manila with CephFS and I stumbled upon a behavior
  where manila is able to overwrite existing Ceph users.
  In my testing setup Glance, Nova, Cinder and Manila share the same Ceph
  cluster. However they have different users.
  When a share is created and an "allow-access" is made on that share for a service user (cinder/nova/glance) it will overwrite the existing user, removing access on the pools in order to set permissions for the share.

  Steps to reproduce
  ==================

  * Having a running OpenStack with Cinder/Glance/Nova/Manila all configured with one Ceph cluster using different pools.
  * Create a share and allow access to it with one of the users used for OpenStack services (Cinder/Nova/Glance..)

      manila create --share-type cephfstype --name Share1 cephfs 25
      manila access-allow Share1 cephx cindertest

  Expected result
  ===============

  A better option would be to prevent the creation by Manila of users
  used by other OpenStack services.

  Actual result
  =============

  It works but this user is used by Ceph and OpenStack to provide access
  on pools for running services. Changing it to access only one share
  will result in breaking all resources that were using it.

  Environment
  ===========

  I'm currently running OpenStack Rocky, with Ceph Nautilus.

  Logs & Configs
  ==============
  Just an example of how the user changes in the Ceph cluster config: http://paste.openstack.org/show/799959/

  Jahson
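
An added sketch, not Manila's driver code and not part of this bug report, of the behaviour the commit message and the "Expected result" section describe: a batch of access rules is applied one rule at a time, a cephx ID that already exists and was not created for a share is refused instead of overwritten, and each failure is recorded as a user-facing message. FakeCephAuth, update_access, demo and all sample caps and rule IDs are hypothetical, constructed for the illustration.

```python
# Added illustration. All names and sample caps are hypothetical/constructed;
# this is not Manila's driver API or the Ceph client library.
from dataclasses import dataclass, field


@dataclass
class FakeCephAuth:
    """Stand-in for the cluster's auth database (one share per ID, for brevity)."""
    entities: dict = field(default_factory=dict)  # entity name -> caps
    managed: set = field(default_factory=set)     # entities created via shares

    def authorize(self, cephx_id, share_path):
        entity = f"client.{cephx_id}"
        if entity in self.entities and entity not in self.managed:
            # Never rewrite the caps of an identity created by someone else.
            raise PermissionError(f"{entity} is in use and was not created for a share")
        self.entities[entity] = {"mds": f"allow rw path={share_path}"}
        self.managed.add(entity)


def update_access(auth, share_path, add_rules):
    """Apply a batch of rules; a failing rule must not fail the others."""
    states, user_messages = {}, []
    for rule in add_rules:
        try:
            if rule["access_type"] != "cephx":
                raise ValueError(f"unsupported access type {rule['access_type']!r}")
            auth.authorize(rule["access_to"], share_path)
            states[rule["id"]] = "active"
        except (PermissionError, ValueError) as exc:
            states[rule["id"]] = "error"
            user_messages.append((rule["id"], str(exc)))  # shown to the end user
    return states, user_messages


def demo():
    # Constructed cluster state: a service identity with pool caps already exists.
    service_caps = {"mon": "profile rbd", "osd": "profile rbd pool=volumes"}
    auth = FakeCephAuth(entities={"client.cindertest": dict(service_caps)})
    batch = [
        {"id": "r1", "access_type": "cephx", "access_to": "cindertest"},
        {"id": "r2", "access_type": "cephx", "access_to": "alice"},
        {"id": "r3", "access_type": "ip", "access_to": "203.0.113.7"},
    ]
    states, messages = update_access(auth, "/volumes/_nogroup/share1", batch)
    return auth, states, messages


if __name__ == "__main__":
    print(demo()[1:])
```

The rule for cindertest ends in the error state with its pool caps untouched, while the other cephx rule in the same batch still becomes active.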
