Excessive caps for CephX users glance, cinder, nova-compute

This is now possible that we have the ceph broker support in the ceph charm - prior to the 15.01 release, the remote client created pools, so this type of permission was blocked.

As of today, perms are still as follows:

client.cinder-volume
        caps: [mon] allow rw
        caps: [osd] allow rwx
client.glance
        caps: [mon] allow rw
        caps: [osd] allow rwx
client.nova-compute
        caps: [mon] allow rw
        caps: [osd] allow rwx
client.radosgw.gateway
        caps: [mon] allow rw
        caps: [osd] allow rwx

That's over a year and counting. You do realize that this means the nova, glance, and cinder processes are all capable of deleting all pools and all data in them if compromised, right?

I'd like to get the cephx perms tightened up as well. I wasn't able to get to this for the 16.04 cycle. I'll put it on the roadmap for 16.10. In the mean time PR's are welcome if you feel strongly about this. The repos are here: https://review.openstack.org/#/admin/projects/openstack/charm-ceph-osd and https://review.openstack.org/#/admin/projects/openstack/charm-ceph-mon

This can got kicked down the road *again*? This is a security issue.

Florian

Depsite Chris' best efforts, this feature was not ready in time for the charm feature freeze a few weeks back.

We have a ACL design that we believe will work to allow the manage of permissions between openstack services and associated pools, and the required ongoing management to ensure that when new pools get created, existing users in the relevant groups are granted access to them.

I believe we should get the implementation of this design landed in the next month so it should be included in the 17.01 charm release.

FTR this is not as trivial as granting access to fixed pool names for each auth key; pool names are generated from the name of each charm, which can be changed at deployment time (think cinder-ceph, cinder-ceph-fast, cinder-ceph-slow).

The charms also need to deal with upgrading from the current open access to the proposed restricted access (so this change impacts cinder-ceph, cinder, glance, ceph-radosgw and nova-compute as well).

When you also consider that features such as ephemeral disk on ceph and COW cloning between cinder and glance thinks get quite complex fast.

Upstream doc reference:

  http://docs.ceph.com/docs/firefly/rbd/rbd-openstack/

Dropping the 'w' perms for mon is a good first step (no longer required as ceph charms now create pools):

  https://review.openstack.org/#/c/387227/

Reviewed: https://review.openstack.org/387250
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-mon/commit/?id=526dc525d4525a70efdb9cf153da3720336dc556
Submitter: Jenkins
Branch: master

commit 526dc525d4525a70efdb9cf153da3720336dc556
Author: James Page <email address hidden>
Date: Mon Oct 17 09:22:15 2016 +0100

    Downgrade default key mon capabilities

    The 'w' capability for mon is no longer required by default, as
    the ceph broker in the ceph{-mon} charm is responsible for pool
    creation, not clients.

    Drop this permission (keys are automatically upgraded).

    Change-Id: I85ba55b7b929eb852046db354a745eb3beed2c51
    Depends-On: Iefffe047214555a15c4201fca605f07ac39c8f5c
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/387245
Committed: https://git.openstack.org/cgit/openstack/charm-ceph/commit/?id=a2d19d37ea2caeae96b435d0e666c8fc941d2c62
Submitter: Jenkins
Branch: master

commit a2d19d37ea2caeae96b435d0e666c8fc941d2c62
Author: James Page <email address hidden>
Date: Mon Oct 17 09:18:38 2016 +0100

    Downgrade default key mon capabilities

    The 'w' capability for mon is no longer required by default, as
    the ceph broker in the ceph{-mon} charm is responsible for pool
    creation, not clients.

    Drop this permission (keys are automatically upgraded).

    Change-Id: I23a75bc4d3737f9181b48d0affb046349be4153b
    Depends-On: Iefffe047214555a15c4201fca605f07ac39c8f5c
    Partial-Bug: 1424771

Change abandoned by Chris Holcombe (<email address hidden>) on branch: master
Review: https://review.openstack.org/351878

Reviewed: https://review.openstack.org/432290
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-mon/commit/?id=7389494cb9acf493ab1ae1e7b611def6886c4bda
Submitter: Jenkins
Branch: master

commit 7389494cb9acf493ab1ae1e7b611def6886c4bda
Author: Chris MacNaughton <email address hidden>
Date: Fri Feb 10 07:56:15 2017 -0500

    Sync in charms.ceph

    This brings in the new broker change to restrict
    key access by groups

    Change-Id: I9c3a973f996feec5383b174ef5a6a454ed4572c5
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/432289
Committed: https://git.openstack.org/cgit/openstack/charm-ceph/commit/?id=3dfeff7a19e16b166c302a8896b39e8357eeb6f7
Submitter: Jenkins
Branch: master

commit 3dfeff7a19e16b166c302a8896b39e8357eeb6f7
Author: Chris MacNaughton <email address hidden>
Date: Fri Feb 10 07:54:14 2017 -0500

    Sync in charms.ceph

    This brings in the new broker change to restrict
    key access by groups

    Change-Id: I19ad0142b4227ba555a0794e8b938372d9fdb84c
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/433864
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-mon/commit/?id=2aa46934b235fda13864795d4c3ebfbcb4defd78
Submitter: Jenkins
Branch: master

commit 2aa46934b235fda13864795d4c3ebfbcb4defd78
Author: Chris MacNaughton <email address hidden>
Date: Tue Feb 14 13:06:17 2017 -0600

    remove upgrade_keys

    This function is no longer necessary as we do
    not need to ensure that the remote units can
    create their own pools

    Partial-Bug: 1424771
    Change-Id: Id94c983b9631ac5a5c0a43813b2157724b148a87

Reviewed: https://review.openstack.org/433863
Committed: https://git.openstack.org/cgit/openstack/charm-ceph/commit/?id=024fe9215fe1ada7a5c4f2e44fb315a3486120be
Submitter: Jenkins
Branch: master

commit 024fe9215fe1ada7a5c4f2e44fb315a3486120be
Author: Chris MacNaughton <email address hidden>
Date: Tue Feb 14 13:09:05 2017 -0600

    remove upgrade_keys

    This function is no longer necessary as we do
    not need to ensure that the remote units can
    create their own pools

    Change-Id: I7e46b97ad2bb18a6e11a393a34f40e9bf51445c7
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/433555
Committed: https://git.openstack.org/cgit/openstack/charm-cinder-ceph/commit/?id=cee77d94143ab33d262fa57bffcf9363ef9ed4a5
Submitter: Jenkins
Branch: master

commit cee77d94143ab33d262fa57bffcf9363ef9ed4a5
Author: James Page <email address hidden>
Date: Tue Feb 14 10:01:17 2017 +0000

    Add support for cephx pool grouping and permissions

    Sync charmhelpers and add configuration option to allow access
    to ceph pools to be limited based on grouping.

    Cinder requires rwx access to pools associated with volumes,
    images and vms (to support rbd snapshots).

    Change-Id: If09137f5e36d78ab35d27f88624de5533c34ce53
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/432479
Committed: https://git.openstack.org/cgit/openstack/charm-cinder/commit/?id=d679c667767039ab7c3bc1fd5346b7c2a65bbf56
Submitter: Jenkins
Branch: master

commit d679c667767039ab7c3bc1fd5346b7c2a65bbf56
Author: Chris MacNaughton <email address hidden>
Date: Fri Feb 10 17:04:37 2017 -0500

    Add support for cephx pool grouping and permissions

    Sync charmhelpers and add configuration option to allow access
    to ceph pools to be limited based on grouping.

    Cinder requires rwx access to pools associated with volumes,
    images and vms (to support rbd snapshots).

    Change-Id: If1734c430108e193df0a58dc4c06ebe2b79990e3
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/433621
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=6fbc53d28f66f0fe418315676e16f8c3ad3ce7d5
Submitter: Jenkins
Branch: master

commit 6fbc53d28f66f0fe418315676e16f8c3ad3ce7d5
Author: James Page <email address hidden>
Date: Tue Feb 14 12:26:48 2017 +0000

    Add support for cephx pool grouping and permissions

    Sync charmhelpers and add configuration option to allow access
    to ceph pools to be limited based on grouping.

    Nova will require access to volumes, images and vms pool groups.

    Change-Id: I1c188d983609577ab34f7aef7854954c104b58bd
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/433586
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=29da04b58bd0eac3125ebd95b85b237fd7789713
Submitter: Jenkins
Branch: master

commit 29da04b58bd0eac3125ebd95b85b237fd7789713
Author: James Page <email address hidden>
Date: Tue Feb 14 10:46:27 2017 +0000

    Add support for cephx pool grouping and permissions

    Sync charmhelpers and add configuration option to allow access
    to ceph pools to be limited based on grouping.

    Glance only requires rwx access to pools containing images.

    Change-Id: I72611b38887a686f6acaeffd70bc4705a425a07b
    Partial-Bug: 1424771

Marking consuming charm tasks Fix Committed; charms have a new flag 'restrict-ceph-pools' which will enable restriction of access to underlying ceph pools using a grouping mechanism provided by the ceph broker in the ceph and ceph-mon charms.

Pools are groups into 'volumes', 'images', 'vms', 'objects' - example perms for a 'default' deployment:

client.cinder-ceph
        key: AQBgGqNYTLTXOBAA2VnYZ+lEXaFY0fn0bFg7Fg==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.glance
        key: AQBKGaNYXBqvKBAAQC8MjQ+5Aj/8YVZw7q3oZQ==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=glance
client.nova-compute
        key: AQA+GaNY1dZmGhAALeUWb0E9d2v6KI8VQG+c0w==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.radosgw.gateway
        key: AQBxM6NY0al5AhAAqg9mm7CtP4WpDvGiVJvfEg==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=default.rgw.buckets, ..., allow rwx pool=.rgw.root

Reviewed: https://review.openstack.org/433870
Committed: https://git.openstack.org/cgit/openstack/charm-ceph/commit/?id=06f517d18de20e869dbcce2927d86006f8899b4e
Submitter: Jenkins
Branch: master

commit 06f517d18de20e869dbcce2927d86006f8899b4e
Author: Chris MacNaughton <email address hidden>
Date: Tue Feb 14 13:22:50 2017 -0600

    Sync back in charms.ceph

    Change-Id: I188fd24fa2382657d14842b9022a6610f790d7db
    Partial-Bug: 1424771

Reviewed: https://review.openstack.org/433871
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-mon/commit/?id=dfd070202bcca626f6fa67ba36de5146174196eb
Submitter: Jenkins
Branch: master

commit dfd070202bcca626f6fa67ba36de5146174196eb
Author: Chris MacNaughton <email address hidden>
Date: Tue Feb 14 13:23:21 2017 -0600

    Sync back in charms.ceph

    Change-Id: I5d8956792a2de53d9d0f34b241206cb62295dcac
    Partial-Bug: 1424771