Comment 6 for bug 1904015

Goutham Pacha Ravi (gouthamr) wrote :

An update regarding this bug.

We have held several rounds of brainstorming sessions with CephFS engineers in the past couple of weeks. It became apparent in the earliest discussions that a manila-side resolution by maintaining a "denylist" of ceph users isn't helpful in the long run. It would merely allow OpenStack administrators to set aside some unusable user names - but leaves the security hole unplugged for other non-OpenStack consumers.

The current solution we're working on is in the ceph_volume_client library - and not in manila. When this fix lands, only users created by manila can be manipulated by manila. This will disallow pre-existing users from consuming CephFS shares via manila. The consequence is that you may have to make up a cephx user name to interact with manila if your "manila access-allow" command fails. This is a bit of a workaround, and we'll document this behavior loud and clear. We'll also work on adding an asynchronous user message in manila to enhance the user experience and allow users to discover this if they don't read the documentation.

A CVE has been reserved for this vulnerability in the ceph_volume_client: CVE-2020-27781 "ceph: vulnerability in RHCS"

This issue is still under embargo. We expect this embargo to end in mid-December 2020. At the embargo end-date, we'll have patches submitted against ceph (https://github.com/ceph/ceph) to patch this vulnerability.

It's, however, entirely possible that we don't keep these timelines. Please bear with me as we're working through this via various teams/channels.

Thanks!
Goutham
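The comment above describes the shape of the fix without showing its mechanism: the share service may only manipulate cephx users it created itself, and a caller whose "access-allow" collides with a pre-existing user has to pick a fresh name. The following added example (not code from manila, ceph_volume_client or this bug thread) models that ownership rule in a toy authorizer. All class and method names, and the sample list of pre-existing cluster users, are constructed for illustration and do not reflect the real library API.

```python
"""Toy model of "a service may only touch identities it created itself".

Hypothetical code written for illustration; it is not the ceph_volume_client
or manila implementation and invents its own names.
"""


class PreexistingUserError(Exception):
    """Raised when the service is asked to modify an identity it did not create."""


class OwnedUserAuthorizer:
    """Hands out per-user access to shares, but only for users it owns.

    `existing_users` stands in for cephx entities that already live in the
    cluster before the service ever ran (constructed sample data). Anything
    the service creates is recorded in `_owned`; only those entries may be
    granted further access or revoked.
    """

    def __init__(self, existing_users):
        self._cluster_users = set(existing_users)  # simulated cluster state
        self._owned = {}  # user name -> set of shares granted by this service

    def user_exists(self, user):
        return user in self._cluster_users

    def is_owned(self, user):
        return user in self._owned

    def access_allow(self, share, user):
        """Grant `user` access to `share`, creating the user if needed.

        Refuses to reuse an entity that exists in the cluster but was not
        created here: that is the pre-existing-user case the fix closes.
        """
        if user in self._cluster_users and user not in self._owned:
            raise PreexistingUserError(
                f"{user!r} already exists and was not created by this service; "
                "choose a different user name"
            )
        self._cluster_users.add(user)  # create the entity if it is new
        self._owned.setdefault(user, set()).add(share)
        return sorted(self._owned[user])

    def access_deny(self, share, user):
        """Revoke `share` from `user`; drop the entity once it has no shares."""
        shares = self._owned.get(user)
        if shares is None:
            raise PreexistingUserError(
                f"{user!r} is not managed by this service; refusing to modify it"
            )
        shares.discard(share)
        if not shares:
            # The service created this entity, so it may also remove it.
            del self._owned[user]
            self._cluster_users.discard(user)
        return sorted(shares)

    def suggest_free_name(self, base):
        """Workaround helper: find an unused name derived from `base`."""
        candidate = base
        suffix = 1
        while self.user_exists(candidate):
            candidate = f"{base}-{suffix}"
            suffix += 1
        return candidate


def demo():
    # Constructed sample cluster: two entities that predate the service.
    auth = OwnedUserAuthorizer(["client.admin", "client.backup"])
    try:
        auth.access_allow("share-a", "client.admin")
        collided = False
    except PreexistingUserError:
        collided = True
    fresh = auth.suggest_free_name("client.admin")
    auth.access_allow("share-a", fresh)
    return collided, fresh, auth.is_owned(fresh)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry: the service remembers what it created and treats everything else as read-only, so a pre-existing privileged entity cannot be re-keyed or deleted through the share API, while tenants who hit the collision simply pick another name.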