[cinder] discuss nas_secure options and root_squash (prohibiting root access to share)

Stefan Hoffmann stefan.hoffmann at cloudandheat.com
Mon Sep 6 08:11:37 UTC 2021


Hi cinder team,

Do you have any feedback on whether this approach [1] follows the "right" way
now?
I will add this point to the meeting this week. It would be nice if you could
have a look beforehand, so we can discuss it.

Regards
Stefan

[1] https://review.opendev.org/c/openstack/cinder/+/802882


On Mon, 2021-08-16 at 18:05 +0200, Stefan Hoffmann wrote:
> Hi cinder team,
> 
> As discussed in the last meeting, I prepared a list [1] of
> combinations of the nas_secure options and when to use them.
> 
> If one wants to prohibit root access to the NFS share, only setting
> nas_secure_file_operations and nas_secure_file_permissions to true is
> a useful option, I think. (Option 4)
> 
> But nas_secure_file_operations is also not useful for determining whether
> _qemu_img_info and the fs access check at _connect_device should be done
> with the root user or the cinder user.
> So I will update the change [2] as proposed in the etherpad.
> 
> Feel free to add other use cases and hints for the options to [1] and
> discuss the proposed change.
> 
> Regards
> Stefan
> 
> 
> [1] https://etherpad.opendev.org/p/gSotXYAZ3JfJE8FEpMpS
> [2] https://review.opendev.org/c/openstack/cinder/+/802882
> Initial Bug:
> https://bugs.launchpad.net/cinder/+bug/1938196?comments=all
> 
> 
