Thanks for your responses!


On 13.12.23 18:40, Jonathan Rosser wrote:
Hi Christian,

If you dig through the various deployment tooling then you'll find things like
https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/ceph.yml#L53-L60

Yes indeed. Once you know which technical terms to search for you'll see these kinds of configurations "all over":


Charm
* https://review.opendev.org/q/topic:%22bug/1696073%22
* https://bugs.launchpad.net/charm-glance/+bug/1696073

RedHat Ceph Config guide on OpenStack clients:
* https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html/ceph_block_device_to_openstack_guide/installing_and_configuring_ceph_clients#setting_up_ceph_client_authentication

....



On 14.12.23 13:16, Erno Kuvaja wrote:
On Thu, 14 Dec 2023 at 10:28, Eugen Block <eblock@nde.ag> wrote:
Interesting, I have a kolla-ansible one-node cluster with Antelope and 
there I see what you describe as well. So the behavior did indeed 
change. I guess the docs should be updated and contain read-only rbd 
profile for glance.

This sounds like regression to me.

We debated about it a lot when Ceph broke their backwards compatibility on deletes and I'm pretty sure, if my memory serves me right, that we found a solution in the Ceph store driver to not need the permissions to other pools. There really is no excuse why Glance should have read access to volume data or Nova Ephemeral data.

See my references above. It's nice to have the various deployment tools and methods all "fix" this, but first and foremost this needs to be properly documented in the source documentation of Glance, Cinder and Nova.

I wonder why there are no unit tests that fail because of this?
Looking at what devstack does at [1] it appears that

a) it actually applies "allow class-read object_prefix rbd_children", which is not what is currently documented in the setup guide(s) (see [2] and [3])
b) it unnecessarily grants read permissions to NOVA_CEPH_POOL ("vms") and CINDER_CEPH_POOL ("volumes") also for the Glance user
c) does NOT use the managed capabilities called "profiles" such as "rbd" or "rbd-readonly" instead of raw ACLs such as "rwx", see [4].
This also differs in the Cinder / Glance documentation and makes a great difference, as "such privileges include the ability to blocklist other client users",
required for locks of stale RBD clients to be removed from images, see https://docs.ceph.com/en/latest/rbd/rbd-exclusive-locks/#rbd-exclusive-locks.

I suggest updating the documentation and also the devstack plugin to properly use the agreed best practices.
Maybe it makes sense to move the conversation and bugfixes to the Launchpad bug I raised about this issue [5]?



Regards


Christian



[1] https://opendev.org/openstack/devstack-plugin-ceph/src/commit/4c22c3d0905589d676bf4865ca5cf57994eb426d/devstack/lib/ceph#L712
[2] https://docs.openstack.org/glance/latest/configuration/configuring.html#configuring-the-rbd-storage-backend
[3] https://docs.ceph.com/en/latest/rbd/rbd-openstack/#setup-ceph-client-authentication
[4] https://docs.ceph.com/en/latest/rados/operations/user-management/#authorization-capabilities
[5] https://bugs.launchpad.net/glance/+bug/2045158
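As an added example (not part of the thread, nor of devstack, Glance or Ceph), here is a small audit script for points a) to c) above: it parses the caps of a keyring as printed by `ceph auth get client.glance`, flags every raw "allow ..." ACL that is not a managed "profile rbd" cap, every OSD grant that is not pinned to a pool, and every pool other than the Glance image pool. The "raw ACL" keyring below is constructed to mirror what the mail describes (class-read on rbd_children, rwx ACLs, read access to "vms" and "volumes"); it is not real devstack output. The "recommended" caps are the profile-based ones from the Ceph rbd-openstack guide [3]; the pool names "images", "vms" and "volumes" are the devstack defaults named above and are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches one caps line of a Ceph keyring as printed by `ceph auth get <entity>`,
# e.g.:   caps osd = "profile rbd pool=images"
CAPS_RE = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"(.*)"\s*$')


@dataclass
class Grant:
    daemon: str             # mon, osd or mgr
    profile: Optional[str]  # managed profile name (e.g. "rbd"), None for a raw ACL
    perms: Optional[str]    # raw permission string such as "rwx" or "class-read"
    pool: Optional[str]     # pool the grant is restricted to, None if unrestricted
    clause: str             # the clause exactly as written in the keyring


def parse_keyring_caps(text: str) -> List[Grant]:
    """Split the caps of a keyring into individual grants (comma-separated clauses)."""
    grants: List[Grant] = []
    for line in text.splitlines():
        m = CAPS_RE.match(line)
        if not m:
            continue
        daemon, capstr = m.group(1), m.group(2)
        for clause in (c.strip() for c in capstr.split(",")):
            if not clause:
                continue
            tokens = clause.split()
            pool_m = re.search(r"\bpool=(\S+)", clause)
            pool = pool_m.group(1) if pool_m else None
            if tokens[0] == "profile" and len(tokens) > 1:
                grants.append(Grant(daemon, tokens[1], None, pool, clause))
            elif tokens[0] == "allow" and len(tokens) > 1:
                grants.append(Grant(daemon, None, tokens[1], pool, clause))
            else:
                # Unknown grammar: keep it so the audit still reports it as a raw grant.
                grants.append(Grant(daemon, None, clause, pool, clause))
    return grants


def audit_glance_caps(text: str, allowed_pools=("images",)) -> List[str]:
    """One finding per grant that is a raw ACL, an unrestricted OSD grant, or a pool Glance does not own."""
    findings: List[str] = []
    for g in parse_keyring_caps(text):
        if g.profile is None:
            findings.append(f"{g.daemon}: raw ACL '{g.clause}' instead of a managed 'profile rbd' cap")
        if g.daemon != "osd":
            continue
        if g.pool is None:
            findings.append(f"osd: '{g.clause}' is not restricted to a pool")
        elif g.pool not in allowed_pools:
            findings.append(f"osd: pool '{g.pool}' granted via '{g.clause}' is not needed by Glance")
    return findings


def recommended_caps(pool: str = "images") -> Dict[str, str]:
    """Profile-based caps for the Glance user as given in the Ceph rbd-openstack guide."""
    return {"mon": "profile rbd", "osd": f"profile rbd pool={pool}", "mgr": f"profile rbd pool={pool}"}


def caps_command(client: str, caps: Dict[str, str]) -> str:
    """Render the `ceph auth caps` call that replaces an entity's caps (rendered only, never executed here)."""
    return f"ceph auth caps {client} " + " ".join(f"{d} '{c}'" for d, c in caps.items())


def render_keyring(client: str, caps: Dict[str, str]) -> str:
    """Render caps in keyring syntax so they can be fed back into the audit."""
    return f"[{client}]\n" + "".join(f'\tcaps {d} = "{c}"\n' for d, c in caps.items())


# Constructed sample (assumption, not real devstack output): raw "allow" ACLs, the
# rbd_children class-read clause, and read access to the Nova/Cinder pools for Glance.
RAW_ACL_KEYRING = """[client.glance]
\tkey = <redacted>
\tcaps mon = "allow r"
\tcaps osd = "allow class-read object_prefix rbd_children, allow rwx pool=images, allow r pool=vms, allow r pool=volumes"
"""

if __name__ == "__main__":
    for finding in audit_glance_caps(RAW_ACL_KEYRING):
        print("FINDING:", finding)
    print("fix:", caps_command("client.glance", recommended_caps()))
```

Run it against `ceph auth get client.glance` output from a real deployment to see which of the three points applies there; the profile-based caps pass the audit with no findings, because "profile rbd" on the monitor carries the blocklist privilege that a raw "allow r" lacks, and "profile rbd pool=images" on the OSDs stays inside the image pool.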