[cinder] discuss nas_secure options and root_squash (prohibiting root access to share)
Hi cinder team,

as discussed in the last meeting, I prepared a list [1] of combinations of the nas_secure options and when to use them.

If one wants to prohibit root access to the NFS share, only setting nas_secure_file_operations and nas_secure_file_permissions to true is a useful option, I think. (Option 4)

But also the nas_secure_file_operations option is not useful to determine if _qemu_img_info and the fs access check at _connect_device should be done with the root user or the cinder user. So I will update the change [2] as proposed in the etherpad.

Feel free to add other use cases and hints for the options to [1] and to discuss the proposed change.

Regards
Stefan

[1] https://etherpad.opendev.org/p/gSotXYAZ3JfJE8FEpMpS
[2] https://review.opendev.org/c/openstack/cinder/+/802882
Initial Bug: https://bugs.launchpad.net/cinder/+bug/1938196?comments=all
Hi cinder team,

do you have any feedback on whether this approach [1] follows the "right" way now?

I will add this point to the meeting this week; it would be nice if you could have a look beforehand, so we can discuss it.

Regards
Stefan

[1] https://review.opendev.org/c/openstack/cinder/+/802882

On Mon, 2021-08-16 at 18:05 +0200, Stefan Hoffmann wrote:
> Hi cinder team,
>
> as discussed in the last meeting, I prepared a list [1] of combinations of the nas_secure options and when to use them.
>
> If one wants to prohibit root access to the NFS share, only setting nas_secure_file_operations and nas_secure_file_permissions to true is a useful option, I think. (Option 4)
>
> But also the nas_secure_file_operations option is not useful to determine if _qemu_img_info and the fs access check at _connect_device should be done with the root user or the cinder user. So I will update the change [2] as proposed in the etherpad.
>
> Feel free to add other use cases and hints for the options to [1] and to discuss the proposed change.
>
> Regards
> Stefan
>
> [1] https://etherpad.opendev.org/p/gSotXYAZ3JfJE8FEpMpS
> [2] https://review.opendev.org/c/openstack/cinder/+/802882
> Initial Bug: https://bugs.launchpad.net/cinder/+bug/1938196?comments=all
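The "Option 4" setup the thread refers to (both nas_secure options set to true so that cinder never needs root on the share) only works if the NFS server side agrees with it. The following is an added illustration, not part of the thread or of the cinder project's documentation: a cinder.conf backend section for the generic NFS driver beside the matching server-side export line. The backend name, share path, export subnet and the /etc/cinder/nfs_shares path are assumed example values.

```ini
; cinder.conf (example values, not from the thread)
[nfs-backend-1]
volume_backend_name = nfs-backend-1
volume_driver = cinder.volume.drivers.nfs.NfsDriver
nfs_shares_config = /etc/cinder/nfs_shares

; Option 4 from the etherpad list: cinder performs file operations as the
; cinder service user and creates volume files without world-writable
; permissions, so the share can be exported with root_squash.
nas_secure_file_operations = true
nas_secure_file_permissions = true

; The weaker setting, shown for contrast: cinder runs file operations as
; root, which only works if the server exports with no_root_squash.
; nas_secure_file_operations = false
; nas_secure_file_permissions = false

; /etc/exports on the NFS server (example values) matching Option 4.
; root_squash maps uid 0 from the cinder host to the anonymous user, so a
; compromised or misconfigured root on the cinder host cannot write as
; root on the share. The exported directory must be owned by (or writable
; for) the uid/gid the cinder service runs as on the cinder host.
; /srv/cinder-volumes 192.0.2.0/24(rw,sync,root_squash,no_subtree_check)
```

A quick consistency check on an existing deployment is to compare the two sides: if an export carries root_squash while the backend still has nas_secure_file_operations set to false (or left at auto on a share where files already exist), the driver's root-based operations will fail with permission errors, which is the class of problem the referenced bug report and review are about.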