[Manila] Manila user overwriting existing Ceph users
jahson.babel at cc.in2p3.fr
Thu Nov 12 09:24:30 UTC 2020
I'm currently testing manila with CephFS and I stumbled upon a behavior
where manila is able to overwrite existing Ceph users.
In my testing setup glance, nova, cinder and manila share the same Ceph
cluster. However they have different users.
In this situation when you create a share and allow acces via "manila
access-allow cephshare1 cephx test"
If the user "test" is already used to access some pools on the cluster,
let's say cinder-volume or glance-images it will be overwritten with the
permissions for the share.
Which will break any resources that was using it.
I've recheck the configuration files multiple times to see if I could
set some properties to avoid this but I didn't find any.
By quickly looking at the code here :
A check is done but only for the manila user. I'm on Rocky version but
this part doesn't seems to have changed since.
That lead me to some questions :
- Does manila must have his own dedicated Ceph cluster ?
- Is there any workaroud to this ? Other than putting some gibberish
names for services users ?
- Is it possible to lock some users in the Ceph cluster to prevent this
If someone has some clues on this, thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openstack-discuss