[Manila] Manila user overwriting existing Ceph users

Babel Jahson jahson.babel at cc.in2p3.fr
Thu Nov 12 09:24:30 UTC 2020

Hello everyone,

I'm currently testing manila with CephFS and I stumbled upon a behavior 
where manila is able to overwrite existing Ceph users.
In my testing setup glance, nova, cinder and manila share the same Ceph 
cluster. However they have different users.
In this situation when you create a share and allow acces via "manila 
access-allow cephshare1 cephx test"
If the user "test" is already used to access some pools on the cluster, 
let's say cinder-volume or glance-images it will be overwritten with the 
permissions for the share.
Which will break any resources that was using it.
I've recheck the configuration files multiple times to see if I could 
set some properties to avoid this but I didn't find any.
By quickly looking at the code here : 
A check is done but only for the manila user. I'm on Rocky version but 
this part doesn't seems to have changed since.

That lead me to some questions :
- Does manila must have his own dedicated Ceph cluster ?
- Is there any workaroud to this ? Other than putting some gibberish 
names for services users ?
- Is it possible to lock some users in the Ceph cluster to prevent this 
behavior ?

If someone has some clues on this, thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201112/6e03a0dd/attachment.html>

More information about the openstack-discuss mailing list