[Manila] Manila user overwriting existing Ceph users

Giulio Fidente gfidente at redhat.com
Thu Nov 12 10:56:44 UTC 2020

On 11/12/20 10:24 AM, Babel Jahson wrote:
> Hello everyone,
> I'm currently testing manila with CephFS and I stumbled upon a behavior
> where manila is able to overwrite existing Ceph users.
> In my testing setup glance, nova, cinder and manila share the same Ceph
> cluster. However they have different users.
> In this situation when you create a share and allow acces via "manila
> access-allow cephshare1 cephx test"
> If the user "test" is already used to access some pools on the cluster,
> let's say cinder-volume or glance-images it will be overwritten with the
> permissions for the share.
> Which will break any resources that was using it.
> I've recheck the configuration files multiple times to see if I could
> set some properties to avoid this but I didn't find any.
> By quickly looking at the code here :
> https://opendev.org/openstack/manila/src/branch/master/manila/share/drivers/cephfs/driver.py
> A check is done but only for the manila user. I'm on Rocky version but
> this part doesn't seems to have changed since.
> That lead me to some questions :
> - Does manila must have his own dedicated Ceph cluster ?
> - Is there any workaroud to this ? Other than putting some gibberish
> names for services users ?
> - Is it possible to lock some users in the Ceph cluster to prevent this
> behavior ?

hi Jahnson, I am adding a few folks who can probably help us better but
I also wanted to ask a question to understand better the use case

the cephx user which cinder/glance/nova use has specific permissions to
operate on their pools and this is configured in their respective
config, not something you have access from the actual openstack guests;
are you saying that "access-allow" is overwriting the cephx caps which
were set for the cephx user which, for example, cinder is configured to use?

in that case maybe better would be for the manila workflow to add/remove
caps to existing users instead of overwriting the caps? is that be what
you expected to happen?
Giulio Fidente

More information about the openstack-discuss mailing list