[cinder] discuss nas_secure options and root_squash (prohibiting root access to share)

Stefan Hoffmann stefan.hoffmann at cloudandheat.com
Mon Aug 16 16:05:04 UTC 2021

Hi cinder team,

As discussed in the last meeting, I prepared a list [1] of
combinations of the nas_secure options and when to use them.

If one wants to prohibit root access to the NFS share, only setting
nas_secure_file_operations and nas_secure_file_permissions to true is a
useful option, I think. (Option 4)

But also the nas_secure_file_operations is not useful to determine if
_qemu_img_info and fs access check at _connect_device should be done
with root user or cinder user.
So I will update the change [2] as proposed in the etherpad.

Feel free to add other use cases and hints for the options to [1] and
discuss the proposed change.


[1] https://etherpad.opendev.org/p/gSotXYAZ3JfJE8FEpMpS
[2] https://review.opendev.org/c/openstack/cinder/+/802882
Initial Bug:

