)]}'
{"security-notes/OSSN-0085":[{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"f63302e0130ef19e9a9ac7bb4c18a9830afb738c","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"### Discussion ###"},{"line_number":14,"context_line":"When the ``rbd_keyring_conf`` option is set, a user who creates a volume"},{"line_number":15,"context_line":"and then does a local attach of that volume, may discover the keyring"},{"line_number":16,"context_line":"content for the Ceph cluster.  If this user gains access to the Ceph"},{"line_number":17,"context_line":"cluster independently of Cinder, these credentials may be used to access"},{"line_number":18,"context_line":"any volume in the cluster."}],"source_content_type":"application/octet-stream","patch_set":2,"id":"3fa7e38b_57bf1360","line":15,"range":{"start_line":15,"start_character":16,"end_line":15,"end_character":43},"updated":"2019-10-31 13:13:14.000000000","message":"Maybe it\u0027s worth mention that this only happens if they call the REST API and not in the normal Nova attach process.","commit_id":"88216a913e1df0ca25abd30c9a84c999fc6a79ac"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6776bbb5d4eb1bae708cb68f0a64e3c244472e88","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"### Discussion ###"},{"line_number":14,"context_line":"When the ``rbd_keyring_conf`` option is set, a user who creates a volume"},{"line_number":15,"context_line":"and then does a local attach of that volume, may discover the keyring"},{"line_number":16,"context_line":"content for the Ceph cluster.  If this user gains access to the Ceph"},{"line_number":17,"context_line":"cluster independently of Cinder, these credentials may be used to access"},{"line_number":18,"context_line":"any volume in the cluster."}],"source_content_type":"application/octet-stream","patch_set":2,"id":"3fa7e38b_727a5d88","line":15,"range":{"start_line":15,"start_character":16,"end_line":15,"end_character":43},"in_reply_to":"3fa7e38b_57bf1360","updated":"2019-10-31 13:22:06.000000000","message":"Good idea, it may reduce the freakout factor.","commit_id":"88216a913e1df0ca25abd30c9a84c999fc6a79ac"},{"author":{"_account_id":9535,"name":"Gorka Eguileor","email":"geguileo@redhat.com","username":"Gorka"},"change_message_id":"f63302e0130ef19e9a9ac7bb4c18a9830afb738c","unresolved":false,"context_lines":[{"line_number":25,"context_line":"continue working, the Ceph keyring secrets should be deployed directly"},{"line_number":26,"context_line":"on cinder-backup hosts in their standard location:"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"    /etc/cinder/\u003cbackend_name\u003e.keyring.conf"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"### Contacts / References ###"},{"line_number":31,"context_line":"Author: Brian Rosmaita, Red Hat"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"3fa7e38b_17119b5d","line":28,"updated":"2019-10-31 13:13:14.000000000","message":"I don\u0027t think this is correct...  I think it\u0027s:\n\n  /etc/ceph/\u003ccluster_name\u003e.client.\u003cuser_name\u003e.keyring\n\nAt least according to https://opendev.org/openstack/os-brick/src/commit/87171abef8bf2336f15ce3a7949f77d7999e11b7/os_brick/initiator/connectors/rbd.py#L76","commit_id":"88216a913e1df0ca25abd30c9a84c999fc6a79ac"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6776bbb5d4eb1bae708cb68f0a64e3c244472e88","unresolved":false,"context_lines":[{"line_number":25,"context_line":"continue working, the Ceph keyring secrets should be deployed directly"},{"line_number":26,"context_line":"on cinder-backup hosts in their standard location:"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"    /etc/cinder/\u003cbackend_name\u003e.keyring.conf"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"### Contacts / References ###"},{"line_number":31,"context_line":"Author: Brian Rosmaita, Red Hat"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"3fa7e38b_d26a31b1","line":28,"in_reply_to":"3fa7e38b_17119b5d","updated":"2019-10-31 13:22:06.000000000","message":"Good catch!","commit_id":"88216a913e1df0ca25abd30c9a84c999fc6a79ac"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"49f55244d78f07e920e3c0ae54d5c3b487dff13c","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If this user then gains access to the Ceph cluster independently of"},{"line_number":21,"context_line":"Cinder, these credentials may be used to access any volume in the"},{"line_number":22,"context_line":"cluster."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"This issue was reported by Raphael Glon of OVH."},{"line_number":25,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":3,"id":"3fa7e38b_cd3ff622","line":22,"updated":"2019-10-31 14:38:10.000000000","message":"This may be a good place to also mention https://security.openstack.org/ossa/OSSA-2019-003.html since that\u0027s a relatively recent vulnerability which was literally observed leaking Ceph backend credentials to normal users through the Nova API in another public cloud provider.","commit_id":"728d30a1921fe7b871eb0b163254b7ebb4fa9d05"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"c20a58dc5f0185b5a8ca2c43ce043a79b542d089","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If this user then gains access to the Ceph cluster independently of"},{"line_number":21,"context_line":"Cinder, these credentials may be used to access any volume in the"},{"line_number":22,"context_line":"cluster."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"This issue was reported by Raphael Glon of OVH."},{"line_number":25,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":3,"id":"3fa7e38b_c825a4c3","line":22,"in_reply_to":"3fa7e38b_68e110d0","updated":"2019-10-31 15:57:27.000000000","message":"It won\u0027t hurt to mention the OSSA.  I\u0027ll try to work it in here in a non-misleading way.","commit_id":"728d30a1921fe7b871eb0b163254b7ebb4fa9d05"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"f451bb5402636502ac3b5ba28fba6b798d17d0b6","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If this user then gains access to the Ceph cluster independently of"},{"line_number":21,"context_line":"Cinder, these credentials may be used to access any volume in the"},{"line_number":22,"context_line":"cluster."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"This issue was reported by Raphael Glon of OVH."},{"line_number":25,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":3,"id":"3fa7e38b_68e110d0","line":22,"in_reply_to":"3fa7e38b_cd3ff622","updated":"2019-10-31 15:26:52.000000000","message":"++","commit_id":"728d30a1921fe7b871eb0b163254b7ebb4fa9d05"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"ca3d2644adee66c6c32ae71d976dd00907388f49","unresolved":false,"context_lines":[{"line_number":29,"context_line":"security advisory and make sure your system has been updated or patched"},{"line_number":30,"context_line":"to address it:"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"    https://security.openstack.org/ossa/OSSA-2019-003.html"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"### Recommended Actions ###"},{"line_number":35,"context_line":"Any installation currently using the ``rbd_keyring_conf`` option should"}],"source_content_type":"application/octet-stream","patch_set":4,"id":"3fa7e38b_aee631af","line":32,"updated":"2019-10-31 16:53:54.000000000","message":"Yep, cool, thanks! Mostly just wanting to make sure folks know that patching Nova there is important since the two of these together could be a dangerous combo.","commit_id":"d7ea3628f2538e073583aba77143f010e339e556"}]}