From b3c68b777a53e78fb77b7af98952bcc7d97bb06f Mon Sep 17 00:00:00 2001
From: Brian Rosmaita
Date: Thu, 31 Oct 2019 14:17:19 -0400
Subject: [PATCH] Deprecate rbd_keyring_conf option

This option presents a security risk; see OSSN-0085.

Change-Id: I345a3b4bf3b328b0e547016f481518d252f734b9
Partial-bug: #1849624
---
 cinder/volume/drivers/rbd.py | 4 ++++
 ...cate-rbd_keyring_conf-432efbcd47e52c8a.yaml | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml

diff --git a/cinder/volume/drivers/rbd.py b/cinder/volume/drivers/rbd.py
index 70adce85b73..82a9feb6aee 100644
--- a/cinder/volume/drivers/rbd.py
+++ b/cinder/volume/drivers/rbd.py
@@ -69,6 +69,10 @@ RBD_OPTS = [
 default='', # default determined by librados
 help='Path to the ceph configuration file'),
 cfg.StrOpt('rbd_keyring_conf',
+ deprecated_for_removal=True,
+ deprecated_reason='Use of this option exposes a security '
+ 'vulnerability. See OSSN-0085 for details.',
+ deprecated_since='Ussuri',
 default='',
 help='Path to the ceph keyring file'),
 cfg.BoolOpt('rbd_flatten_volume_from_snapshot',
diff --git a/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml b/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml
new file mode 100644
index 00000000000..f2a4083d697
--- /dev/null
+++ b/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml
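Review bot: The new `deprecated_reason` on `rbd_keyring_conf` tells an operator that a vulnerability exists but not what to do about it, and nothing in this hunk stops the option from being honoured during the deprecation period. The release note in the same commit is more direct (stop using the option immediately, the Ceph secret key can leak), so the deprecation warning that oslo.config logs when the option is set should carry the same instruction, e.g. `deprecated_reason='This option can leak the Ceph secret key; unset it immediately. See OSSN-0085 for details.',`. The code that reads the option is outside this hunk, so whether the driver still acts on a configured value cannot be confirmed from here; the Partial-bug trailer suggests a follow-up change is expected. RBD_OPTS starts and ends outside the hunk.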
@@ -0,0 +1,18 @@
+---
+security:
+ - |
+ Due to `OSSN-0085
+ `_:
+ Cinder configuration option can leak secret key from Ceph backend,
+ deployers using the ``rbd_keyring_conf`` option are advised to stop
+ using it immediately. The option has been deprecated for removal
+ early in the 'V' development cycle.
+deprecations:
+ - |
+ The configuration option ``rbd_keyring_conf`` for the Ceph cinder
+ driver presents a security risk and the option is hereby deprecated
+ and scheduled to be removed early in the 'V' development cycle,
+ following the standard OpenStack deprecation policy. For more
+ information, see `OSSN-0085
+ `_:
+ Cinder configuration option can leak secret key from Ceph backend.