From 4aa3f20af41bce1b4ed1538720b685d0959bc829 Mon Sep 17 00:00:00 2001 From: Sean McGinnis Date: Wed, 13 May 2020 09:27:18 -0500 Subject: [PATCH] [stable only] Add warning about rbd_keyring_conf This adds a warning message to the driver documentation page to make sure it is visible that this config option should not be used due to security concerns. We can't backport the deprecation of the config option, but we can backport this doc warning to help prevent this option from being used. Also includes part of a squash for the release note from: Deprecate rbd_keyring_conf option Change-Id: I345a3b4bf3b328b0e547016f481518d252f734b9 Related-bug: #1849624 Change-Id: Ief2c868d6a9baf6793cd9070a4451835a90752aa Signed-off-by: Sean McGinnis (cherry picked from commit 0f7a3ddd3c4d4173612b4ea86c31c8b301ff2153) (cherry picked from commit ac6e0c472fb6276afbd6d421c410ccc844369563) (cherry picked from commit 7a33e5fa791b77ead0bddb052b875cffd24933de) --- .../block-storage/drivers/ceph-rbd-volume-driver.rst | 9 +++++++++ .../deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml | 9 +++++++++ 2 files changed, 18 insertions(+) create mode 100644 releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml diff --git a/doc/source/configuration/block-storage/drivers/ceph-rbd-volume-driver.rst b/doc/source/configuration/block-storage/drivers/ceph-rbd-volume-driver.rst index 78c564b9ab9..5b2acf57abf 100644 --- a/doc/source/configuration/block-storage/drivers/ceph-rbd-volume-driver.rst +++ b/doc/source/configuration/block-storage/drivers/ceph-rbd-volume-driver.rst 
@@ -87,6 +87,15 @@ Driver options The following table contains the configuration options supported by the Ceph RADOS Block Device driver. +.. warning:: + Due to security concerns, it is recommended deployers do not use the + ``rbd_keyring_conf`` option. This configuration option has been deprecated + and will be removed in the Victoria release. + + For more information, see `OSSN-0085 Cinder configuration option can leak + secret key from Ceph backend. + `_ + .. config-table:: :config-target: Ceph storage diff --git a/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml b/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml new file mode 100644 index 00000000000..74388a17a62 --- /dev/null +++ b/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml @@ -0,0 +1,9 @@ +--- +security: + - | + Due to `OSSN-0085 + `_: + Cinder configuration option can leak secret key from Ceph backend, + deployers using the ``rbd_keyring_conf`` option are advised to stop + using it immediately. The option has been deprecated for removal + as of Ussuri and will be removed in the Victoria development cycle.
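Review bot: In the ``.. warning::`` block added to ceph-rbd-volume-driver.rst, "has been deprecated and will be removed in the Victoria release" does not name the release in which the deprecation landed. The commit message says the deprecation itself cannot be backported, and the release note in this same patch says "as of Ussuri", so a stable-branch reader will not see a deprecation marker on the option in the config table that follows. Suggest "deprecated as of Ussuri and will be removed in the Victoria release" to match the release note. The warning also conveys the risk only through the link title; a short clause stating that the option can leak the Ceph backend secret key would keep the warning useful when the link is not followed. Finally, check the link markup: in these lines no target appears between the link text and the closing `_, and the trailing period sits inside the link text.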
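Review bot: The ``security:`` entry in deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml tells deployers to "stop using it immediately" but gives no indication of what that involves. Suggest adding one sentence that either names the action (removing ``rbd_keyring_conf`` from the backend configuration) or states that the steps are described in the linked OSSN. The sentence also runs the OSSN title straight into the advice ("...from Ceph backend, deployers using the..."); ending the sentence after the title would read more clearly. The removal is worded as "the Victoria development cycle" here and "the Victoria release" in the doc warning of the same patch; use one phrasing in both places.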