From b3c68b777a53e78fb77b7af98952bcc7d97bb06f Mon Sep 17 00:00:00 2001
From: Brian Rosmaita <rosmaita.fossdev@gmail.com>
Date: Thu, 31 Oct 2019 14:17:19 -0400
Subject: [PATCH] Deprecate rbd_keyring_conf option

This option presents a security risk; see OSSN-0085.

Change-Id: I345a3b4bf3b328b0e547016f481518d252f734b9
Partial-bug: #1849624
---
 cinder/volume/drivers/rbd.py                   |  4 ++++
 ...cate-rbd_keyring_conf-432efbcd47e52c8a.yaml | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml

diff --git a/cinder/volume/drivers/rbd.py b/cinder/volume/drivers/rbd.py
index 70adce85b73..82a9feb6aee 100644
--- a/cinder/volume/drivers/rbd.py
+++ b/cinder/volume/drivers/rbd.py
@@ -69,6 +69,10 @@ RBD_OPTS = [
                default='',  # default determined by librados
                help='Path to the ceph configuration file'),
     cfg.StrOpt('rbd_keyring_conf',
+               deprecated_for_removal=True,
+               deprecated_reason='Use of this option exposes a security '
+                                 'vulnerability.  See OSSN-0085 for details.',
+               deprecated_since='Ussuri',
                default='',
                help='Path to the ceph keyring file'),
     cfg.BoolOpt('rbd_flatten_volume_from_snapshot',
diff --git a/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml b/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml
new file mode 100644
index 00000000000..f2a4083d697
--- /dev/null
+++ b/releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml
@@ -0,0 +1,18 @@
+---
+security:
+  - |
+    Due to `OSSN-0085
+    <https://wiki.openstack.org/wiki/OSSN/OSSN-0085>`_:
+    Cinder configuration option can leak secret key from Ceph backend,
+    deployers using the ``rbd_keyring_conf`` option are advised to stop
+    using it immediately.  The option has been deprecated for removal
+    early in the 'V' development cycle.
+deprecations:
+  - |
+    The configuration option ``rbd_keyring_conf`` for the Ceph cinder
+    driver presents a security risk and the option is hereby deprecated
+    and scheduled to be removed early in the 'V' development cycle,
+    following the standard OpenStack deprecation policy.  For more
+    information, see `OSSN-0085
+    <https://wiki.openstack.org/wiki/OSSN/OSSN-0085>`_:
+    Cinder configuration option can leak secret key from Ceph backend.