Merge "Deprecate rbd_keyring_conf option"

changes/33/695633/1
Zuul 2 weeks ago
parent
commit
f5b188a70f
2 changed files with 22 additions and 0 deletions
  1. cinder/volume/drivers/rbd.py (+4, -0)
  2. releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml (+18, -0)

cinder/volume/drivers/rbd.py (+4, -0)

@@ -69,6 +69,10 @@ RBD_OPTS = [
default='', # default determined by librados
help='Path to the ceph configuration file'),
cfg.StrOpt('rbd_keyring_conf',
deprecated_for_removal=True,
deprecated_reason='Use of this option exposes a security '
'vulnerability. See OSSN-0085 for details.',
deprecated_since='Ussuri',
default='',
help='Path to the ceph keyring file'),
cfg.BoolOpt('rbd_flatten_volume_from_snapshot',
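
Review bot: the deprecated_reason on rbd_keyring_conf names OSSN-0085 but gives neither the link nor the action to take, and it is the text operators are shown for the deprecated option. Consider adding the https://wiki.openstack.org/wiki/OSSN/OSSN-0085 URL that the release note already uses, plus the advice to stop setting the option. The unchanged help='Path to the ceph keyring file' still reads as if this were an ordinary option; a short mention of the deprecation there would help anyone reading only the help text.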

releasenotes/notes/deprecate-rbd_keyring_conf-432efbcd47e52c8a.yaml (+18, -0)

@@ -0,0 +1,18 @@
---
security:
- |
Due to `OSSN-0085
<https://wiki.openstack.org/wiki/OSSN/OSSN-0085>`_:
Cinder configuration option can leak secret key from Ceph backend,
deployers using the ``rbd_keyring_conf`` option are advised to stop
using it immediately. The option has been deprecated for removal
early in the 'V' development cycle.
deprecations:
- |
The configuration option ``rbd_keyring_conf`` for the Ceph cinder
driver presents a security risk and the option is hereby deprecated
and scheduled to be removed early in the 'V' development cycle,
following the standard OpenStack deprecation policy. For more
information, see `OSSN-0085
<https://wiki.openstack.org/wiki/OSSN/OSSN-0085>`_:
Cinder configuration option can leak secret key from Ceph backend.
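
Review bot: in the security entry, "The option has been deprecated for removal early in the 'V' development cycle" can be read as saying the deprecation itself happens in 'V', while the code change marks it deprecated_since='Ussuri'. The deprecations entry words it unambiguously ("hereby deprecated and scheduled to be removed early in the 'V' development cycle"); reusing that phrasing in the security entry would remove the doubt. Both entries also tell deployers to stop using rbd_keyring_conf without saying what to configure instead, so a sentence on the replacement, or an explicit pointer to where OSSN-0085 covers it, would make the note actionable.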
