[stable only] Add warning about rbd_keyring_conf

This adds a warning message to the driver documentation page to make
sure it is visible that this config option should not be used due to
security concerns. We can't backport the deprecation of the config
option, but we can backport this doc warning to help prevent this option
from being used.

Also includes part of a squash for the release note from:
Deprecate rbd_keyring_conf option
Change-Id: I345a3b4bf3b328b0e547016f481518d252f734b9

Related-bug: #1849624

Change-Id: Ief2c868d6a9baf6793cd9070a4451835a90752aa
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
(cherry picked from commit 0f7a3ddd3c)
Sean McGinnis 2020-05-13 09:27:18 -05:00
parent 0aceffbf9e
commit ac6e0c472f
No known key found for this signature in database
GPG Key ID: CE7EE4BFAF8D70C8
2 changed files with 18 additions and 0 deletions

@ -87,6 +87,15 @@ Driver options
The following table contains the configuration options supported by the
Ceph RADOS Block Device driver.
.. warning::
Due to security concerns, it is recommended deployers do not use the
``rbd_keyring_conf`` option. This configuration option has been deprecated
and will be removed in the Victoria release.
For more information, see `OSSN-0085 Cinder configuration option can leak
secret key from Ceph backend.
<https://opendev.org/openstack/security-doc/src/branch/master/security-notes/OSSN-0085>`_
.. config-table::
:config-target: Ceph storage
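
Review bot: The warning's claim that the option "has been deprecated and will be removed in the Victoria release" is not true of the code on this stable branch, because the commit message says the deprecation itself cannot be backported. Suggest wording it as "deprecated as of Ussuri", matching the release note in this same change, so readers of the stable docs understand that the option will not flag itself as deprecated here. The warning also only says not to use the option; a sentence on what deployers should do instead would make it actionable. Minor: the link text ends with a period inside the backquotes ("... from Ceph backend.") and nothing terminates the sentence after the closing `_`; move the period outside the link.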

@ -0,0 +1,9 @@
---
security:
- |
Due to `OSSN-0085
<https://wiki.openstack.org/wiki/OSSN/OSSN-0085>`_:
Cinder configuration option can leak secret key from Ceph backend,
deployers using the ``rbd_keyring_conf`` option are advised to stop
using it immediately. The option has been deprecated for removal
as of Ussuri and will be removed in the Victoria development cycle.
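
Review bot: The OSSN-0085 link in this release note points to wiki.openstack.org, while the doc warning in the same change points to the opendev.org security-doc copy. Use the same reference in both places so readers land on one canonical text. The opening "Due to `OSSN-0085 <...>`_: Cinder configuration option can leak secret key from Ceph backend, deployers ..." also runs the note's title into the sentence; putting the title inside the link text, as the doc warning does, or in quotes would read more cleanly. As in the doc warning, the note tells deployers to stop using the option immediately but not what to configure instead.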