qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev para


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret
Date: Mon, 3 Apr 2017 14:04:42 +0100
User-agent: Mutt/1.7.1 (2016-10-04)

On Mon, Apr 03, 2017 at 02:42:48PM +0200, Max Reitz wrote:
> On 03.04.2017 13:37, Daniel P. Berrange wrote:
> > On Mon, Mar 27, 2017 at 03:26:33PM +0200, Markus Armbruster wrote:
> >> This reverts a part of commit 8a47e8e.  We're having second thoughts
> >> on the QAPI schema (and thus the external interface), and haven't
> >> reached consensus, yet.  Issues include:
> >>
> >> * BlockdevOptionsRbd member @password-secret isn't actually a
> >>   password, it's a key generated by Ceph.
> >>
> >> * We're not sure where member @password-secret belongs (see the
> >>   previous commit).
> >>
> >> * How @password-secret interacts with settings from a configuration
> >>   file specified with @conf is undocumented.  I suspect it's untested,
> >>   too.
> >>
> >> Let's avoid painting ourselves into a corner now, and revert the
> >> feature for 2.9.
> >>
> >> Note that users can still configure an authentication key with a
> >> configuration file.  They probably do that anyway if they use Ceph
> >> outside QEMU as well.
> > 
> > NB, this makes blockdev-add largely useless for RBD from libvirt's POV,
> > since we rely on the password-secret facility working to support apps
> > like openstack which won't configure the global config file for RBD.
> > 
> > Not a regression though, since blockdev-add is new - just means we won't
> > be able to use the new feature yet :-(
> 
> How does it make blockdev-add totally useless? The only thing you cannot
> do is set passwords for rbd. Can this not be added as a new feature in
> the future?

Sure, if you want to run an rbd server without any auth its usable, just
that isn't something you really want todo from a security pov.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|



reply via email to

[Prev in Thread] Current Thread [Next in Thread]