qemu-block
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-block] [Qemu-devel] [RFC][BROKEN] rbd: Allow configuration of

From: Daniel P . Berrangé
Subject: Re: [Qemu-block] [Qemu-devel] [RFC][BROKEN] rbd: Allow configuration of authentication scheme
Date: Fri, 20 Apr 2018 15:53:22 +0100
User-agent: Mutt/1.9.2 (2017-12-15) 
On Fri, Apr 20, 2018 at 04:50:38PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <address@hidden> writes:
> 
> > On Fri, Apr 20, 2018 at 03:34:26PM +0200, Markus Armbruster wrote:
> >> Daniel P. Berrangé <address@hidden> writes:
> >> 
> >> > Yeah this is a mess - I wish we had never allowed users to pass a config
> >> > file, and had used /dev/null all the time. Unfortunately changing either
> >> > of these aspects would cause backcompat problems for existing deployments
> >> > now :-( So we just have to accept that the global config file is always
> >> > in present, but none the less libvirt should try to specify things as
> >> > fully as possible.
> >> 
> >> I'm afraid you get backward compatibility problems no matter what.
> >> Whenever you extend libvirt to pass configuration C "via normal per-disk
> >> setup for blockdev", it breaks user config files containing C, doesn't
> >> it?
> >
> > That's not actually a problem here. We are only passing things to QEMU
> > that the user already provided us in the XML file. If we gain support
> > for passing a new item via the blockdev schema, then we'd only be
> > passing that to QEMU if the user actually provided that item in the
> > XML too.  We're not likely to pass a new config field without the
> > user having asked us to first.
> 
> What made me guess otherwise: "to properly protect against compromised
> QEMU, ideally every QEMU would use a completely separate RBD
> user+password, so that compromised QEMU can't then access RBD disks
> belonging to a different user" led me to assume libvirt would do this
> automatically.

No, a mgmt app like OpenStack would have to take care of that, as it
needs the ability to manage the RBD user accounts & volume ACLs, to
match the VMs you're creating.

I just meant that even if you have auth info in the global RBD file,
we shouldn't assume that auth info is desirable to use with QEMU. The
global auth config file may be an administrative account, while each
QEMU has its own restricted account.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
reply via email to
[Prev in Thread] Current Thread [Next in Thread]