Modify RBD plugin to use a single ID and move the id and key into the… #395
Conversation
examples/rbd/secret.yaml
Outdated
| # Key values correspond to a user name and its key, base 64 encoded, as | ||
| # defined in the ceph cluster. User ID should have required access to the | ||
| # 'pool' specified in the storage class | ||
| userID: BASE64-ENCODED-VALUE |
There was a problem hiding this comment.
The ID shouldn't need to be base64 encoded
There was a problem hiding this comment.
If the key userID is mentioned in a section named stringData it need not be encoded in base64 and can be mentioned in plain text. This is how a secret is specified in Kubernetes [1].
If required I can change the documentation to reflect the added stringData and mentioning the userID key within the same.
[1] Kubernetes manual secrets and data stringData options for base64 and plain text secrets: https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-manually
There was a problem hiding this comment.
I'd vote for stringData --- honestly, since the key is already base64 encoded, I always thought it was a little silly (usability-wise) that it needed to be encoded again, so perhaps both could be moved? or perhaps just move the userId back to the StorageClass?
There was a problem hiding this comment.
Then stringData it is. I will move both, as the key otherwise is double base64 encoded, as you point out.
Fractured ID and key in 2 files, to me, is a far worse usability proposition, so no I would not go that way.
pkg/rbd/controllerserver.go
Outdated
| @@ -122,7 +128,7 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol | |||
| return nil, err | |||
| } | |||
|
|
|||
| found, err := checkVolExists(rbdVol, req.GetSecrets()) | |||
| found, err := checkVolExists(rbdVol, cr.ID, cr.Key) | |||
There was a problem hiding this comment.
pass cr struct to checkVolExists
There was a problem hiding this comment.
same applies wherever we are passing ID and Key
There was a problem hiding this comment.
Done.
Did this more across the code, so that it is cleaner, than just certain instances.
|
@ShyamsundarR please fix merge conflicts |
ShyamsundarR
force-pushed
the
rbd-update-secret-config
branch
2 times, most recently
from
d90975d to
e4eac4a
Compare
Done, also changed some code in e2e, to adapt to the changes storage class and secrets for RBD and CephFS. |
|
@humblec PTAL |
| userID: BASE64-ENCODED-VALUE | ||
| userKey: BASE64-ENCODED-VALUE | ||
| userID: <plaintext ID> | ||
| userKey: <Ceph auth key corresponding to ID above> |
There was a problem hiding this comment.
why are we moving away from BASE64 to plain text here?
There was a problem hiding this comment.
See usability discussion here, #395 (comment)
Basically, moving away to make it easy for an user to specify plain text IDs and key is already base64 encoded by Ceph.
ShyamsundarR
force-pushed
the
rbd-update-secret-config
branch
from
e4eac4a to
768ac89
Compare
|
@humblec PTAL (rebased post recent PR merges to master) |
|
@ShyamsundarR apart from PLAIN TEXT password, changes looks good to me. Please use base64 encoded values in secret. |
The CephX secrets are already base64 encoded, so this just eliminates the unnecessary double base64 encoding. Plus, it's not like an extra layer of base64 encoding offers any protection for the key. |
@humblec This would be my reasoning as well, and also on reading the difference between [1] https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-manually |
|
@ShyamsundarR @dillaman the best practice of the secret key creation and use is |
|
Please provide a reference for "the best practice of the secret key creation and use is base 64 encoded values". Again, it's already base64 encoded and double-encoding it adds exactly zero value. Plus, it's confusing to users (look at the issues where folks have incorrectly re-encoded the CephX base64 key by either incorrectly appending a carriage return or not re-encoding it). |
There was a problem hiding this comment.
Please provide a reference for "the best practice of the secret key creation and use is base 64 encoded values".
Again, it's already base64 encoded and double-encoding it adds exactly zero value. Plus, it's confusing to users (look at the issues where folks have incorrectly re-encoded the CephX base64 key by either incorrectly appending a carriage return or not re-encoding it).
@dillaman @shyamsundar I dont know there exist a document called best practice. However I can point out resources like, in OCS we use base64 encoded secret as shown here https://github.com/kubernetes/examples/blob/master/staging/persistent-volume-provisioning/glusterfs/glusterfs-secret.yaml . The examples in kubernetes repo also list many instances ( RBD ..etc) with base 64 encoded secrets. Also think, in first place we put base64 encoded values in secret here ( ceph-csi) too. These examples lists from kube and the first samples/existing method of ceph-csi itself pointing out that thats the common or best practice people follow or used to. I dont want to mention it explictly, however, existing users also have a practice of using it in that way. Thats why I was wondering why to change it ? if thats not going to give us any advantages? If there are user issues or complaints about , using base 64 is a pain or need to be reconsidered, please point , may be I missed those references. Please note, I am trying to share my view based on the experience, but it doesnot mean that, we should not change, but atleast I have to point out.
|
|
||
| # Required for dynamically provisioned volumes | ||
| adminID: BASE64-ENCODED-VALUE | ||
| adminKey: BASE64-ENCODED-VALUE | ||
| adminID: <plaintext ID> |
There was a problem hiding this comment.
@ShyamsundarR the secret values in BASE64 is the recommended practice. IMO, we should not use plain text in secret , thats actually a kind of security issue.
There was a problem hiding this comment.
Please specify what the security issue is? The plain text stringData is just a user convenience, it is not stored and displayed in plain text if the secret is queried, just like passing it in using data instead.
The documentation here [1] states this: "stringData allows specifying non-binary secret data in string form. It is provided as a write-only convenience method. All keys and values are merged into the data field on write, overwriting any existing values. It is never output when reading from the API."
[1] Read stringData section: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#secret-v1-core
| # Key values correspond to a user name and its key, as defined in the | ||
| # ceph cluster. User ID should have required access to the 'pool' | ||
| # specified in the storage class | ||
| userID: <plaintext ID> |
Repeating comment on security issue here again: The documentation here [1] states this: "stringData allows specifying non-binary secret data in string form. It is provided as a write-only convenience method. All keys and values are merged into the data field on write, overwriting any existing values. It is never output when reading from the API." I believe @humblec you are missing the usability point, and as already pointed out by @dillaman there are users who have incorrectly encoded the key or ID (with trailing newlines or missing the encoding). Here are some that I could find as issues #350 #98 #80 and there has been at least one or two more that I addressed in slack channels. Finally: This PR blocks for me a couple of other PRs in flight (#391, and partially at least #318 ), so a decision here sooner the better. [1] Read stringData section: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#secret-v1-core |
|
@ShyamsundarR please rebase. |
|
Hi ,
I think you are talking to a wrong shyam Sundar. I don't know anything this
project.
Regards.
…On Sun, Jun 23, 2019, 7:48 PM Humble Devassy Chirammal < ***@***.***> wrote:
@ShyamsundarR <https://github.com/ShyamsundarR> please rebase.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#395?email_source=notifications&email_token=AANZLJECDHMPWQGCEWKPR4LP4AYXPA5CNFSM4HSBK2XKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYLTKKQ#issuecomment-504837418>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AANZLJGXX2TTSXIEFA6R5GLP4AYXPANCNFSM4HSBK2XA>
.
|
|
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
ShyamsundarR
force-pushed
the
rbd-update-secret-config
branch
from
768ac89 to
5a8226b
Compare
@humblec Done PTAL. |
|
Thanks @ShyamsundarR . As discussed we may need a mention in the LGTM. thanks ! |
humblec
added
release-note-required
cephcsi PR ceph/ceph-csi#395 changed the way we are storing secrets. This PR will bring same changes to the rook as well. Fixes: rook#3357 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
cephcsi PR ceph/ceph-csi#395 changed the way we are storing secrets. This PR will bring same changes to the rook as well. Fixes: rook#3357 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
cephcsi PR ceph/ceph-csi#395 changed the way we are storing secrets. This PR will bring same changes to the rook as well. Fixes: rook#3357 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
|
@Madhu-1 @shyamsundar I have a question:
Also, that user in rbd/secret.yaml can either be an "admin" user, or a normal user , e.g. ceph_user1 ? What if we want to give both , is that not supported now ? userID: ${admin_id} OR userID: ${ceph_user1_id} |
|
@Madhu-1 @shyamsundar I tried this and it worked.. But I am a little confused if 2 users in secret are going to be supported or not: |
cephcsi PR ceph/ceph-csi#395 changed the way we are storing secrets. This PR will bring same changes to the rook as well. Fixes: rook#3357 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
|
@nehaberry |
you can have both users in secret, either you can use admin user or ceph_user1 but he should have the permission for the pool mentioned in storage class |
|
@Madhu-1 thanks for the clarification. So, we actually don't need a separate adminID anymore since we can specify admin user in "userID" irtself. Makes sense. Thanks again |
cephcsi PR ceph/ceph-csi#395 changed the way we are storing secrets. This PR will bring same changes to the rook as well. Fixes: rook#3357 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
Syncing latest changes from devel for ceph-csi
… secret
RBD plugin needs only a single ID to manage images and operations against a
pool, mentioned in the storage class. The current scheme of 2 IDs is hence not
needed and removed in this commit.
Further, unlike CephFS plugin, the RBD plugin splits the user id and the key
into the storage class and the secret respectively. Also the parameter name
for the key in the secret is noted in the storageclass making it a variant and
hampers usability/comprehension. This is also fixed by moving the id and the key
to the secret and not retaining the same in the storage class, like CephFS.
Fixes #270
Testing done:
Signed-off-by: ShyamsundarR srangana@redhat.com