2025-01-15T13:25:44.616Z | <Casey Bodley> that's right. the users in an account are required to have the same tenant as the account, so they all see the same namespace |
2025-01-15T15:00:46.267Z | <Laura Flores> User + Dev meetup happening now! <https://meet.jit.si/ceph-user-dev-monthly> |
2025-01-15T16:25:44.574Z | <Casey Bodley> weekly rgw meeting starting soon in <https://meet.google.com/mmj-uzzv-qce> (pad: <https://pad.ceph.com/p/rgw-weekly>) (nothing on agenda yet) |
2025-01-15T16:41:26.445Z | <hwpplayer1> fsbot |
2025-01-15T19:05:10.782Z | <Blaine Gardner> @Laura Flores @Yaarit @gregsfortytwo,
There is a Rook user asking about permissions between a host/provider Ceph cluster and user/tenant clusters.
Brief summary: the idea is that many user-controlled Kubernetes clusters can connect to a central Ceph cluster for storage. Each user cluster is a separate tenant space, with limited pool/namespace and FS subvolumegroup access permissions.
We (rook) try to keep permissions minimal, and I have questions about one of the permission sets in particular. The Rook operator has permissions to check the status/health of the central Ceph cluster. This user is noticing that this permission set allows client clusters to get info about filesystems, and it might be considered information "leak."
I don't have any specific reason to think the info would allow a client user to do or infer anything malicious, but I don't have details to help back that up. I'm hoping you might be able to add some of your own expert thoughts around that. If others would be better experts, please include them.
Here's the Rook Github discussion thread, for more info and follow-up comments: <https://github.com/rook/rook/discussions/15277#discussioncomment-11846645>
Much appreciated! Thanks for your attention :) |
2025-01-15T21:11:15.607Z | <gregsfortytwo> It is a leak about the existence of filesystems, yes. That shouldn’t enable any attacks but is a leak on its own (eg, Coke seeing Pepsi is present). Ceph assumes trusted clients, and if the clients aren’t trusted you need to deploy gateway services in between. |
2025-01-15T21:12:30.349Z | <gregsfortytwo> I did think we had updated things so you could limit clients to only see the presence of filesystems they are trusted for, but it may require allowing specific mon commands rather than “mon r”. @Patrick Donnelly or @Venky Shankar will know more about that |