A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. To exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network. Follow good security principles in your networking environment to ensure that network access is properly controlled.
To mitigate the flaw, use an overcloud post-deploy script[1] to do the following on all overcloud nodes:
key=/etc/ceph/ceph.client.openstack.keyring
chown root:root $key
chmod 600 $key
setfacl -m u:glance:r $key
setfacl -m u:cinder:r $key
setfacl -m u:nova:r $key
setfacl -m u: gnocchi:r $key
If not using Red Hat OpenStack Platform director, then run the commands above manually on each overcloud node,
Warning: Only running 'chmod 600 $key' alone (without an ACL) will prevent OpenStack from reading the key.