On 03.04.2017 15:04, Daniel P. Berrange wrote:
> On Mon, Apr 03, 2017 at 02:42:48PM +0200, Max Reitz wrote:
>> On 03.04.2017 13:37, Daniel P. Berrange wrote:
>>> On Mon, Mar 27, 2017 at 03:26:33PM +0200, Markus Armbruster wrote:
>>>> This reverts a part of commit 8a47e8e. We're having second thoughts
>>>> on the QAPI schema (and thus the external interface), and haven't
>>>> reached consensus, yet. Issues include:
>>>>
>>>> * BlockdevOptionsRbd member @password-secret isn't actually a
>>>>   password, it's a key generated by Ceph.
>>>>
>>>> * We're not sure where member @password-secret belongs (see the
>>>>   previous commit).
>>>>
>>>> * How @password-secret interacts with settings from a configuration
>>>>   file specified with @conf is undocumented. I suspect it's untested,
>>>>   too.
>>>>
>>>> Let's avoid painting ourselves into a corner now, and revert the
>>>> feature for 2.9.
>>>>
>>>> Note that users can still configure an authentication key with a
>>>> configuration file. They probably do that anyway if they use Ceph
>>>> outside QEMU as well.
>>>
>>> NB, this makes blockdev-add largely useless for RBD from libvirt's POV,
>>> since we rely on the password-secret facility working to support apps
>>> like openstack which won't configure the global config file for RBD.
>>>
>>> Not a regression though, since blockdev-add is new - just means we won't
>>> be able to use the new feature yet :-(
>>
>> How does it make blockdev-add totally useless? The only thing you cannot
>> do is set passwords for rbd. Can this not be added as a new feature in
>> the future?
>
> Sure, if you want to run an rbd server without any auth it's usable, just
> that isn't something you really want to do from a security pov.

Indeed, but that's at least an rbd-specific issue. You can still use
blockdev-add for other block drivers just fine.

...and I just noticed that I have read your response the wrong way. I
didn't notice the "for RBD" and just read "this makes blockdev-add
largely useless from libvirt's POV" which sounded wrong.

OK, I get it then, sorry. :-)

Max