Use --keyfile option to pass keys to all Ceph CLIs

Every Ceph CLI that is invoked at present passes the key via the
--key option, and hence is exposed to key being displayed on
the host using a ps command or such means.

This commit addresses the issue by stashing the key in a tmp
file, which is in turn created on a tmpfs (or an empty dir backed by
memory), and then passing such tmp files as the argument to the --keyfile
option for every CLI that is invoked.

This prevents the key from being visible as part of the argument list
of the invoked program on the system.

Fixes: #318

Signed-off-by: ShyamsundarR <srangana@redhat.com>
ShyamsundarR
2019-06-25 15:29:17 -04:00
committed by mergify[bot]
parent c2835183e5
commit bd204d7d45
24 changed files with 191 additions and 69 deletions


@ -62,10 +62,11 @@ func (ns *NodeServer) NodeStageVolume(ctx context.Context, req *csi.NodeStageVol
volID := req.GetVolumeId()
cr, err := util.GetUserCredentials(req.GetSecrets())
cr, err := util.NewUserCredentials(req.GetSecrets())
if err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
defer cr.DeleteCredentials()
isLegacyVolume := false
volName, err := getVolumeName(req.GetVolumeId())