Bug #2443

closed

Anyone can list all keys, even with caps mon 'allow rwx' and not 'allow *'

Added by Anonymous almost 12 years ago. Updated almost 12 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Monitor
% Done: 0%
Source: Development

Description

Caps are kind of pointless if I can just ask for any secret I want.

ubuntu@inst03:~$ sudo ceph --name=osd.4 --keyring=/var/lib/ceph/osd/ceph-4/keyring auth list
installed auth entries:
mon.
key: AQARQqhPCENjJBAAKW0xeZy4auqW1YNKSfOjNw==
mds.inst03
key: AQDIQbRPOErDHhAA56dPYlzBswx6qsAn9NtVGQ==
caps: [mds] allow
caps: [mon] allow rwx
caps: [osd] allow *
osd.0
key: AQCCRahPyNJtGhAAFyNkPH/tJk0OWniFDUJcQw==
caps: [mon] allow rwx
caps: [osd] allow *
osd.1
key: AQCCRahPULx0GhAAYC8mK5p/6tY46Cr0zF5cng==
caps: [mon] allow rwx
caps: [osd] allow *
osd.2
key: AQAmRqhPCMg3ORAA1soCZJTCh4/SPyrESDvWOw==
caps: [mon] allow rwx
caps: [osd] allow *
osd.3
key: AQAmRqhPgKkkORAAYci38mgPZMIxi1Om9FGFUQ==
caps: [mon] allow rwx
caps: [osd] allow *
osd.4
key: AQDy8bNP+GU+NhAABCxQc9EI0g3v0nGUW3xVkw==
caps: [mon] allow rwx
caps: [osd] allow *
client.admin
key: AQDaNKhPiNRlEBAAytX03yKyRF78ov3eKp5IUQ==
caps: [mds] allow
caps: [mon] allow *
caps: [osd] allow *
client.bootstrap-osd
key: AQASQqhPkGduOhAA7kJ/0cstN8x7fyo9lFQwFg==
caps: [mon] allow command osd create ...; allow command osd crush set ...; allow command auth add * osd allow\ * mon allow\ rwx; allow command mon getmap

ubuntu@inst03:~$
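
To scope which credentials sit in the position this report describes, the following added example (not part of the original report and not Ceph code) parses text in the `ceph auth list` layout shown above and returns the entities whose mon cap grants `rwx` but not `*`. The sample input and its placeholder keys are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the `ceph auth list` layout; keys are placeholders.
SAMPLE = """\
installed auth entries:
osd.4
    key: PLACEHOLDER-KEY-OSD4
    caps: [mon] allow rwx
    caps: [osd] allow *
client.admin
    key: PLACEHOLDER-KEY-ADMIN
    caps: [mon] allow *
client.bootstrap-osd
    key: PLACEHOLDER-KEY-BOOTSTRAP
    caps: [mon] allow command auth add * osd allow\\ * mon allow\\ rwx; allow command mon getmap
"""
CAP_RE = re.compile(r"caps:\s*\[(\w+)\]\s*(.*)")

def parse_auth_list(text):
    """Return {entity: {service: cap string}}; key values are never stored."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is often lost in pasted output
        if not line or line == "installed auth entries:" or line.startswith("key:"):
            continue
        m = CAP_RE.match(line)
        if m is None:                 # neither key nor caps: an entity name
            current = line
            entries[current] = {}
        elif current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries

def mon_grant(cap):
    """Classify a mon cap by its bare 'allow <perm>' clauses; the escaped
    'allow\\ *' text inside an 'allow command ...' clause is not a grant."""
    clauses = [c.split() for c in cap.split(";") if c.strip()]
    perms = {t[1] for t in clauses if len(t) == 2 and t[0] == "allow"}
    if "*" in perms:
        return "all"
    if any(set("rwx") <= set(p) for p in perms):
        return "rwx"
    if clauses and all(t[:2] == ["allow", "command"] for t in clauses):
        return "command-only"
    return "other"

def mon_rwx_without_star(text):
    """Entities holding mon 'allow rwx' but not 'allow *' (the case reported here)."""
    return sorted(e for e, caps in parse_auth_list(text).items()
                  if mon_grant(caps.get("mon", "")) == "rwx")
```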

Actions #1

Updated by Sage Weil almost 12 years ago

  • Category set to Monitor
  • Status changed from New to Fix Under Review

see wip-mon-auth

Actions #2

Updated by Sage Weil almost 12 years ago

  • Target version set to v0.48

Actions #3

Updated by Sage Weil almost 12 years ago

  • Status changed from Fix Under Review to Resolved