Bug #42475
closed
mgr/dashboard: read-only user can display RGW API keys
Description
Not sure if it's a bug or intentional behaviour, but just to ensure:
"A dashboard user configured with "read-only" role can access RGW API secrets. If that's intentional, please feel free to close this bug."
Updated by Lenz Grimmer over 4 years ago
- Assignee set to Alfonso Martínez
- Target version set to v15.0.0
- Backport set to nautilus
Updated by Lenz Grimmer over 4 years ago
- Severity changed from 3 - minor to 2 - major
Increasing severity. It would be nice to get that fixed, to enhance security.
Updated by Volker Theile over 4 years ago
If the user has RGW read-only privileges, then the API keys should be visible.
On the one hand, there might be data that is sensitive and might cause problems when the user has read-only privs, but our privilege model is simple and cannot (and shouldn't) make any further decisions regarding anything other than checking if the user has read-only, create, update or delete privileges.
IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.
Updated by Alfonso Martínez over 4 years ago
After a conversation at a past dashboard daily standup, we reached consensus on this topic:
API keys should not be shown if user has only read-only privileges.
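Added example, not part of the tracker thread and not the Ceph dashboard's own code: one way to keep a coarse read/create/update/delete permission model while still withholding key material from read-only callers, by redacting secret fields at serialization time. The function names, the permission strings and the policy that any write permission reveals keys are assumptions made for illustration; the `keys` and `swift_keys` layout follows the RGW user record format.

```python
"""Field-level redaction layered on a coarse permission model (illustration)."""
import copy

# Assumption: permission names mirror the four listed in the thread.
WRITE_PERMS = {"create", "update", "delete"}

# Secret-bearing fields of an RGW user record: S3 credentials live under
# "keys", Swift credentials under "swift_keys".
SECRET_FIELDS = {
    "keys": ("access_key", "secret_key"),
    "swift_keys": ("secret_key",),
}


def can_view_secrets(rgw_perms):
    """Hypothetical policy: any write permission on the RGW scope reveals keys."""
    return bool(WRITE_PERMS & set(rgw_perms))


def redact_rgw_user(user, rgw_perms):
    """Return a copy of `user` that is safe to send to the caller."""
    if "read" not in rgw_perms:
        raise PermissionError("no read access to the RGW scope")
    out = copy.deepcopy(user)  # never mutate the stored/cached record
    if can_view_secrets(rgw_perms):
        return out
    for section, fields in SECRET_FIELDS.items():
        for entry in out.get(section, []):
            for field in fields:
                # Drop the field entirely instead of masking it, so no
                # partial key material reaches the client.
                entry.pop(field, None)
    return out


# Constructed sample record; the values are placeholders, not credentials.
SAMPLE_USER = {
    "user_id": "demo",
    "display_name": "Demo User",
    "keys": [{"user": "demo", "access_key": "EXAMPLEACCESS",
              "secret_key": "EXAMPLESECRET"}],
    "swift_keys": [{"user": "demo:swift", "secret_key": "EXAMPLESWIFT"}],
}

if __name__ == "__main__":
    print(redact_rgw_user(SAMPLE_USER, {"read"}))
    print(redact_rgw_user(SAMPLE_USER, {"read", "update"}))
```

Redacting on the server side matters here: hiding the keys only in the UI would still leave them in the API response that a read-only account can fetch directly.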
Updated by Alfonso Martínez over 4 years ago
- Status changed from New to Fix Under Review
- Pull request ID set to 33178
Updated by Lenz Grimmer about 4 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Alfonso Martínez about 4 years ago
- Copied to Backport #44375: nautilus: mgr/dashboard: read-only user can display RGW API keys added
Updated by Nathan Cutler about 4 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 143 to Component - RGW