Bug #44237
Status: closed
Feature #47765: mgr/dashboard: security improvements
mgr/dashboard: security: some system roles allow accessing sensitive information
100% done
Description
Some system roles (`pool-manager`, `cephfs-manager`, `ganesha-manager`, etc.) have the `configOpt` read permission enabled, which allows reading all cluster config options and manager module config options. The latter include RGW keys or the Grafana user/admin, plus any sensitive information used by existing or new modules. As the dashboard cannot control what new information is exposed by these modules, the suggestion is to remove that read permission from all system roles except the specific management ones (`administrator` and `cluster-manager`).
`pool-manager`: checks `/api/cluster_conf/osd_pool_default_pg_autoscale_mode`. This parameter could/should also be exposed via `/api/pools/_info`, which already returns other ceph config params (e.g. `bluestore_compression_algorithm`).

`ganesha-manager`, `cephfs-manager`, `rgw-manager`: I couldn't find any direct dependency on cluster config options.
A different case is the `read-only` role. While it initially makes sense to allow the `configOpt` read permission, a dashboard administrator might guess that `read-only` perfectly fits a `guest`/low-privileged user. On the contrary, a `read-only` user has access to the same sensitive data as mentioned above.
- Discuss and agree on a `read-only` user with/without access to `configOpts`. This could be improved by splitting it into 2: `administrator-read-only` and `guest` (without the read permission on sensitive data). As I'm against adding more roles, I'd simply leave the low-privilege `guest` one.
- Make `pool-form` get `osd_pool_default_pg_autoscale_mode` from `/pool/_info`.
- Remove the `configOpt` read perm (and test) in all other roles.
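As an added audit example (not code from this ticket or from the Ceph project), the script below takes role definitions in the JSON shape printed by `ceph dashboard ac-role-show`, flags every role other than `administrator` and `cluster-manager` that still holds read on the config-option scope, and emits the `ceph dashboard ac-role-create` / `ac-role-add-scope-perms` commands to recreate such a role as a custom copy without that scope (system roles cannot be edited in place). It assumes the scope is spelled `config-opt` in the CLI; the role data and the `-noconfig` suffix are constructed for illustration.

```python
import json

# Constructed sample in the shape of `ceph dashboard ac-role-show <role>` output;
# values are illustrative and not taken from a real cluster.
SAMPLE_ROLES = [
    {"name": "pool-manager", "description": "Pool Manager",
     "scopes_permissions": {"pool": ["create", "delete", "read", "update"],
                            "config-opt": ["read"]}},
    {"name": "read-only", "description": "Read-Only",
     "scopes_permissions": {"pool": ["read"], "osd": ["read"], "config-opt": ["read"]}},
    {"name": "rgw-manager", "description": "RGW Manager",
     "scopes_permissions": {"rgw": ["create", "delete", "read", "update"]}},
]

SENSITIVE_SCOPE = "config-opt"  # assumed CLI spelling of the configOpt scope
ALLOWED_ROLES = {"administrator", "cluster-manager"}  # roles the report wants to keep it


def parse_role_docs(docs):
    """Parse one JSON document per role (e.g. saved ac-role-show output)."""
    return [json.loads(d) for d in docs]


def roles_exposing_config(roles):
    """Names of non-management roles that can read config options."""
    return sorted(r["name"] for r in roles
                  if "read" in r["scopes_permissions"].get(SENSITIVE_SCOPE, [])
                  and r["name"] not in ALLOWED_ROLES)


def hardened_role_commands(role, suffix="-noconfig"):
    """Commands that recreate `role` as a custom role minus the sensitive scope."""
    new_name = role["name"] + suffix
    cmds = [f"ceph dashboard ac-role-create {new_name} '{role['description']}'"]
    for scope, perms in sorted(role["scopes_permissions"].items()):
        if scope == SENSITIVE_SCOPE:
            continue  # drop config-opt entirely; every other scope is copied as-is
        cmds.append(f"ceph dashboard ac-role-add-scope-perms {new_name} {scope} "
                    + " ".join(sorted(perms)))
    return cmds


def audit(roles):
    """Return (flagged role names, {role name: replacement commands})."""
    flagged = roles_exposing_config(roles)
    plan = {r["name"]: hardened_role_commands(r) for r in roles if r["name"] in flagged}
    return flagged, plan


if __name__ == "__main__":
    flagged, plan = audit(parse_role_docs(json.dumps(r) for r in SAMPLE_ROLES))
    print("roles with config-opt read:", flagged)
    for name, cmds in plan.items():
        print(f"\n# replacement for {name}\n" + "\n".join(cmds))
```

Users assigned to a flagged system role would then be moved to the generated custom role with `ceph dashboard ac-user-set-roles`.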