Bug #2443

Anyone can list all keys, even with caps mon 'allow rwx' and not 'allow *'

Added by Anonymous about 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Monitor
Target version:
% Done: 0%
Source: Development
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Caps are kind of pointless if I can just ask for any secret I want.

ubuntu@inst03:~$ sudo ceph --name=osd.4 --keyring=/var/lib/ceph/osd/ceph-4/keyring auth list
installed auth entries:
mon.
    key: AQARQqhPCENjJBAAKW0xeZy4auqW1YNKSfOjNw==
mds.inst03
    key: AQDIQbRPOErDHhAA56dPYlzBswx6qsAn9NtVGQ==
    caps: [mds] allow
    caps: [mon] allow rwx
    caps: [osd] allow *
osd.0
    key: AQCCRahPyNJtGhAAFyNkPH/tJk0OWniFDUJcQw==
    caps: [mon] allow rwx
    caps: [osd] allow *
osd.1
    key: AQCCRahPULx0GhAAYC8mK5p/6tY46Cr0zF5cng==
    caps: [mon] allow rwx
    caps: [osd] allow *
osd.2
    key: AQAmRqhPCMg3ORAA1soCZJTCh4/SPyrESDvWOw==
    caps: [mon] allow rwx
    caps: [osd] allow *
osd.3
    key: AQAmRqhPgKkkORAAYci38mgPZMIxi1Om9FGFUQ==
    caps: [mon] allow rwx
    caps: [osd] allow *
osd.4
    key: AQDy8bNP+GU+NhAABCxQc9EI0g3v0nGUW3xVkw==
    caps: [mon] allow rwx
    caps: [osd] allow *
client.admin
    key: AQDaNKhPiNRlEBAAytX03yKyRF78ov3eKp5IUQ==
    caps: [mds] allow
    caps: [mon] allow *
    caps: [osd] allow *
client.bootstrap-osd
    key: AQASQqhPkGduOhAA7kJ/0cstN8x7fyo9lFQwFg==
    caps: [mon] allow command osd create ...; allow command osd crush set ...; allow command auth add * osd allow\ * mon allow\ rwx; allow command mon getmap

ubuntu@inst03:~$

Associated revisions

Revision c43c7744 (diff)
Added by Sage Weil about 8 years ago

mon: require admin privs to issue any monitor commands

This is overkill, but a first step before pushing caps enforcement down
into each subfunction that processes monitor commands.

Fixes: #2443
Signed-off-by: Sage Weil <>
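
Added illustration (not Ceph code and not part of the original ticket): an audit sketch that parses `ceph auth list` output in the shape quoted in the description and reports which entities would pass the admin-only gate the commit message describes. It assumes "admin privs" means a `[mon]` cap that is exactly `allow *`, the contrast drawn in the ticket title; the function names and the sample input are constructed for this example.

```python
import re

# Constructed sample shaped like the `ceph auth list` output in the report;
# the key values are placeholders, not real secrets.
SAMPLE = """installed auth entries:
osd.4
\tkey: PLACEHOLDER
\tcaps: [mon] allow rwx
\tcaps: [osd] allow *
client.admin
\tkey: PLACEHOLDER
\tcaps: [mds] allow
\tcaps: [mon] allow *
\tcaps: [osd] allow *
client.bootstrap-osd
\tkey: PLACEHOLDER
\tcaps: [mon] allow command osd create ...; allow command mon getmap
"""

CAPS_RE = re.compile(r"caps:\s*\[(\w+)\]\s*(.*)")

def parse_auth_list(text):
    """Return {entity: {service: cap string}}; key material is discarded."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "installed auth entries:" or line.startswith("key:"):
            continue
        m = CAPS_RE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
        elif not m:
            current = line              # any other line names the next entity
            entities[current] = {}
    return entities

def is_mon_admin(caps):
    """Assumed reading of 'admin privs': a mon grant that is exactly `allow *`."""
    return "allow *" in [g.strip() for g in caps.get("mon", "").split(";")]

def audit(text):
    """Map each entity to whether it passes the coarse admin-only gate."""
    return {name: is_mon_admin(caps) for name, caps in parse_auth_list(text).items()}

if __name__ == "__main__":
    for name, admin in sorted(audit(SAMPLE).items()):
        print(f"{name:22} {'admin: may issue monitor commands' if admin else 'not admin: denied'}")
```

Only the `[mon]` cap decides the result: the `[osd] allow *` held by osd.4 does not make it a monitor admin.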

History

#1 Updated by Sage Weil about 8 years ago

  • Category set to Monitor
  • Status changed from New to Fix Under Review

see wip-mon-auth

#2 Updated by Sage Weil about 8 years ago

  • Target version set to v0.48

#3 Updated by Sage Weil about 8 years ago

  • Status changed from Fix Under Review to Resolved
