Bug #2443
closed
Anyone can list all keys, even with caps mon 'allow rwx' and not 'allow *'
Description
Caps are kind of pointless if I can just ask for any secret I want.
ubuntu@inst03:~$ sudo ceph --name=osd.4 --keyring=/var/lib/ceph/osd/ceph-4/keyring auth list
installed auth entries:
mon.
key: AQARQqhPCENjJBAAKW0xeZy4auqW1YNKSfOjNw==
mds.inst03
key: AQDIQbRPOErDHhAA56dPYlzBswx6qsAn9NtVGQ==
caps: [mds] allow
caps: [mon] allow rwx
caps: [osd] allow *
osd.0
key: AQCCRahPyNJtGhAAFyNkPH/tJk0OWniFDUJcQw==
caps: [mon] allow rwx
caps: [osd] allow *
osd.1
key: AQCCRahPULx0GhAAYC8mK5p/6tY46Cr0zF5cng==
caps: [mon] allow rwx
caps: [osd] allow *
osd.2
key: AQAmRqhPCMg3ORAA1soCZJTCh4/SPyrESDvWOw==
caps: [mon] allow rwx
caps: [osd] allow *
osd.3
key: AQAmRqhPgKkkORAAYci38mgPZMIxi1Om9FGFUQ==
caps: [mon] allow rwx
caps: [osd] allow *
osd.4
key: AQDy8bNP+GU+NhAABCxQc9EI0g3v0nGUW3xVkw==
caps: [mon] allow rwx
caps: [osd] allow *
client.admin
key: AQDaNKhPiNRlEBAAytX03yKyRF78ov3eKp5IUQ==
caps: [mds] allow
caps: [mon] allow *
caps: [osd] allow *
client.bootstrap-osd
key: AQASQqhPkGduOhAA7kJ/0cstN8x7fyo9lFQwFg==
caps: [mon] allow command osd create ...; allow command osd crush set ...; allow command auth add * osd allow\ * mon allow\ rwx; allow command mon getmap
ubuntu@inst03:~$
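An audit sketch for the condition reported above, added here as an example and not taken from the report or from Ceph's own code: it parses text in the `ceph auth list` layout and returns the entities whose mon caps grant r/w/x letters without `allow *`, the class of identity this report shows listing every key. The function names and the sample input are assumptions; the sample is constructed and its keys are placeholders.

```python
import re

# Constructed sample in the `ceph auth list` layout above; keys are placeholders.
SAMPLE = r"""installed auth entries:
mon.
key: PLACEHOLDER0
osd.4
key: PLACEHOLDER1
caps: [mon] allow rwx
caps: [osd] allow *
client.admin
key: PLACEHOLDER2
caps: [mon] allow *
client.bootstrap-osd
key: PLACEHOLDER3
caps: [mon] allow command auth add * osd allow\ * mon allow\ rwx; allow command mon getmap
"""

CAP_LINE = re.compile(r"caps:\s*\[(\w+)\]\s*(.*)")

def parse_auth_list(text):
    """Map each entity name to {service: cap string} from auth-list style text."""
    entities, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        cap = CAP_LINE.fullmatch(line)
        if not line or line.startswith(("installed auth entries", "key:")):
            continue  # key material is deliberately never stored
        if cap and current is not None:
            entities[current][cap.group(1)] = cap.group(2)
        elif not cap:
            current = line  # any other line starts a new entity
            entities[current] = {}
    return entities

def mon_class(cap):
    """Classify a mon cap string as 'admin', 'rwx', 'command' or 'none'."""
    grants = [g.strip() for g in cap.split(";") if g.strip()]
    if any(g == "allow *" for g in grants):
        return "admin"
    if any(re.fullmatch(r"allow\s+[rwx]+", g) for g in grants):
        return "rwx"
    return "command" if grants else "none"

def non_admin_mon_entities(entities):
    """Entities with r/w/x mon caps but no 'allow *' (the case in this report)."""
    return sorted(n for n, c in entities.items() if mon_class(c.get("mon", "")) == "rwx")

if __name__ == "__main__":
    print(non_admin_mon_entities(parse_auth_list(SAMPLE)))
```

The command-restricted `client.bootstrap-osd` grant is classified separately even though its text contains `allow\ rwx`, because that fragment is an argument of the permitted `auth add` command, not a grant of its own.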