Project

General

Profile

Bug #42475

mgr/dashboard: read-only user can display RGW API keys

Added by Ernesto Puerta 4 months ago. Updated 8 days ago.

Status:
Fix Under Review
Priority:
Normal
Assignee:
Category:
dashboard/rgw
Target version:
% Done:

0%

Source:
Tags:
Backport:
nautilus
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Not sure if it's a bug or intentional behaviour, but just to ensure:

"A dashboard user configured with "read-only" role can access RGW API secrets. If that's intentional, please feel free to close this bug."

History

#1 Updated by Lenz Grimmer 3 months ago

  • Assignee set to Alfonso MH
  • Target version set to v15.0.0
  • Backport set to nautilus

#2 Updated by Lenz Grimmer 2 months ago

  • Severity changed from 3 - minor to 2 - major

Increasing severity. It would be nice to get that fixed, to enhance security.

#3 Updated by Volker Theile about 1 month ago

If the user has RGW read-only privileges, then the API keys should be visible.

On the one side there might be data that is sensitive and might make problems when the user has read-only privs, but our privileges model is simple and can not (and shouldn't) do any further decision regarding other things than checking if the user has read-only, create, update or delete privileges.

IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.

#4 Updated by Alfonso MH 8 days ago

After past dashboard daily standup conversation, we reach consensus on this topic:
API keys should not be shown if user has only read-only privileges.

#5 Updated by Alfonso MH 8 days ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 33178

Also available in: Atom PDF