Project

General

Profile

Bug #42475

mgr/dashboard: read-only user can display RGW API keys

Added by Ernesto Puerta 11 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Category:
dashboard/rgw
Target version:
% Done:

0%

Source:
Tags:
Backport:
nautilus
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Not sure if it's a bug or intentional behaviour, but just to ensure:

"A dashboard user configured with "read-only" role can access RGW API secrets. If that's intentional, please feel free to close this bug."


Related issues

Copied to mgr - Backport #44375: nautilus: mgr/dashboard: read-only user can display RGW API keys Resolved

History

#1 Updated by Lenz Grimmer 10 months ago

  • Assignee set to Alfonso Martínez
  • Target version set to v15.0.0
  • Backport set to nautilus

#2 Updated by Lenz Grimmer 10 months ago

  • Severity changed from 3 - minor to 2 - major

Increasing severity. It would be nice to get that fixed, to enhance security.

#3 Updated by Volker Theile 8 months ago

If the user has RGW read-only privileges, then the API keys should be visible.

On the one side there might be data that is sensitive and might make problems when the user has read-only privs, but our privileges model is simple and can not (and shouldn't) do any further decision regarding other things than checking if the user has read-only, create, update or delete privileges.

IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.

#4 Updated by Alfonso Martínez 8 months ago

After past dashboard daily standup conversation, we reach consensus on this topic:
API keys should not be shown if user has only read-only privileges.

#5 Updated by Alfonso Martínez 8 months ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 33178

#6 Updated by Lenz Grimmer 7 months ago

  • Status changed from Fix Under Review to Pending Backport

#7 Updated by Alfonso Martínez 7 months ago

  • Copied to Backport #44375: nautilus: mgr/dashboard: read-only user can display RGW API keys added

#8 Updated by Nathan Cutler 6 months ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".

Also available in: Atom PDF