Bug #42475

closed

mgr/dashboard: read-only user can display RGW API keys

Added by Ernesto Puerta over 4 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Category: Component - RGW
Target version:
% Done: 0%
Source:
Tags:
Backport: nautilus
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Not sure if it's a bug or intentional behaviour, but just to ensure:

"A dashboard user configured with the 'read-only' role can access RGW API secrets. If that's intentional, please feel free to close this bug."


Related issues 1 (0 open, 1 closed)

Copied to Dashboard - Backport #44375: nautilus: mgr/dashboard: read-only user can display RGW API keys (Resolved, Alfonso Martínez)
Actions #1

Updated by Lenz Grimmer over 4 years ago

  • Assignee set to Alfonso Martínez
  • Target version set to v15.0.0
  • Backport set to nautilus
Actions #2

Updated by Lenz Grimmer over 4 years ago

  • Severity changed from 3 - minor to 2 - major

Increasing severity. It would be nice to get that fixed, to enhance security.

Actions #3

Updated by Volker Theile over 4 years ago

If the user has RGW read-only privileges, then the API keys should be visible.

On the one side there might be data that is sensitive and might make problems when the user has read-only privs, but our privileges model is simple and cannot (and shouldn't) do any further decision regarding other things than checking if the user has read-only, create, update or delete privileges.

IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.

Actions #4

Updated by Alfonso Martínez about 4 years ago

After the past dashboard daily standup conversation, we reached consensus on this topic:
API keys should not be shown if the user has only read-only privileges.
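The privilege model described in #3 (a per-scope check for read / create / update / delete, with no inspection of the data itself) and the consensus in #4 (keys hidden from read-only users) can be combined into a small redaction step at the point where the RGW user record is returned. The sketch below is an added example written for this page; it is not the Ceph dashboard's code and not the change in PR 33178. The role table, the `rgw` scope name, the function names and the sample user record are all assumptions constructed for illustration.

```python
"""Added example (not Ceph dashboard code): mask RGW API keys for
dashboard users whose role grants only READ on the rgw scope.

The permission verbs, the role table and the sample record below are
assumptions made for this illustration.
"""
from copy import deepcopy

# Permission verbs, mirroring the four checks named in the discussion.
READ, CREATE, UPDATE, DELETE = "read", "create", "update", "delete"
RGW_SCOPE = "rgw"  # assumed scope name

# Hypothetical role table: role -> scope -> granted verbs.
ROLES = {
    "read-only": {RGW_SCOPE: {READ}},
    "rgw-manager": {RGW_SCOPE: {READ, CREATE, UPDATE, DELETE}},
}

# Credential-bearing fields inside an RGW user's "keys" entries.
SECRET_FIELDS = ("access_key", "secret_key")
REDACTED = "***"


def has_permission(role, scope, verb):
    """Return True if `role` grants `verb` on `scope` (plain lookup, no data inspection)."""
    return verb in ROLES.get(role, {}).get(scope, set())


def redact_rgw_user(user_doc, role):
    """Return a copy of `user_doc` with API keys masked unless the caller
    holds UPDATE on the rgw scope.

    The privilege check itself stays a simple verb lookup, as comment #3
    argues it should; the decision about which fields are sensitive lives
    here, in the controller that shapes the response. Read-only callers
    keep every non-credential field, so listing and auditing still work.
    """
    if not has_permission(role, RGW_SCOPE, READ):
        raise PermissionError("no read access to the rgw scope")
    doc = deepcopy(user_doc)  # never mutate the record handed to us
    if not has_permission(role, RGW_SCOPE, UPDATE):
        for key in doc.get("keys", []):
            for field in SECRET_FIELDS:
                if field in key:
                    key[field] = REDACTED
    return doc


# Constructed sample record (values are placeholders, not real credentials).
SAMPLE_USER = {
    "user_id": "alice",
    "display_name": "Alice",
    "keys": [
        {"user": "alice", "access_key": "AKIAEXAMPLE", "secret_key": "s3cr3tEXAMPLE"},
    ],
}


def keys_visible_to(role):
    """What a caller holding `role` gets back for the sample user's keys."""
    return redact_rgw_user(SAMPLE_USER, role)["keys"]


if __name__ == "__main__":
    for role_name in ROLES:
        print(role_name, keys_visible_to(role_name))
```

The check is deliberately placed on the response path rather than in the permission model: the model still answers only "does this role have this verb on this scope", and the controller decides that credential fields require more than READ to be disclosed.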

Actions #5

Updated by Alfonso Martínez about 4 years ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 33178
Actions #6

Updated by Lenz Grimmer about 4 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions #7

Updated by Alfonso Martínez about 4 years ago

  • Copied to Backport #44375: nautilus: mgr/dashboard: read-only user can display RGW API keys added
Actions #8

Updated by Nathan Cutler about 4 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".

Actions #9

Updated by Ernesto Puerta about 3 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 143 to Component - RGW