mgr/dashboard: read-only user can display RGW API keys
Not sure if it's a bug or intentional behaviour, but just to ensure:
"A dashboard user configured with "read-only" role can access RGW API secrets. If that's intentional, please feel free to close this bug."
#3 Updated by Volker Theile almost 3 years ago
If the user has RGW read-only privileges, then the API keys should be visible.
On the one side there might be data that is sensitive and might make problems when the user has read-only privs, but our privileges model is simple and can not (and shouldn't) do any further decision regarding other things than checking if the user has read-only, create, update or delete privileges.
IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.