Ceph (https://tracker.ceph.com/), updated 2019-11-21T14:07:30Z
Dashboard - Bug #42475: mgr/dashboard: read-only user can display RGW API keys
https://tracker.ceph.com/issues/42475?journal_id=152298 2019-11-21T14:07:30Z Lenz Grimmer
<ul><li><strong>Assignee</strong> set to <i>Alfonso Martínez</i></li><li><strong>Target version</strong> set to <i>v15.0.0</i></li><li><strong>Backport</strong> set to <i>nautilus</i></li></ul>
https://tracker.ceph.com/issues/42475?journal_id=153133 2019-12-05T13:37:31Z Lenz Grimmer
<ul><li><strong>Severity</strong> changed from <i>3 - minor</i> to <i>2 - major</i></li></ul><p>Increasing severity. It would be nice to get that fixed, to enhance security.</p>
https://tracker.ceph.com/issues/42475?journal_id=155894 2020-01-16T08:58:40Z Volker Theile
<p>If the user has RGW read-only privileges, then the API keys should be visible.</p>
<p>On the one side there might be data that is sensitive and might make problems when the user has read-only privs, but our privileges model is simple and cannot (and shouldn't) do any further decision regarding other things than checking if the user has read-only, create, update or delete privileges.</p>
<p>IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.</p>
https://tracker.ceph.com/issues/42475?journal_id=158180 2020-02-10T12:16:31Z Alfonso Martínez (almartin@redhat.com)
<p>After a past dashboard daily standup conversation, we reached consensus on this topic:<br />API keys should not be shown if the user has only read-only privileges.</p>
https://tracker.ceph.com/issues/42475?journal_id=158183 2020-02-10T12:58:07Z Alfonso Martínez (almartin@redhat.com)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Fix Under Review</i></li><li><strong>Pull request ID</strong> set to <i>33178</i></li></ul>
https://tracker.ceph.com/issues/42475?journal_id=160088 2020-03-02T13:55:00Z Lenz Grimmer
<ul><li><strong>Status</strong> changed from <i>Fix Under Review</i> to <i>Pending Backport</i></li></ul>
https://tracker.ceph.com/issues/42475?journal_id=160092 2020-03-02T14:27:50Z Alfonso Martínez (almartin@redhat.com)
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-9 status-3 priority-4 priority-default closed" href="/issues/44375">Backport #44375</a>: nautilus: mgr/dashboard: read-only user can display RGW API keys</i> added</li></ul>
https://tracker.ceph.com/issues/42475?journal_id=162133 2020-03-31T10:02:16Z Nathan Cutler (ncutler@suse.cz)
<ul><li><strong>Status</strong> changed from <i>Pending Backport</i> to <i>Resolved</i></li></ul><p>While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".</p>
https://tracker.ceph.com/issues/42475?journal_id=191584 2021-04-15T17:26:17Z Ernesto Puerta
<ul><li><strong>Project</strong> changed from <i>mgr</i> to <i>Dashboard</i></li><li><strong>Category</strong> changed from <i>143</i> to <i>Component - RGW</i></li></ul>