Bug #42475
closed
mgr/dashboard: read-only user can display RGW API keys
Added by Ernesto Puerta over 4 years ago.
Updated about 3 years ago.
Description
Not sure if it's a bug or intentional behaviour, but just to ensure:
"A dashboard user configured with "read-only" role can access RGW API secrets. If that's intentional, please feel free to close this bug."
- Assignee set to Alfonso Martínez
- Target version set to v15.0.0
- Backport set to nautilus
- Severity changed from 3 - minor to 2 - major
Increasing severity. It would be nice to get that fixed, to enhance security.
If the user has RGW read-only privileges, then the API keys should be visible.
On the one side there might be data that is sensitive and might cause problems when the user has read-only privileges, but our privileges model is simple and cannot (and shouldn't) make any further decisions beyond checking whether the user has read-only, create, update or delete privileges.
IMO the current implementation of our privileges system is not intended to evaluate the data to be displayed.
After the last dashboard daily standup conversation, we reached consensus on this topic:
API keys should not be shown if user has only read-only privileges.
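The following is an added illustration of that decision and is not the Ceph dashboard's own code or the fix from the referenced pull request. It models the scope/permission ACL described above (per-scope sets of read, create, update, delete) and applies the agreed rule server-side: a caller whose only permission on the assumed scope name `rgw` is `read` gets the RGW user record with the assumed credential fields `access_key` and `secret_key` stripped, while anyone else with read access gets the full record. The `User`, `redact_secrets` and `get_rgw_user` names, the scope name and the sample RGW user data are all constructed for this example.

```python
# Added example, not mgr/dashboard code: enforce "read-only users do not see
# RGW API keys" in the backend handler rather than in the UI, so that a
# read-only user calling the REST endpoint directly still gets no secrets.
from typing import Any, Dict, Iterable, Set

READ, CREATE, UPDATE, DELETE = "read", "create", "update", "delete"
RGW_SCOPE = "rgw"                       # assumed scope name for this example
SECRET_FIELDS = {"access_key", "secret_key"}   # assumed credential field names


class User:
    """A dashboard-like user: a name plus a mapping scope -> set of permissions."""

    def __init__(self, name: str, acl: Dict[str, Set[str]]):
        self.name = name
        self.acl = {scope: set(perms) for scope, perms in acl.items()}

    def permissions(self, scope: str) -> Set[str]:
        return self.acl.get(scope, set())

    def is_read_only(self, scope: str) -> bool:
        # Read-only means: has read, and nothing else, on this scope.
        return self.permissions(scope) == {READ}


def authorize(user: User, scope: str, permission: str) -> None:
    """Deny-by-default permission check, raised before any data is touched."""
    if permission not in user.permissions(scope):
        raise PermissionError(f"{user.name} lacks {permission} on {scope}")


def redact_secrets(obj: Any, secret_fields: Iterable[str] = SECRET_FIELDS) -> Any:
    """Return a copy of a JSON-like structure with secret fields removed.

    Works recursively through nested dicts and lists (RGW user records keep
    credentials in a list of key objects), and never mutates the input.
    """
    secrets = set(secret_fields)
    if isinstance(obj, dict):
        return {k: redact_secrets(v, secrets) for k, v in obj.items() if k not in secrets}
    if isinstance(obj, list):
        return [redact_secrets(v, secrets) for v in obj]
    return obj


# Constructed sample data; the key values are fake placeholders, not real credentials.
RGW_USERS: Dict[str, Dict[str, Any]] = {
    "alice": {
        "user_id": "alice",
        "display_name": "Alice",
        "keys": [{"user": "alice", "access_key": "AKEXAMPLE0000", "secret_key": "fake-secret-value"}],
        "swift_keys": [{"user": "alice:swift", "secret_key": "fake-swift-secret"}],
    }
}


def get_rgw_user(caller: User, uid: str) -> Dict[str, Any]:
    """Handler-style accessor: any reader may see the user, only non-read-only callers see keys."""
    authorize(caller, RGW_SCOPE, READ)
    record = RGW_USERS[uid]
    if caller.is_read_only(RGW_SCOPE):
        return redact_secrets(record)
    return redact_secrets(record, secret_fields=())   # full copy, nothing stripped


if __name__ == "__main__":
    viewer = User("viewer", {RGW_SCOPE: {READ}})
    admin = User("admin", {RGW_SCOPE: {READ, CREATE, UPDATE, DELETE}})
    print("read-only view:", get_rgw_user(viewer, "alice"))
    print("admin view:    ", get_rgw_user(admin, "alice"))
```

The point of placing the check in `get_rgw_user` rather than in the frontend is that the REST endpoint is the real trust boundary; hiding a column in the UI alone would leave the secrets one HTTP request away. The `read` authorization still happens first, so a user with no RGW permission at all is refused before any record is loaded.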
- Status changed from New to Fix Under Review
- Pull request ID set to 33178
- Status changed from Fix Under Review to Pending Backport
- Copied to Backport #44375: nautilus: mgr/dashboard: read-only user can display RGW API keys added
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
- Project changed from mgr to Dashboard
- Category changed from 143 to Component - RGW