Bug #43268
Restrict admin socket commands more from the Ceph tool
Description
https://bugzilla.redhat.com/show_bug.cgi?id=1780458
It sounds like we've given admin socket access to any cephx user who has mon w permissions, which isn't really sufficient. They can for instance now force monitor elections on-demand!
History
#1 Updated by Greg Farnum over 1 year ago
- Assignee deleted (Greg Farnum)
#2 Updated by Radoslaw Zarzynski over 1 year ago
- Tracker changed from Bug to Feature
- Priority changed from High to Normal
A note from a bug scrub:
1. If somebody already has access to monitors, he can do a lot.
2. No new comments over 2 years, so likely this isn't so missed by users.
#3 Updated by Greg Farnum about 1 year ago
- Tracker changed from Feature to Bug
- Priority changed from Normal to High
- Regression set to No
- Severity set to 3 - minor
Radek, I think this was misunderstood. It's a security issue that resulted from exposing all admin socket commands via the "tell" interface.
So you don't need monitor access, except fairly normal user permissions, and can then run commands that, when implemented, we assumed required privileged access to the monitor host to run!
(Sorry for the late update.)
#4 Updated by Radoslaw Zarzynski about 1 year ago
- Tags set to medium-hanging-fruit
Tagging as medium-hanging-fruit as, IIUC, we would need to:
0. (Only if necessary): introduce a config variable to preserve old behavior to not surprise an operator after an upgrade.
1. Maybe introduce a new permission level.
2. Audit all our asok cmds.