Restrict admin socket commands more from the Ceph tool
It sounds like we've given admin socket access to any cephx user who has mon w permissions, which isn't really sufficient. They can for instance now force monitor elections on-demand!
#3 Updated by Greg Farnum about 1 year ago
- Tracker changed from Feature to Bug
- Priority changed from Normal to High
- Regression set to No
- Severity set to 3 - minor
Radek, I think this was misunderstood. It's a security issue that resulted from exposing all admin socket commands via the "tell" interface.
So you don't need monitor access, only fairly normal user permissions, and can then run commands that, when implemented, we assumed required privileged access to the monitor host to run!
(Sorry for the late update.)
#4 Updated by Radoslaw Zarzynski about 1 year ago
- Tags set to medium-hanging-fruit
Tagging as medium-hanging-fruit as, IIUC, we would need to:
0. (only if necessary): introduce a config variable to preserve old behavior to not surprise an operator after an upgrade.
1. maybe introduce new permission level.
2. audit all our asok cmds.
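The exposure described in this ticket hinges on which cephx entities hold mon write (`w`) or wildcard (`*`) caps, since those are the entities that can reach admin socket commands through `tell`. The following is an added example, not code from the Ceph project or from anyone on this ticket: a small auditing script that parses the text shape of `ceph auth ls` output and lists the entities whose `[mon]` caps grant write or wildcard access, so an operator can see who is affected before and after tightening caps. The sample output embedded below is constructed (placeholder keys, invented entity names); the classification of `profile` caps as "review manually" is an assumption, since profile expansions depend on the Ceph release.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `ceph auth ls` output. Keys are placeholders,
# entity names are invented; only the layout mirrors the real command.
SAMPLE_AUTH_LS = """\
installed auth entries:

client.admin
\tkey: PLACEHOLDER-KEY-ADMIN==
\tcaps: [mds] allow *
\tcaps: [mgr] allow *
\tcaps: [mon] allow *
\tcaps: [osd] allow *
client.backup
\tkey: PLACEHOLDER-KEY-BACKUP==
\tcaps: [mon] allow r
\tcaps: [osd] allow rw pool=backups
client.rgw.gw1
\tkey: PLACEHOLDER-KEY-RGW==
\tcaps: [mon] allow rw
\tcaps: [osd] allow rwx
client.readonly
\tkey: PLACEHOLDER-KEY-RO==
\tcaps: [mon] allow r, allow command "osd tree"
osd.0
\tkey: PLACEHOLDER-KEY-OSD0==
\tcaps: [mgr] allow profile osd
\tcaps: [mon] allow profile osd
\tcaps: [osd] allow *
"""

# An entity line is a single unindented token such as "client.admin" or "osd.0".
ENTITY_RE = re.compile(r"^(\S+)$")
# A cap line is indented and looks like "caps: [mon] allow rw".
CAP_RE = re.compile(r"^\s+caps:\s+\[(\w+)\]\s+(.*)$")


def parse_auth_ls(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `ceph auth ls` text into {entity: {daemon_type: cap_string}}.

    Lines that are neither an entity name nor a caps line (the header,
    blank separators, the key line) are ignored.
    """
    entities: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(1)
            entities[current] = {}
            continue
        m = CAP_RE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
    return entities


def classify_mon_cap(cap: str) -> str:
    """Classify a [mon] cap string as 'write', 'profile', 'read' or 'none'.

    'write'   : any clause grants '*' or a permission set containing 'w'
    'profile' : a profile cap (assumption: treat as needing manual review,
                because profile expansions vary by release)
    'read'    : only read-style clauses such as 'allow r' or 'allow command ...'
    """
    result = "none"
    for clause in cap.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow":
            continue
        grant = tokens[1]
        if grant == "*" or "w" in grant:
            return "write"
        if grant == "profile":
            result = "profile"
        elif "r" in grant and result == "none":
            result = "read"
    return result


def find_mon_writers(text: str) -> List[Tuple[str, str]]:
    """Return (entity, classification) for entities whose mon caps are
    'write' or 'profile', sorted by entity name."""
    flagged = []
    for entity, caps in parse_auth_ls(text).items():
        kind = classify_mon_cap(caps.get("mon", ""))
        if kind in ("write", "profile"):
            flagged.append((entity, kind))
    return sorted(flagged)


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it
    # the captured output of `ceph auth ls`.
    for entity, kind in find_mon_writers(SAMPLE_AUTH_LS):
        print(f"{entity}: mon caps grant {kind} access")
```

Entities reported as `write` are the ones this ticket is about: they hold mon write or wildcard caps without necessarily needing them, and are the first candidates for narrowing to `allow r` (or to specific `allow command` grants) once the affected asok commands have been audited.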