Bug #44237

Updated by Ernesto Puerta almost 3 years ago

Some system roles (@pool-manager@, @cephfs-manager@, @ganesha-manager@ etc) have the @configOpt@ read permissions enabled, which allows to read all cluster config options and manager module config options. The latter includes RGW keys or Grafana user/admin, plus any sensitive information used by existing or new modules. As dashboard cannot control what new information is exposed by these modules, the suggestion is to remove that read permission from all system roles except the specific management ones (@adminstrator@ and @cluster-manager@).

The reason why configOpts was added to those roles is that at some point they require access to some cluster configuration settings:
* **@pool-manager@**: checks @/api/cluster_conf/osd_pool_default_pg_autoscale_mode@. This parameter could/should also be exposed via @/api/pools/_info@, which already returns other ceph config params (e.g.: @bluestore_compression_algorithm@).
* **@ganesha-manager@, @cephfs-manager@, @rgw-manager@**: I couldn't find any direct dependency with cluster config options.

different case is the @read-only@ role. While it initially makes sense to allow @configOpt@ read permission, dashboard administrator might guess that @read-only@ perfectly fits for a @guest@/low-privileged user. On the contrary, a @read-only@ user has access to the same sensitive data as mentioned above.

Suggested next steps:
* - Discuss and agree on @read-only@ user with/without access to @configOpts@. This could improve by splitting it into 2: @administrator-read-only@ and @guest@ (without the read permission on sensitive data). As I'm against adding more roles, I'd simply leave the low-privilege @guest@ one.
* - Make @pool-form@ get @osd_pool_default_pg_autoscale_mode@ from @/pool/_info@.
* - Remove @configOpt@ read perm (and test) in all other roles.