Hi,

I can't reproduce that with a dumpling cluster:

# cat ceph.client.dpm.keyring
[client.dpm]
	key = xxx
	caps mon = "allow r"
	caps osd = "allow x, allow rwx pool=dpm"
# ceph health --id dpm
HEALTH_OK
# ceph auth list --id dpm
Error EACCES: access denied

Cheers, Dan

________________________________________
From: ceph-users-bounces@xxxxxxxxxxxxxx [ceph-users-bounces@xxxxxxxxxxxxxx] on behalf of Gregory Farnum [greg@xxxxxxxxxxx]
Sent: 31 March 2014 19:40
To: Larry Liu
Cc: ceph-users
Subject: Re: Security Hole?

Hmm, this might be considered a bit of a design oversight. Looking at the auth keys is a read operation, and the client has read permissions... You might want to explore the more fine-grained command-based monitor permissions as a workaround, but I've created a ticket to try and close that read permission up:
http://tracker.ceph.com/issues/7919
-Greg
Software Engineer #42 @ http://inktank.com | http://ceph.com

On Fri, Mar 28, 2014 at 11:25 AM, Larry Liu <larryliugml@xxxxxxxxx> wrote:
> Hi everyone,
>
> I'm running 0.72-2-1 on ubuntu. I just created a client with these ACLs:
> caps: [mon] allow r
> caps: [osd] allow rwx pool=cloudstack
>
> So my cloudstack + KVM hypervisors work fine. However, any client can view full details of all the cluster's auth keys by running:
> ceph --id cloudstack --keyring=/etc/ceph/ceph.keyring auth list
>
> Is this a security hole in this version?
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
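As an added illustration of the point Greg makes (a blanket mon read cap is what lets `auth list` succeed for an ordinary client), here is a small keyring audit script. It is not code from this thread or from the Ceph project. It parses the keyring format shown in Dan's reply and flags every entity whose mon cap is a blanket `allow r` / `rw` / `*` rather than a restricted form. The keyring text is constructed; the `allow command "osd tree"` cap on `client.dpm-restricted` is an assumed example of the command-based monitor permission Greg mentions as a workaround, and the key values are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample keyring, modelled on the keyring snippets in the thread.
# Key values are placeholders; client.dpm-restricted's mon cap is an assumed
# example of a command-restricted cap, not something taken from the thread.
SAMPLE_KEYRING = """\
[client.admin]
\tkey = PLACEHOLDER_KEY_ADMIN==
\tcaps mon = "allow *"
\tcaps osd = "allow *"

[client.cloudstack]
\tkey = PLACEHOLDER_KEY_CLOUDSTACK==
\tcaps mon = "allow r"
\tcaps osd = "allow rwx pool=cloudstack"

[client.dpm-restricted]
\tkey = PLACEHOLDER_KEY_DPM==
\tcaps mon = "allow command \\"osd tree\\""
\tcaps osd = "allow x, allow rwx pool=dpm"
"""

SECTION_RE = re.compile(r"^\[(?P<entity>[^\]]+)\]$")
CAP_RE = re.compile(r'^caps\s+(?P<svc>[a-z]+)\s*=\s*"(?P<cap>.*)"$')

# A mon cap granting a blanket read (or wider) on the monitor, independent of command.
BLANKET_MON_READ = re.compile(r"\ballow\s+(?:r|rw|rwx|\*)(?=\s|,|$)")


def parse_keyring(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entity: {service: cap_string}} for every [section] in a keyring."""
    entities: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("entity")
            entities[current] = {}
            continue
        cap = CAP_RE.match(line)
        if cap and current is not None:
            # Unescape \" so a command-restricted cap reads as the monitor would see it.
            entities[current][cap.group("svc")] = cap.group("cap").replace('\\"', '"')
    return entities


def audit_mon_caps(entities: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (entity, mon_cap) pairs whose mon cap is a blanket read or wider."""
    findings: List[Tuple[str, str]] = []
    for entity, caps in sorted(entities.items()):
        mon = caps.get("mon", "")
        if BLANKET_MON_READ.search(mon):
            findings.append((entity, mon))
    return findings


if __name__ == "__main__":
    for entity, mon in audit_mon_caps(parse_keyring(SAMPLE_KEYRING)):
        print(f"{entity}: mon cap '{mon}' grants monitor read access, which covers auth list")
```

Run against a real keyring by feeding the file contents to `parse_keyring`; `client.admin` will be reported as well, since its `allow *` is a blanket cap by design, so treat the output as a list to review rather than a list of defects.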