0.72 is emperor.

On Mar 31, 2014, at 11:00 AM, Dan Van Der Ster <daniel.vanderster at cern.ch> wrote:

> Hi,
> I can't reproduce that with a dumpling cluster:
>
> # cat ceph.client.dpm.keyring
> [client.dpm]
> key = xxx
> caps mon = "allow r"
> caps osd = "allow x, allow rwx pool=dpm"
>
> # ceph health --id dpm
> HEALTH_OK
> # ceph auth list --id dpm
> Error EACCES: access denied
>
> Cheers, Dan
>
> ________________________________________
> From: ceph-users-bounces at lists.ceph.com [ceph-users-bounces at lists.ceph.com] on behalf of Gregory Farnum [greg at inktank.com]
> Sent: 31 March 2014 19:40
> To: Larry Liu
> Cc: ceph-users
> Subject: Re: Security Hole?
>
> Hmm, this might be considered a bit of a design oversight. Looking at
> the auth keys is a read operation, and the client has read
> permissions...
> You might want to explore the more fine-grained command-based monitor
> permissions as a workaround, but I've created a ticket to try and
> close that read permission up:
> http://tracker.ceph.com/issues/7919
> -Greg
> Software Engineer #42 @ http://inktank.com | http://ceph.com
>
>
> On Fri, Mar 28, 2014 at 11:25 AM, Larry Liu <larryliugml at gmail.com> wrote:
>> Hi everyone,
>>
>> I'm running 0.72-2-1 on ubuntu. I just created a client with these ACLs:
>> caps: [mon] allow r
>> caps: [osd] allow rwx pool=cloudstack
>>
>> So my cloudstack + KVM hypervisors work fine. However any client I can view full details of all the cluster's auth keys by running:
>> ceph --id cloudstack --keyring=/etc/ceph/ceph.keyring auth list.
>>
>> Is this a security hole in this version?