Bug 1312443

Summary: restrict access to endpoints to localhost only
Product: [Red Hat Storage] Red Hat Storage Console Reporter: Alfredo Deza <adeza>
Component: ceph-installerAssignee: Andrew Schoen <aschoen>
Status: CLOSED ERRATA QA Contact: Tejas <tchandra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2CC: adeza, ceph-eng-bugs, dahorak, edonnell, gmeno, hnallurv, kdreyer, nlevine, nthomas, sankarshan, sisharma
Target Milestone: ---   
Target Release: 2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-installer-1.2.2-1.el7scon Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-14 15:50:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alfredo Deza 2016-02-26 17:20:28 UTC 
Description of problem: all endpoints are accessible to any host


Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. request any endpoint from a non-local server

Actual results: HTTP API responds


Expected results: No responses except for /setup/*/ endpoints


Additional info:
Comment 3 Alfredo Deza 2016-03-03 22:13:35 UTC 
This will need a bit more clarification. Even if requests to the installer are narrowed down to only localhost, it means that *any* user in the machine will be able to interact with the installer API.

That would defeat a lot of the purpose of restricting the access to localhost only. It would be similar to allowing ceph-deploy to be used by any user on the system: it can be completely destructive to do so.

If the path to further restrict this translates to requiring a secret/token/pass of any kind for the API to be able to function then we will need to punt this to a later version.
Comment 9 Christina Meno 2017-01-17 16:54:25 UTC 
Is this a requirement from product or security? Do we need to consider this?
Comment 22 Tejas 2017-02-20 10:43:45 UTC 
Verified this on build:
ceph-installer-1.2.2-1.el7scon
Comment 24 errata-xmlrpc 2017-03-14 15:50:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0515