Description of problem:
all endpoints are accessible to any host

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. request any endpoint from a non-local server

Actual results:
HTTP API responds

Expected results:
No responses except for /setup/*/ endpoints

Additional info:
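An added example (not ceph-installer's own code) of the access rule the expected results describe: a WSGI wrapper that answers remote clients only on /setup/*/ paths and serves everything else to loopback clients only. The path pattern, the middleware name and the demo app are assumptions; it checks the socket peer address only, so it does not cover the separate point raised in the comments that any local user can still reach a localhost-only API.

```python
import ipaddress
import re

# Paths that stay reachable from any host. The pattern is an assumption derived
# from the report's "/setup/*/" wording, not ceph-installer's actual routing.
SETUP_PATH = re.compile(r"^/setup/[^/]+/$")


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, including IPv4-mapped ::ffff:127.x.x.x."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable peer address is never trusted as local
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def allowed(path, remote_addr):
    """Access rule from the report: /setup/*/ is reachable from anywhere,
    every other endpoint only from the loopback interface."""
    if SETUP_PATH.match(path):
        return True
    return is_loopback(remote_addr)


class LoopbackOnlyMiddleware:
    """Hypothetical WSGI wrapper enforcing allowed(). It deliberately reads
    REMOTE_ADDR (the TCP peer) and ignores X-Forwarded-For, which a remote
    client could set freely."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not allowed(environ.get("PATH_INFO", ""), environ.get("REMOTE_ADDR", "")):
            body = b"forbidden: endpoint is local-only\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(path, remote_addr):
    """Run one constructed request through the wrapper; return the status line."""
    seen = {}
    app = LoopbackOnlyMiddleware(_demo_app)
    list(app({"PATH_INFO": path, "REMOTE_ADDR": remote_addr},
             lambda status, headers, exc_info=None: seen.setdefault("status", status)))
    return seen["status"]
```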
This will need a bit more clarification. Even if requests to the installer are narrowed down to only localhost, it means that *any* user on the machine will be able to interact with the installer API. That would defeat a lot of the purpose of restricting the access to localhost only. It would be similar to allowing ceph-deploy to be used by any user on the system: it can be completely destructive to do so. If the path to further restrict this translates to requiring a secret/token/pass of any kind for the API to be able to function, then we will need to punt this to a later version.
Is this a requirement from product or security? Do we need to consider this?
Verified this on build: ceph-installer-1.2.2-1.el7scon
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:0515