1312443 – restrict access to endpoints to localhost only

Bug 1312443 - restrict access to endpoints to localhost only

Summary: restrict access to endpoints to localhost only

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Storage Console
Classification:	Red Hat Storage
Component:	ceph-installer
Sub Component:
Version:	2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	2
Assignee:	Andrew Schoen
QA Contact:	Tejas
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-26 17:20 UTC by Alfredo Deza
Modified:	2017-06-16 20:27 UTC (History)
CC List:	11 users (show)
Fixed In Version:	ceph-installer-1.2.2-1.el7scon
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-14 15:50:28 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1460154	0	unspecified	CLOSED	links to ceph-installer web UI	2023-01-17 16:33:34 UTC
Red Hat Product Errata	RHSA-2017:0515	0	normal	SHIPPED_LIVE	Important: ansible and ceph-ansible security, bug fix, and enhancement update	2017-04-18 21:12:31 UTC

Internal Links: 1460154

Description Alfredo Deza 2016-02-26 17:20:28 UTC

Description of problem: all endpoints are accessible to any host


Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. request any endpoint from a non-local server

Actual results: HTTP API responds


Expected results: No responses except for /setup/*/ endpoints


Additional info:

Comment 3 Alfredo Deza 2016-03-03 22:13:35 UTC

This will need a bit more clarification. Even if requests to the installer are narrowed down to only localhost, it means that *any* user in the machine will be able to interact with the installer API.

That would defeat a lot of the purpose of restricting the access to localhost only. It would be similar to allowing ceph-deploy to be used by any user on the system: it can be completely destructive to do so.

If the path to further restrict this translates to requiring a secret/token/pass of any kind for the API to be able to function then we will need to punt this to a later version.

Comment 9 Christina Meno 2017-01-17 16:54:25 UTC

Is this a requirement from product or security? Do we need to consider this?

Comment 22 Tejas 2017-02-20 10:43:45 UTC

Verified this on build:
ceph-installer-1.2.2-1.el7scon

Comment 24 errata-xmlrpc 2017-03-14 15:50:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0515

Note You need to log in before you can comment on or make changes to this bug.