2112325 – [RGW][RFE][Please, add a more limited capability than 'users=read' for admin API requests that don't require access to users keys. ]

Bug 2112325 - [RGW][RFE][Please, add a more limited capability than 'users=read' for admin API requests that don't require access to users keys. ] [NEEDINFO]

Summary: [RGW][RFE][Please, add a more limited capability than 'users=read' for admin ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	5.1
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	7.1
Assignee:	Ali Maredia
QA Contact:	Hemanth Sai
Docs Contact:	Akash Raj
URL:
Whiteboard:
Depends On:
Blocks:	2267614
TreeView+	depends on / blocked

Reported:	2022-07-29 10:55 UTC by nravinas
Modified:	2024-06-13 14:19 UTC (History)
CC List:	11 users (show)
Fixed In Version:	ceph-18.2.1-14.el9cp
Doc Type:	Enhancement
Doc Text:	.A new Ceph Object Gateway admin-ops capability is added to allow reading user metadata but not their associated authorization keys With this enhancement, a new Ceph Object Gateway admin-ops capability is added to allow reading Ceph Object gateway user metadata but not their associated authorization keys. This is to reduce the privileges of automation and reporting tools and to avoid impersonating users or view their keys.
Clone Of:
Environment:
Last Closed:	2024-06-13 14:19:30 UTC
Embargoed:
Dependent Products:
Flags:	mbenjamin: needinfo? (cbodley) akraj: needinfo? (amaredia)

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	ceph ceph pull 55156	None	open	rgw: add new cap user-without-keys	2024-01-30 16:20:48 UTC
Red Hat Issue Tracker	RHCEPH-4968	None	None	None	2022-07-29 11:04:32 UTC
Red Hat Product Errata	RHSA-2024:3925	None	None	None	2024-06-13 14:19:37 UTC

Description nravinas 2022-07-29 10:55:37 UTC

Description of problem:

Please, add a more limited capability than 'users=read' for admin API requests that don't require access to users' keys.

Comment 19 Ken Dreyer (Red Hat) 2024-01-29 21:53:04 UTC

Ali's https://github.com/ceph/ceph/pull/50313 is closed. What is the next step for this BZ?

Comment 28 errata-xmlrpc 2024-06-13 14:19:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Critical: Red Hat Ceph Storage 7.1 security, enhancements, and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:3925

Note You need to log in before you can comment on or make changes to this bug.