Hmm, this might be considered a bit of a design oversight. Looking at the auth keys is a read operation, and the client has read permissions... You might want to explore the more fine-grained command-based monitor permissions as a workaround, but I've created a ticket to try and close that read permission up: http://tracker.ceph.com/issues/7919 -Greg Software Engineer #42 @ http://inktank.com | http://ceph.com
On Fri, Mar 28, 2014 at 11:25 AM, Larry Liu <[email protected]> wrote: > Hi everyone, > > I'm running 0.72-2-1 on ubuntu. I just created a client with these ACLs: > caps: [mon] allow r > caps: [osd] allow rwx pool=cloudstack > > So my cloudstack + KVM hypervisors work fine. However any client I can view > full details of all the cluster's auth keys by running: > ceph --id cloudstack --keyring=/etc/ceph/ceph.keyring auth list. > > Is this a security hole in this version? > > _______________________________________________ > ceph-users mailing list > [email protected] > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > _______________________________________________ ceph-users mailing list [email protected] http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
