Posted to dev@trafficcontrol.apache.org by "Gelinas, Derek" <De...@comcast.com> on 2017/03/16 16:04:14 UTC

Proposed change to UI::Parameter conceal_secure_parameter_value

Currently secure parameters are restricted to admin level access.  I propose that we expand this to operations level access.  Operations already have access to the DB dumps, so already basically have access to these values.  I’d like to know if there are any objections or thoughts on this.

Derek


Derek Gelinas
IPCDN Engineering
Derek_Gelinas@cable.comcast.com<ma...@cable.comcast.com>
603.812.5379


Re: Proposed change to UI::Parameter conceal_secure_parameter_value

Posted by Jeffrey Martin <ma...@gmail.com>.
Hi,
My 2 cents are as follows:

1. What is the purpose of the operator user? (from how I understand, oper
can do everything but add, modify and remove users) If the admin password
is opened to the oper user, this effectively removes the distinction
because the operator can now log in as the admin user and make this
modification. If there is a risk, it would be in the fact that the operator
can dump the database to get the password. (which in my opinion
should be restricted, but just my opinion.)
2. The administrative password should probably be encrypted in the
database. This will prevent anyone from getting access to it without having
to do a lot of computational work.


Side question, in the traffic control documentation the ort runs with the
following:

admin:password

What is the user level requirement for the ort script to run correctly?
(Must it be admin?, hoping it can be some low privileged operator user that
can update that the system has been updated...)

Jeff

On Fri, Mar 17, 2017 at 6:14 PM, Jeremy Mitchell <mi...@gmail.com>
wrote:

> Seems ok to me.
>
> Jeremy
>
> On Thu, Mar 16, 2017 at 10:04 AM, Gelinas, Derek <
> Derek_Gelinas@comcast.com>
> wrote:
>
> > Currently secure parameters are restricted to admin level access.  I
> > propose that we expand this to operations level access.  Operations
> already
> > have access to the DB dumps, so already basically have access to these
> > values.  I’d like to know if there are any objections or thoughts on
> this.
> >
> > Derek
> >
> >
> > Derek Gelinas
> > IPCDN Engineering
> > Derek_Gelinas@cable.comcast.com<ma...@cable.comcast.com>
> > 603.812.5379
> >
> >
>

Re: Proposed change to UI::Parameter conceal_secure_parameter_value

Posted by Jeremy Mitchell <mi...@gmail.com>.
Seems ok to me.

Jeremy

On Thu, Mar 16, 2017 at 10:04 AM, Gelinas, Derek <De...@comcast.com>
wrote:

> Currently secure parameters are restricted to admin level access.  I
> propose that we expand this to operations level access.  Operations already
> have access to the DB dumps, so already basically have access to these
> values.  I’d like to know if there are any objections or thoughts on this.
>
> Derek
>
>
> Derek Gelinas
> IPCDN Engineering
> Derek_Gelinas@cable.comcast.com<ma...@cable.comcast.com>
> 603.812.5379
>
>