[openstack-dev] [Keystone] internalURL and adminURL of endpoints should not be visible to ordinary user

joehuang joehuang at huawei.com
Sat Nov 29 04:02:50 UTC 2014 

Hello,

if an ordinary user sent a get-token request to KeyStone, internalURL and adminURL of endpoints will also be returned. It'll expose the internal high privilege access address and some internal network topology information to the ordinary user, and leads to the risk for malicious user to attack or hijack the system.

the request to get token for ordinary user:
curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password": "2014"},"tenantName":"huawei"}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens

the response will include internalURL and adminURL of endpoints:
{"access": {"token": {"issued_at": "2014-11-27T02:30:59.218772", "expires": "2014-11-27T03:30:59Z", "id": "b8684d2b68ab49d5988da9197f38a878", "tenant": {"description": "normal Tenant", "enabled": true, "id": "7ed3351cd58349659f0bfae002f76a77", "name": "huawei"}, "audit_ids": ["Ejn3BtaBTWSNtlj7beE9bQ"]}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77", "region": "regionOne", "internalURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77", "id": "170a3ae617a1462c81bffcbc658b7746", "publicURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.67.148.27:9696", "region": "regionOne", "internalURL": "http://10.67.148.27:9696", "id": "7c0f28aa4710438bbd84fd25dbe4daa6", "publicURL": "http://10.67.148.27:9696"}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "http://10.67.148.27:9292", "region": "regionOne", "internalURL": "http://10.67.148.27:9292", "id": "576f41fc8ef14b4f90e516bb45897491", "publicURL": "http://10.67.148.27:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.67.148.27:8777", "region": "regionOne", "internalURL": "http://10.67.148.27:8777", "id": "77d464e146f242aca3c50e10b6cfdaa0", "publicURL": "http://10.67.148.27:8777"}], "endpoints_links": [], "type": "metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": "http://10.67.148.27:6385", "region": "regionOne", "internalURL": "http://10.67.148.27:6385", "id": "1b8177826e0c426fa73e5519c8386589", "publicURL": "http://10.67.148.27:6385"}], "endpoints_links": [], "type": "baremetal", "name": "ironic"}, {"endpoints": [{"adminURL": "http://10.67.148.27:35357/v2.0", "region": "regionOne", "internalURL": "http://10.67.148.27:5000/v2.0", "id": "435ae249fd2a427089cb4bf2e6c0b8e9", "publicURL": "http://10.67.148.27:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "huawei", "roles_links": [], "id": "a88a40a635334e5da2ac3523d9780ed3", "roles": [{"name": "_member_"}], "name": "huawei"}, "metadata": {"is_admin": 0, "roles": ["73b0a1ac6b0c48cb90205c53f2b9e48d"]}}}

At least, the internalURL and adminURL of endpoints should not be returned to ordinary users, only if the admin configured the policy to allow ordinary user has the right to see it.

Best Regards
Chaoyi Huang ( Joe Huang )

More information about the OpenStack-dev mailing list