[openstack-dev] [OSSN 0055] Service accounts may have cloud admin privileges

Nathan Kinder nkinder at redhat.com
Thu Sep 17 18:47:25 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Service accounts may have cloud admin privileges
- ---

### Summary ###
OpenStack services (for example Nova and Glance) typically use a
service account in Keystone to perform actions.  In some cases this
service account has full admin privileges, may therefore perform any
action on your cloud, and should be protected appropriately.

### Affected Services / Software ###
Most OpenStack services / all versions

### Discussion ###
In many cases, OpenStack services require an OpenStack account to
perform API actions such as validating Keystone tokens.  Some
deployment tools grant administrative level access to these service
accounts, making these accounts very powerful.

A service account with administrator access could be used to:

  - destroy/modify/access data
  - create or destroy admin accounts
  - potentially escalate to undercloud access
  - log in to Horizon

### Recommended Actions ###
Service accounts can use the "service" role rather than admin.  You
can check what role the service account has by performing the following
steps:

1. List roles:

     openstack role list

2. Check the role assignment for the service user in question:

     openstack role assignment list --user <service_user>

3. Compare the ID listed in the "role" column from step 2 with the role
IDs listed in step 1.  If the role is listed as "admin", the service
account has full admin privileges on the cloud.

It is possible to change the role to "service" for some accounts but
this may have unexpected consequences for services such as Nova and
Neutron, and is therefore not recommended for inexperienced admins.

If a service account does have admin, it's advisable to closely
monitor login events for that user to ensure that it is not used
unexpectedly.  In particular, pay attention to unusual IPs using the
service account.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0055
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1464750
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJV+wq9AAoJEJa+6E7Ri+EVxgUH/2EEDXgPQn0TZpds9kK10mVC
jsi8Y/OEAJD2xnUS+ZkT0GbpopOJa3XRWKUmPCufYDz5Ay3ATyTfMuSdH519ZDK6
0sfZmSZK/AKXALFoUUBB1J2QckmrbH9tvMlr3NQ6f1a4MT0UIgkQvGZnduGSF9Gm
aglGWcuhL7TvzuuawwHoivDtWdNWEYOgrvG1779U6uSz9Dj23GvQQwn79y6JE7qt
N2D9dcxqXBlOV+hfcidJVzZ9FvEz7YY2yHZ9EK1apCinDhRin8CH+0W5Ukbur2K+
I1JtvIqMHddoKu6REqQCe3vyme7IHUuYYpiwJgT3yNBDlk+3nbjwRLcUpW4XNPk=
=cGtS
-----END PGP SIGNATURE-----



More information about the OpenStack-dev mailing list