<p>The internal URL is used for more than just admin actions, and admin is no longer a global flag, so this restriction is not suitable.</p>
<p>Duncan Thomas</p>
<div class="gmail_quote">On Nov 29, 2014 6:08 AM, "joehuang" <<a href="mailto:joehuang@huawei.com">joehuang@huawei.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
If an ordinary user sends a get-token request to Keystone, the internalURL and adminURL of the endpoints are also returned. This exposes the internal high-privilege access address and some internal network topology information to the ordinary user, and leads to the risk of a malicious user attacking or hijacking the system.<br>
<br>
The request to get a token for an ordinary user:<br>
curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password": "2014"},"tenantName":"huawei"}}' -H "Content-type: application/json" <a href="http://localhost:5000/v2.0/tokens" target="_blank">http://localhost:5000/v2.0/tokens</a><br>
<br>
The response will include the internalURL and adminURL of the endpoints:<br>
{"access": {"token": {"issued_at": "2014-11-27T02:30:59.218772", "expires": "2014-11-27T03:30:59Z", "id": "b8684d2b68ab49d5988da9197f38a878", "tenant": {"description": "normal Tenant", "enabled": true, "id": "7ed3351cd58349659f0bfae002f76a77", "name": "huawei"}, "audit_ids": ["Ejn3BtaBTWSNtlj7beE9bQ"]}, "serviceCatalog": [{"endpoints": [{"adminURL": "<a href="http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77" target="_blank">http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77</a>", "region": "regionOne", "internalURL": "<a href="http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77" target="_blank">http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77</a>", "id": "170a3ae617a1462c81bffcbc658b7746", "publicURL": "<a href="http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77" target="_blank">http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77</a>"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "<a href="http://10.67.148.27:9696" target="_blank">http://10.67.148.27:9696</a>", "region": "regionOne", "internalURL": "<a href="http://10.67.148.27:9696" target="_blank">http://10.67.148.27:9696</a>", "id": "7c0f28aa4710438bbd84fd25dbe4daa6", "publicURL": "<a href="http://10.67.148.27:9696" target="_blank">http://10.67.148.27:9696</a>"}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "<a href="http://10.67.148.27:9292" target="_blank">http://10.67.148.27:9292</a>", "region": "regionOne", "internalURL": "<a href="http://10.67.148.27:9292" target="_blank">http://10.67.148.27:9292</a>", "id": "576f41fc8ef14b4f90e516bb45897491", "publicURL": "<a href="http://10.67.148.27:9292" target="_blank">http://10.67.148.27:9292</a>"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "<a href="http://10.67.148.27:8777" target="_blank">http://10.67.148.27:8777</a>", "region": "regionOne", "internalURL": "<a href="http://10.67.148.27:8777" target="_blank">http://10.67.148.27:8777</a>", "id": "77d464e146f242aca3c50e10b6cfdaa0", "publicURL": "<a href="http://10.67.148.27:8777" target="_blank">http://10.67.148.27:8777</a>"}], "endpoints_links": [], "type": "metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": "<a href="http://10.67.148.27:6385" target="_blank">http://10.67.148.27:6385</a>", "region": "regionOne", "internalURL": "<a href="http://10.67.148.27:6385" target="_blank">http://10.67.148.27:6385</a>", "id": "1b8177826e0c426fa73e5519c8386589", "publicURL": "<a href="http://10.67.148.27:6385" target="_blank">http://10.67.148.27:6385</a>"}], "endpoints_links": [], "type": "baremetal", "name": "ironic"}, {"endpoints": [{"adminURL": "<a href="http://10.67.148.27:35357/v2.0" target="_blank">http://10.67.148.27:35357/v2.0</a>", "region": "regionOne", "internalURL": "<a href="http://10.67.148.27:5000/v2.0" target="_blank">http://10.67.148.27:5000/v2.0</a>", "id": "435ae249fd2a427089cb4bf2e6c0b8e9", "publicURL": "<a href="http://10.67.148.27:5000/v2.0" target="_blank">http://10.67.148.27:5000/v2.0</a>"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "huawei", "roles_links": [], "id": "a88a40a635334e5da2ac3523d9780ed3", "roles": [{"name": "_member_"}], "name": "huawei"}, "metadata": {"is_admin": 0, "roles": ["73b0a1ac6b0c48cb90205c53f2b9e48d"]}}}<br>
<br>
At least, the internalURL and adminURL of the endpoints should not be returned to ordinary users, unless the admin has configured the policy to allow ordinary users the right to see them.<br>
<br>
Best Regards<br>
Chaoyi Huang (Joe Huang)<br>
<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div>
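<p>As an added illustration of the proposal in the quoted post (not code from Keystone or from either poster): a role-gated filter that strips internalURL/adminURL from a v2.0 token response's service catalog, and an audit helper that reports which non-public URLs reveal a host:port not already visible through the publicURL. The PRIVILEGED_ROLES policy knob and the sample response are assumptions; the IPs and ids are constructed.</p>

```python
import copy
from urllib.parse import urlsplit

# Hypothetical policy knob: roles allowed to see non-public interfaces.
PRIVILEGED_ROLES = {"admin"}
NON_PUBLIC_KEYS = ("internalURL", "adminURL")

# Constructed sample in the v2.0 token response shape (IPs and ids made up).
SAMPLE = {"access": {
    "token": {"id": "tok0000", "tenant": {"id": "t1", "name": "demo"}},
    "user": {"name": "demo", "roles": [{"name": "_member_"}]},
    "serviceCatalog": [
        {"name": "nova", "type": "compute", "endpoints": [{
            "publicURL": "http://203.0.113.10:8774/v2/t1",
            "internalURL": "http://203.0.113.10:8774/v2/t1",
            "adminURL": "http://203.0.113.10:8774/v2/t1", "region": "r1"}]},
        {"name": "keystone", "type": "identity", "endpoints": [{
            "publicURL": "http://203.0.113.10:5000/v2.0",
            "internalURL": "http://10.0.0.5:5000/v2.0",
            "adminURL": "http://10.0.0.5:35357/v2.0", "region": "r1"}]}]}}


def filter_catalog(response, allowed_roles=PRIVILEGED_ROLES):
    """Copy of the response with internalURL/adminURL stripped from every
    endpoint unless the token's user holds a role in allowed_roles."""
    out = copy.deepcopy(response)
    roles = {r["name"] for r in out["access"]["user"]["roles"]}
    if roles & allowed_roles:
        return out  # policy grants the full catalog to this user
    for svc in out["access"]["serviceCatalog"]:
        for ep in svc["endpoints"]:
            for key in NON_PUBLIC_KEYS:
                ep.pop(key, None)
    return out


def leaked_hosts(response):
    """(service, key, host:port) for each non-public URL whose host:port is
    not already visible through the publicURL, i.e. the topology leak."""
    leaks = []
    for svc in response["access"]["serviceCatalog"]:
        for ep in svc["endpoints"]:
            public = urlsplit(ep.get("publicURL", "")).netloc
            for key in NON_PUBLIC_KEYS:
                netloc = urlsplit(ep.get(key, "")).netloc
                if netloc and netloc != public:
                    leaks.append((svc["name"], key, netloc))
    return leaks
```

<p>Run leaked_hosts() over the response an ordinary user actually receives to see what the catalog discloses, and filter_catalog() to see what a policy-gated response would look like.</p>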