[Openstack-security] [Bug 1376915] Re: Ceilometer policy file settings ignored

Matthew Edmonds edmondsw at us.ibm.com
Mon Oct 13 16:17:07 UTC 2014


I wouldn't expect full implementation of those blueprints to get
backported to previous releases, but is full implementation of those
blueprints necessary to close the security issue that is allowing non-
admin users access to information which only admins should be able to
see? I would expect a more limited fix to close this hole in Juno and be
backported to previous releases, with the full blueprint implementations
coming in later.

https://bugs.launchpad.net/bugs/1376915

Title:
  Ceilometer policy file settings ignored

Status in OpenStack Telemetry (Ceilometer):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Configuring the ceilometer policy.json file to restrict certain
  actions has no effect whatsoever. This allows all users access to
  sensitive information, such as audit data stored in the http.request
  meter.

  E.g. policy.json file:

  {
      "adm":  "role:admin",

      "default": "!",

      "meter:get_all": "rule:adm",
      "meters:get_all": "rule:adm"
  }

  With the above policy, tokens for users without the admin role are
  still able to access meters, and any token still works for alarms
  despite the default supposedly being to disallow for everyone.

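To make the expected behaviour of that policy file concrete, here is an added example (my own code for this discussion, not Ceilometer's or oslo.policy's) that evaluates the rule language subset the bug report uses ("!", "@", "role:<name>", "rule:<name>", "and"/"or") against a token's roles. Everything about it is an assumption made for illustration: the evaluator is a simplified stand-in for the real policy engine, the action name "alarms:get_all" is hypothetical, and the "serve" function stands for whatever API handler should be calling enforce. With the posted policy, a correctly wired enforcer must deny meters to non-admin tokens and deny the alarm action to everyone, because "default" is "!" and no rule lists it; the report says both checks were being skipped.

```python
import json

# policy.json from the bug report, embedded inline so this runs offline.
POLICY_JSON = """
{
    "adm":  "role:admin",
    "default": "!",
    "meter:get_all": "rule:adm",
    "meters:get_all": "rule:adm"
}
"""


class PolicyEnforcer:
    """Simplified evaluator for the policy rule language subset used above.

    Assumption: this mirrors the rule semantics closely enough for the
    example; it is NOT oslo.policy and handles only '!', '@', the empty
    rule, 'role:<name>', 'rule:<name>', and 'and' / 'or' between checks.
    """

    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def enforce(self, action, creds):
        # Unlisted actions fall back to "default"; with no default, deny
        # (fail closed). This is the decision the report says never happened.
        expr = self.rules.get(action, self.rules.get("default", "!"))
        return self._eval(expr, creds, depth=0)

    def _eval(self, expr, creds, depth):
        if depth > 20:  # guard against a policy whose rules refer to each other
            raise ValueError("rule recursion too deep")
        expr = expr.strip()
        # 'or' binds more loosely than 'and', so split on it first.
        if " or " in expr:
            return any(self._eval(p, creds, depth + 1) for p in expr.split(" or "))
        if " and " in expr:
            return all(self._eval(p, creds, depth + 1) for p in expr.split(" and "))
        if expr == "!":
            return False
        if expr in ("@", ""):
            return True
        kind, _, match = expr.partition(":")
        if kind == "role":
            return match in creds.get("roles", [])
        if kind == "rule":
            # Reference to another named rule, e.g. "rule:adm" -> "role:admin".
            return self._eval(self.rules.get(match, "!"), creds, depth + 1)
        # Any check type this toy evaluator does not understand is a denial.
        return False


def serve_meters(enforcer, creds, meters):
    """Hypothetical API handler: the enforce call has to sit in front of the
    data, otherwise the policy file is decorative."""
    if not enforcer.enforce("meter:get_all", creds):
        raise PermissionError("meter:get_all denied by policy")
    return meters


def expected_decisions(policy_text=POLICY_JSON):
    """Decisions a working enforcer gives for the posted policy."""
    enforcer = PolicyEnforcer(policy_text)
    admin = {"roles": ["admin", "member"]}
    member = {"roles": ["member"]}  # non-admin token
    return {
        ("meter:get_all", "admin"): enforcer.enforce("meter:get_all", admin),
        ("meter:get_all", "member"): enforcer.enforce("meter:get_all", member),
        # "alarms:get_all" is a made-up action name; it only has to be
        # absent from the policy so the "!" default applies.
        ("alarms:get_all", "admin"): enforcer.enforce("alarms:get_all", admin),
        ("alarms:get_all", "member"): enforcer.enforce("alarms:get_all", member),
    }


if __name__ == "__main__":
    for (action, who), allowed in expected_decisions().items():
        print(f"{action:16} {who:7} -> {'allow' if allowed else 'deny'}")
    # Constructed sample data: a single http.request audit record.
    sample = [{"counter_name": "http.request", "resource_id": "constructed"}]
    try:
        serve_meters(PolicyEnforcer(POLICY_JSON), {"roles": ["member"]}, sample)
    except PermissionError as exc:
        print("member:", exc)
```

The useful check when auditing a deployment is the second table column: if a token with only the member role gets meter data back from the real service while this evaluator says deny, the service is not consulting the policy at all, which is exactly what the reporter observed.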
