[Openstack-security] [Bug 1376915] Re: Ceilometer policy file settings ignored

Matt Riedemann mriedem at us.ibm.com
Thu Oct 23 14:12:43 UTC 2014


So it sounds like the 'workaround' in this case is for the
deployer/application building on ceilometer to change role/project
definitions so non-admin users aren't in the same project as admin
users, and then they won't share access to the same data.

I don't see anyone working either of the blueprints:

https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule
https://blueprints.launchpad.net/ceilometer/+spec/admin-only-api-access

And those have been open for a while.  If people want the design changed
to allow different configurations, the blueprints should be worked.

As Matthew pointed out in comment 12, blueprint changes wouldn't be
backportable, so I'm wondering if there is a more tactical fix here
until the BPs could be implemented?

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1376915

Title:
  Ceilometer policy file settings ignored

Status in OpenStack Telemetry (Ceilometer):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Configuring the ceilometer policy.json file to restrict certain
  actions has no effect whatsoever. This allows all users access to
  sensitive information, such as audit data stored in the http.request
  meter.

  E.g. policy.json file:

  {
      "adm":  "role:admin",

      "default": "!",

      "meter:get_all": "rule:adm",
      "meters:get_all": "rule:adm"
  }

  With the above policy, tokens for users without the admin role are
  still able to access meters, and any token still works for alarms
  despite the default supposedly being to disallow for everyone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1376915/+subscriptions
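To make the expected semantics of the policy file in the bug report concrete, the following is an added example (not Ceilometer or oslo code) that models the subset of the policy language the file uses ("role:<r>", "rule:<name>", "!" and the "default" fallback) and computes the decisions a correctly enforced deployment must return. The action name "alarms:get_all" is a hypothetical target, chosen only to show the default rule catching an undefined action; the policy text is a constructed copy of the one in the report.

```python
import json

# Constructed copy of the policy.json quoted in the bug report.
POLICY_JSON = """
{
    "adm":  "role:admin",
    "default": "!",
    "meter:get_all": "rule:adm",
    "meters:get_all": "rule:adm"
}
"""


def check_rule(rules, rule_name, creds, depth=0):
    """Evaluate one rule against token credentials.

    Models a subset of the policy language: 'role:<r>' (token carries
    the role), 'rule:<name>' (reference to another rule), '!' (always
    deny), '@' (always allow). Undefined targets fall back to 'default'.
    """
    if depth > 16:  # guard against a self-referencing rule chain
        raise ValueError("rule reference chain too deep")
    expr = rules.get(rule_name, rules.get("default", "!"))
    if expr == "!":
        return False
    if expr == "@":
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check_rule(rules, value, creds, depth + 1)
    raise ValueError(f"unsupported check: {expr!r}")


def enforce(policy_text, action, creds):
    """Return True if the policy permits `action` for `creds`."""
    return check_rule(json.loads(policy_text), action, creds)


def expected_decisions(policy_text):
    """Decisions a deployment honouring this policy.json must produce.

    Observing a non-admin token succeed on any of the denied cases is
    the symptom described in the report: policy settings are ignored.
    """
    admin = {"roles": ["admin", "_member_"]}
    member = {"roles": ["_member_"]}
    return {
        "admin meters:get_all": enforce(policy_text, "meters:get_all", admin),
        "member meters:get_all": enforce(policy_text, "meters:get_all", member),
        "admin alarms:get_all": enforce(policy_text, "alarms:get_all", admin),
        "member alarms:get_all": enforce(policy_text, "alarms:get_all", member),
    }
```

Comparing these expected values against what the API actually returns for a member-role token is the check a deployer can use to confirm whether the policy file is being applied at all.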