[Openstack-security] [Bug 1376915] Re: Ceilometer policy file settings ignored

Matthew Edmonds edmondsw at us.ibm.com
Fri Oct 24 13:44:58 UTC 2014


I don't see any way to work around this security issue with role/project
definition restructuring... Unless you're suggesting we have a separate
project for each non-admin user (which is obviously unworkable), non-admins
in the same project would have access to each other's data. Non-admin users
must not be allowed access to anyone else's data.

I'm not familiar enough with the alarms and resources portions of the
ceilometer API to speak there, but when it comes to meters I think the
simplest option for a backportable solution would be to restrict meters
requests to admins until those blueprints can be implemented. Another
option would be allowing anyone to make the requests but filtering the
results that are returned such that non-admin users only get back data
for themselves.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1376915

Title:
  Ceilometer policy file settings ignored

Status in OpenStack Telemetry (Ceilometer):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Configuring the ceilometer policy.json file to restrict certain
  actions has no effect whatsoever. This allows all users access to
  sensitive information, such as audit data stored in the http.request
  meter.

  E.g. policy.json file:

  {
      "adm":  "role:admin",

      "default": "!",

      "meter:get_all": "rule:adm",
      "meters:get_all": "rule:adm"
  }

  With the above policy, tokens for users without the admin role are
  still able to access meters, and any token still works for alarms
  despite the default supposedly being to disallow for everyone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1376915/+subscriptions
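As an added illustration (not ceilometer's or oslo.policy's own code), the following minimal evaluator for the rule forms used in the quoted policy.json shows what that file is supposed to enforce: tokens with the admin role may list meters, other tokens are denied, and any target not listed, such as alarms, falls to the "default" rule "!" and is denied for everyone. The function names `check_rule` and `enforce` and the role names in the sample calls are my own assumptions.

```python
"""Minimal evaluator for the policy.json rules quoted in the bug report.

Added illustration only; this is not ceilometer's or oslo.policy's code.
It supports just the rule forms in the quoted file: "role:<name>",
"rule:<name>", "!" (deny everyone), "" or "@" (allow everyone), and the
"default" fallback for targets that are not listed.
"""
import json

# The policy.json from the bug report, embedded so the script runs offline.
POLICY_JSON = """
{
    "adm":  "role:admin",
    "default": "!",
    "meter:get_all": "rule:adm",
    "meters:get_all": "rule:adm"
}
"""


def load_policy(text):
    return json.loads(text)


def check_rule(rules, rule, roles, depth=0):
    """Return True if `rule` grants access to a token carrying `roles`."""
    if depth > 10:  # guard against "a": "rule:a" loops in a hand-edited file
        raise ValueError("rule recursion too deep")
    rule = rule.strip()
    if rule == "!":
        return False
    if rule in ("", "@"):
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        # an undefined rule name is treated as deny, the safe default
        return check_rule(rules, rules.get(value, "!"), roles, depth + 1)
    raise ValueError("unsupported rule: %r" % rule)


def enforce(rules, target, roles):
    """Decide `target` (e.g. "meters:get_all"); unlisted targets use "default"."""
    rule = rules.get(target, rules.get("default", "!"))
    return check_rule(rules, rule, roles)


RULES = load_policy(POLICY_JSON)

if __name__ == "__main__":
    for target, roles in [("meters:get_all", ["admin"]),
                          ("meters:get_all", ["member"]),
                          ("alarms:get_all", ["member"])]:
        print(target, roles, "allowed" if enforce(RULES, target, roles) else "denied")
```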