[Openstack-security] [Bug 1376915] Re: Access to sensitive audit data is not properly restricted
Matthew Edmonds
edmondsw at us.ibm.com
Fri Oct 31 15:57:41 UTC 2014
** Description changed:
- Configuring the ceilometer policy.json file to restrict certain actions
- has no effect whatsoever. This allows all users access to sensitive
- information, such as audit data stored in the http.request meter.
+ Audit data stored in http.request and http.response meters is not being
+ adequately protected. Admins are allowed to access audit data for all
+ projects rather than just their own. Non-admins are allowed to access
+ audit data for all users within their project rather than just
+ themselves. A non-admin user should not be able to see what other users
+ are doing, and being an admin in project A does not make you an admin in
+ project B.
- E.g. policy.json file:
+ The following blueprints acknowledge the lack of this support. To quote
+ one: "as ceilometer collects more and more different types of data...
+ some of the data collected may be 'privileged' data that only admins
+ should have access to regardless of membership to a tenant (ie. audit
+ data should only be visible to admins)". That day has come, and the
+ implementation of these blueprints is still missing. At this point there
+ is a security hole here (data exposure) which needs to be plugged
+ immediately, either with the implementation of one of these blueprints
+ (which should probably be merged together) or by a less flexible but
+ more easily implemented stopgap measure. Given time constraints and the
+ urgency of closing this hole, I propose the latter, though the
+ blueprints will obviously still be necessary for a more robust and
+ complete solution.
- {
- "adm": "role:admin",
-
- "default": "!",
-
- "meter:get_all": "rule:adm",
- "meters:get_all": "rule:adm"
- }
-
- With the above policy, tokens for users without the admin role are still
- able to access meters, and any token still works for alarms despite the
- default supposedly being to disallow for everyone.
+ https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule
+ and https://blueprints.launchpad.net/ceilometer/+spec/admin-only-api-
+ access and https://blueprints.launchpad.net/ceilometer/+spec/ready-
+ ceilometer-rbac-keystone-v3
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1376915
Title:
Access to sensitive audit data is not properly restricted
Status in OpenStack Telemetry (Ceilometer):
In Progress
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Audit data stored in http.request and http.response meters is not
being adequately protected. Admins are allowed to access audit data
for all projects rather than just their own. Non-admins are allowed to
access audit data for all users within their project rather than just
themselves. A non-admin user should not be able to see what other
users are doing, and being an admin in project A does not make you an
admin in project B.
The following blueprints acknowledge the lack of this support. To
quote one: "as ceilometer collects more and more different types of
data... some of the data collected may be 'privileged' data that only
admins should have access to regardless of membership to a tenant (ie.
audit data should only be visible to admins)". That day has come, and
the implementation of these blueprints is still missing. At this point
there is a security hole here (data exposure) which needs to be
plugged immediately, either with the implementation of one of these
blueprints (which should probably be merged together) or by a less
flexible but more easily implemented stopgap measure. Given time
constraints and the urgency of closing this hole, I propose the
latter, though the blueprints will obviously still be necessary for a
more robust and complete solution.
https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule
and https://blueprints.launchpad.net/ceilometer/+spec/admin-only-api-access
and https://blueprints.launchpad.net/ceilometer/+spec/ready-ceilometer-rbac-keystone-v3
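Added illustration (not Ceilometer's, oslo.policy's, or the reporter's code): a minimal evaluator for the policy.json quoted in the original description, showing what "default": "!" and "rule:adm" are meant to enforce, plus the scoping the proposed stopgap describes for audit samples (admins limited to their own project, non-admins limited to their own records). The function names `enforce` and `scope_samples`, the `AUDIT_METERS` set, and the sample records are constructed for this example and are not from the page.

```python
"""Added example: how the bug report's policy.json is supposed to gate meter
access, and how the proposed stopgap would scope http.request/http.response
audit samples. Simplified stand-in for oslo.policy, not the real library."""
import json

# The policy.json quoted in the original bug description.
POLICY_JSON = """
{
    "adm": "role:admin",
    "default": "!",
    "meter:get_all": "rule:adm",
    "meters:get_all": "rule:adm"
}
"""

# Meters that carry audit data per the bug description.
AUDIT_METERS = {"http.request", "http.response"}


def _check(rule, roles, rules):
    """Evaluate one rule string (subset of oslo.policy syntax):
    '!' denies everyone, '@' allows everyone, 'role:X' requires role X,
    'rule:Y' delegates to the named rule Y."""
    if rule == "!":
        return False
    if rule == "@":
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return _check(rules[value], roles, rules)
    raise ValueError("unsupported rule: %r" % rule)


def enforce(policy_json, target, roles):
    """Return True if a caller holding `roles` may perform `target`.
    Targets absent from the file fall back to the 'default' rule, which in
    the quoted policy is '!' (deny), e.g. for any alarm operation."""
    rules = json.loads(policy_json)
    rule = rules.get(target, rules.get("default", "!"))
    return _check(rule, roles, rules)


def scope_samples(samples, user_id, project_id, is_admin):
    """Stopgap described in the bug: never cross project boundaries (an admin
    in project A is not an admin in project B), and for audit meters a
    non-admin sees only their own records. Non-audit meters keep the usual
    project-wide visibility."""
    visible = []
    for s in samples:
        if s["project_id"] != project_id:
            continue  # other projects are never visible, admin or not
        if (s["meter"] in AUDIT_METERS and not is_admin
                and s["user_id"] != user_id):
            continue  # non-admins only see their own audit records
        visible.append(s)
    return visible


# Constructed sample records (hypothetical users/projects, not real data).
SAMPLES = [
    {"meter": "http.request", "project_id": "proj-A", "user_id": "alice"},
    {"meter": "http.request", "project_id": "proj-A", "user_id": "bob"},
    {"meter": "http.response", "project_id": "proj-B", "user_id": "carol"},
    {"meter": "cpu_util", "project_id": "proj-A", "user_id": "bob"},
]

if __name__ == "__main__":
    print("member may list meters:", enforce(POLICY_JSON, "meter:get_all", {"member"}))
    print("admin may list meters: ", enforce(POLICY_JSON, "meter:get_all", {"admin"}))
    print("admin may list alarms: ", enforce(POLICY_JSON, "alarms:get_all", {"admin"}))
    for u, p, adm in [("alice", "proj-A", False), ("alice", "proj-A", True),
                      ("dave", "proj-B", True)]:
        seen = scope_samples(SAMPLES, u, p, adm)
        print(u, p, "admin" if adm else "member", "->",
              [(s["meter"], s["user_id"]) for s in seen])
```

With the quoted policy, a token without the admin role is denied `meter:get_all`, and any target not listed (such as an alarm operation) hits the `"default": "!"` rule and is denied for everyone, which is the behaviour the original report says Ceilometer was not delivering. The scoping function shows the separate point in the updated description: even where policy permits the call, audit samples still have to be narrowed by project and, for non-admins, by user.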
To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1376915/+subscriptions