[Openstack-security] [Bug 1376915] Re: Access to sensitive audit data is not properly restricted

Eoghan Glynn 1376915 at bugs.launchpad.net
Mon Feb 2 14:03:34 UTC 2015


** Changed in: ceilometer
    Milestone: kilo-2 => kilo-3

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1376915

Title:
  Access to sensitive audit data is not properly restricted

Status in OpenStack Telemetry (Ceilometer):
  In Progress
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Audit data stored in http.request and http.response meters is not
  being adequately protected. Admins are allowed to access audit data
  for all projects rather than just their own. Non-admins are allowed to
  access audit data for all users within their project rather than just
  themselves. A non-admin user should not be able to see what other
  users are doing, and being an admin in project A does not make you an
  admin in project B.

  The following blueprints acknowledge the lack of this support. To
  quote one: "as ceilometer collects more and more different types of
  data... some of the data collected may be 'privileged' data that only
  admins should have access to regardless of membership to a tenant (ie.
  audit data should only be visible to admins)". That day has come, and
  the implementation of these blueprints is still missing. At this point
  there is a security hole here (data exposure) which needs to be
  plugged immediately, either with the implementation of one of these
  blueprints (which should probably be merged together) or by a less
  flexible but more easily implemented stopgap measure. Given time
  constraints and the urgency of closing this hole, I propose the
  latter, though the blueprints will obviously still be necessary for a
  more robust and complete solution.

  https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule
  and https://blueprints.launchpad.net/ceilometer/+spec/admin-only-api-
  access and https://blueprints.launchpad.net/ceilometer/+spec/ready-
  ceilometer-rbac-keystone-v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1376915/+subscriptions




More information about the Openstack-security mailing list